Scan using an OpenAPI description file

You can use an OpenAPI description file to scan your API automatically. The description file provides better coverage because it lets you update parameters and include all endpoints, which makes the scan more thorough and accurate and helps to identify potential issues across the entire API.

Procedure

  1. Go to Configuration > API and select OpenAPI.
  2. Select OpenAPI description file and click Add description file.
  3. Enter the URL or click Browse to choose the file from your local drive, then click Continue. AppScan accepts only JSON or YAML formats for the description file.
    AppScan parses the data and loads it into the table of Additional Parameters.
  4. Configure the base URL if not automatically populated.
  5. AppScan detects parameter values automatically during the explore stage, but where a value cannot be detected automatically during the scan you can update the parameters manually for better results. Edit each parameter value by matching it with the URL it belongs to.
    It is strongly recommended that you update the parameters: this improves scan coverage, ensures that all endpoints are covered, and avoids request failures.
  6. Configure API authentication if required. Depending on your description file, the Configure API key and/or Configure basic authentication (HTTP) links are displayed so that you can configure authentication. If the links are not displayed, you can configure authentication manually through API key, HTTP Authentication, or Login Management; this improves scan coverage, so that most endpoints are reached and request failures are avoided.
    If AppScan does not use the parameter values you updated, you can either:
    • Select the Apply this value to all parameters checkbox in the Edit Parameter dialog.
    • If the value applies only to a specific path, follow the steps in Automatic Form-Fill and include an item with a relative path (the full path without the base URL) in addition to the item containing the full URL.

      (Screenshot: form-fill parameter using a relative path)

  7. To avoid request failures caused by exceeding the server's rate limit during exploration, adjust the Max. request rate in the Communication and proxy tab.
  8. Once configuration is complete, you can start a scan.
    AppScan starts an automatic scan.
    Note: If you add a local file instead of a URL to a configuration, you cannot export the configuration as a SCANT (template) file, because the description file cannot be included in a template. You must either remove the description file or save the configuration as a SCAN file.
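Steps 3 to 6 above depend on what the description file actually declares: its base URL (servers), which parameters carry no example or default value and so need manual entry, and which security schemes each endpoint requires. The following added example (not AppScan code or part of this documentation) parses a constructed OpenAPI 3 JSON description and reports exactly those three things, so you can check the file before configuring the scan; the host, paths and scheme names in it are hypothetical.

```python
import json

# Constructed sample OpenAPI 3 description for illustration only; the host,
# paths and security scheme names are hypothetical, not from any real API.
SAMPLE_OPENAPI = json.loads("""{
  "openapi": "3.0.3", "servers": [{"url": "https://api.example.test/v1"}],
  "paths": {
    "/orders/{orderId}": {
      "parameters": [{"name": "orderId", "in": "path", "required": true, "schema": {"type": "integer"}}],
      "get": {"security": [{"apiKeyAuth": []}],
              "parameters": [{"name": "expand", "in": "query", "schema": {"type": "string", "example": "items"}}]}},
    "/orders": {"post": {"security": [{"basicAuth": []}]}}},
  "components": {"securitySchemes": {
    "apiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
    "basicAuth": {"type": "http", "scheme": "basic"}}}}""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def base_urls(spec):
    """Base URLs the scan must be configured with (step 4)."""
    return [s["url"] for s in spec.get("servers", [])]

def param_value(param):
    """Value the description itself supplies (example or default), or None."""
    for src in (param, param.get("schema", {})):
        for key in ("example", "default"):
            if key in src:
                return src[key]
    return None

def security_schemes(spec):
    """Scheme name -> summary such as 'apiKey header X-API-Key' or 'http basic' (step 6)."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    return {n: " ".join(str(s[k]) for k in ("type", "in", "name", "scheme") if k in s)
            for n, s in schemes.items()}

def operations(spec):
    """One record per method+path: parameters with no value to fill, and the auth schemes required."""
    ops = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # path-level parameters apply to every method
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            params = shared + op.get("parameters", [])
            missing = sorted(p["name"] for p in params if param_value(p) is None)
            auth = sorted(k for req in op.get("security", spec.get("security", [])) for k in req)
            ops.append({"method": method.upper(), "path": path,
                        "missing_values": missing, "auth": auth})
    return ops
```

Every name in `missing_values` is a parameter you should set manually in the Additional Parameters table (step 5), and every name in `auth` maps to an entry of `security_schemes()` that must be configured in step 6.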

What to do next

Once the scan is complete, you can view the parameters found during the scan on the Automatic Form-Fill page, as well as the requests sent and parameters found on the Data page.