Scan using an OpenAPI specification file
You can use an OpenAPI specification file to automatically scan the API it describes. This gives better coverage than a crawl alone, because every endpoint in the specification is included and you can update parameter values before the scan, which makes the scan more thorough and accurate.
Before you begin
Note: If a parameter value is an uploaded file, use the Scan using a Postman collection procedure instead.
Procedure
- Go to Configuration > API.
- Select OpenAPI specification file and click Add specification file.
Note: AppScan Standard does not support the OpenAPI specification version '3.1.0'.
- Enter the URL or click Browse to choose the file from your local drive, then click Continue. AppScan accepts only JSON or YAML formats for the specification file.
AppScan parses the specification file and displays the detected API parameters in the Edit additional parameters table.
- Configure the base URL if not automatically populated.
- AppScan automatically detects parameter values during explore, but you can manually update parameters for better coverage in cases where a value cannot be detected automatically during the scan. Edit the parameter values by matching them with their relevant URLs.
Note: If the parameter name and value apply to all endpoints, select the Apply this value to all parameters checkbox in the Edit Parameter dialog. It is recommended to update the parameters for better scan coverage, ensuring all endpoints are covered and avoiding request failures.
- Configure API authentication if required. Depending on the security schemes declared in your specification file, Configure API key and/or Configure basic authentication (HTTP) links are displayed for configuring authentication. If the links are not displayed, you can manually configure authentication through API key, HTTP Authentication, or Login Management (record login or use automatic login).
- To avoid request failures caused by exceeding the API's rate limit during exploration, adjust the Max. request rate in the Communication and proxy tab.
- Once configuration is complete, you can start a scan.
AppScan starts an automatic scan.
Note: If you add a local file instead of a URL to a configuration, you cannot export it as a SCANT (template) file, because the specification file cannot be included in a template. You must either remove the specification file or save the configuration as a SCAN file.
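Before importing a specification, it helps to know what the scanner will find in it: the base URL (step 4), the parameters whose values it cannot detect and you will have to edit (step 5), and the security schemes that decide which authentication links appear (step 6). The following added example (not AppScan code) performs that pre-flight check on a constructed OpenAPI 3.0.3 document that is assumed to be already loaded from JSON or YAML into a dict; parameters referenced via $ref are assumed to be inlined.

```python
# Pre-flight check of an OpenAPI 3.0.x document before importing it into a scanner: list
# the base URL(s), auth schemes, and every parameter with no example/default value to reuse.
HTTP_METHODS = ("get", "put", "post", "delete", "patch", "head", "options")

# Constructed sample spec, shaped as json.load()/yaml.safe_load() would return it.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.example.test/v1"}],
    "components": {"securitySchemes": {
        "ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
        "BasicAuth": {"type": "http", "scheme": "basic"}}},
    "paths": {
        "/orders/{orderId}": {
            "parameters": [{"name": "orderId", "in": "path", "required": True,
                            "schema": {"type": "integer"}}],
            "get": {"parameters": [{"name": "verbose", "in": "query",
                                    "schema": {"type": "boolean", "default": False}}]},
            "delete": {}},
        "/orders": {
            "post": {"parameters": [{"name": "X-Request-Id", "in": "header",
                                     "example": "abc123", "schema": {"type": "string"}}]}}},
}

def base_urls(spec):
    """Server URLs; an empty list means the base URL must be set by hand."""
    return [s.get("url", "") for s in spec.get("servers", [])]

def security_schemes(spec):
    """Scheme name -> type (apiKey, http, oauth2, openIdConnect)."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    return {name: s.get("type") for name, s in schemes.items()}

def _has_value(param):
    # A value is reusable if the parameter or its schema has an example/default/enum.
    schema = param.get("schema", {})
    return "example" in param or "examples" in param or any(
        k in schema for k in ("example", "default", "enum"))

def params_without_values(spec):
    """(METHOD, path, name, in) for each parameter lacking a usable value.
    Path-level parameters are inherited by every operation on that path."""
    missing = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])
        for method in HTTP_METHODS:
            if method in item:  # operation defined for this verb
                for p in shared + item[method].get("parameters", []):
                    if not _has_value(p):
                        missing.append((method.upper(), path, p["name"], p["in"]))
    return missing
```

Each entry returned by params_without_values is a parameter you should expect to edit in the Edit additional parameters table, since the scanner has nothing in the file to take a value from.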