API Scanning

6min
The --scanMode=apiscan option loads a ruleset that is tuned for performing scans against  openapi, soap, or graphql APIs. API scanning combines both passive rules and active rules, meaning common misconfigurations and vulnerabilities will be located using the passive ruleset, as well as actively trying to attack the endpoints using the active ruleset.
Run a Passive Only API Scan
Active API scans can take significant time to run, especially for larger APIs, therefore running these scans frequently is not always possible. However, performing frequent CI/CD scans against APIs is achievable by only running the passive API ruleset. This will not catch all the issues that an active scan will, however it can be a great baseline verification of the API after each commit or deploy.
Use the --otherOptions="-S" parameter to run only the passive ruleset.
docker run -v c:\local-path:/zap/wrk/:rw -it --rm soosio/dast --clientId=<soos_client_id> --apiKey="<soos_api_key>" --projectName="<project_name>" --scanMode=apiscan --otherOptions="-S" --apiScanFormat=openapi <my-spec-file>.json
Scanning APIs Using OpenAPI Spec Files
There are two options for scanning APIs using an OpenAPI spec file, either pass the URL of the spec file or point to a local spec file.
Scanning a Hosted OpenAPI Spec File
Often OpenAPI spec files are deployed with the APIs they are defining. As long as the spec file is available, it's easy to scan directly from the hosted location. If the server URL in the spec file needs to be updated, this can be accomplished by passing the --otherOptions="-o 'https://new_server_url'" parameter, otherwise simply omit this parameter.
docker run -v c:\local-path:/zap/wrk/:rw -it --rm soosio/dast --clientId=<soos_client_id> --apiKey="<soos_api_key>" --projectName="<project_name>" --scanMode=apiscan --otherOptions="-o 'https://new_server_url'" --apiScanFormat=openapi https://<my-hosted-spec-file>.json
If the hosted spec file requires authentication, refer to Running Authenticated DAST Scans﻿for example use request header authentication by including the --requestHeaders parameter.
docker run -v c:\local-path:/zap/wrk/:rw -it --rm soosio/dast --clientId=<soos_client_id> --apiKey="<soos_api_key>" --projectName="<project_name>" --scanMode=apiscan --requestHeaders="x-apikey: <my-api-key>" --otherOptions="-o 'https://new_server_url'" --apiScanFormat=openapi https://<my-hosted-spec-file>.json
Scanning a Local OpenAPI Spec File
Hosted OpenAPI spec files are not always available, or it may simply be easier to grab the spec file from a previous step in a build process.  An additional advantage of scanning a local spec file is that, the server URL(s) and/or API endpoint paths can be updated. This option works even if the spec file isn't available locally, by using a tool such as curl to download the spec file, then using a tool such as jq to modify the JSON, before passing the local file to the DAST CLI.
The following example scans a local spec file my-spec-file.json (assuming the server url is correct or has previously been updated).
docker run -v c:\local-path:/zap/wrk/:rw -it --rm soosio/dast --clientId=<soos_client_id> --apiKey="<soos_api_key>" --projectName="<project_name>" --scanMode=apiscan --apiScanFormat=openapi <my-spec-file>.json
Further Configurations
﻿Running Authenticated DAST Scans﻿ 
﻿Excluding DAST Scan Rules﻿ 
﻿Adjusting Scan Times﻿ 
﻿
Full (Active) Web App Scanning
Excluding DAST Scan Rules