Launch an API Scan

Required Additional License: Tenable Web App Scanning

Required Tenable Web App Scanning User Role: Scan Operator, Standard, Scan Manager, or Administrator

Required Scan Permissions: Can Control

Note: When you launch a scan, the time the scanner takes to complete the scan varies depending on the system load. To prevent lengthy scan times, avoid launching an excessive number of scans simultaneously. Excessive numbers of concurrent scans may exhaust the system's scanning capacity. If necessary, Tenable Web App Scanning automatically staggers concurrent scans to ensure consistent scanning performance.

In Tenable Web App Scanning, you can create discovery, assessment, and API scans using scan templates. For general information about templates and settings, see Scan Templates and Settings.

Before you begin:

  • Have the swagger file used to describe the API available for reference.

To launch a Tenable Web App Scanning API scan:

  1. In the left navigation pane, click Scans.

    The Tenable Web App Scanning Scans page appears.

    Note: If your Tenable Web App Scanning license ages out, your Tenable Web App Scanning scans no longer appear in the scans table.

  2. In the top navigation, select Web Application Scans.
  3. Click the Create Scan button in the upper right-hand corner of the page.

    The Scans Template page appears.

  4. Select the API scan template.
  5. In the Settings section of the Create a Scan - API Scan page, populate the following minimum required settings:

    Note: While not required, Tenable recommends putting all scans on a repeating schedule. For more information about Tenable Web App Scanning Scan schedules, see Schedule.

    • Name
    • Scanner
    • Target
  6. In the Scope section, first select the appropriate API type (either REST via OpenAPI or GraphQL), and then follow one of these methods:

    Note: The RESTful API file should be OpenAPI Specification (v2 or v3) compliant and represented in either JSON or YAML format.

    OpenAPI (Swagger):

    • Enter the URL of your OpenAPI (Swagger) file:

      1. Select URL in the drop-down list.

      2. Enter the URL of your OpenAPI (Swagger) file in the text box.
    • Upload an OpenAPI (Swagger) file:

      Note: Attaching a specification file larger than 1 MB to an API scan results in an error message. This limitation does not apply when the specification is pulled directly from a URL or obtained via Introspection (for GraphQL).

      1. Select File in the drop-down list.

      2. Click Add File.

        Your system's file manager appears.

      3. Select your OpenAPI (Swagger) file.

        The OpenAPI (Swagger) file is uploaded to your scan configuration.

    GraphQL API:

    • Enter the URL of your GraphQL API schema:

      1. Select URL in the drop-down list.

      2. Enter the URL of your GraphQL API schema in the text box.
    • Upload a GraphQL API schema file:

      Note: The GraphQL schema file must be in GraphQL SDL format and have a .graphql file extension.

      1. Select File in the drop-down list.

      2. Click Add File.

        Your system's file manager appears.

      3. Select your GraphQL API schema file.

        The GraphQL API schema file is uploaded to your scan configuration.

    • Use Introspection to obtain the GraphQL API schema:

      1. Select Introspection in the drop-down list.

        The scanner connects to the scan target URL and attempts to introspect the GraphQL schema.

  7. (Optional) Enter any URLs that you want to exclude from your scan in the Regex for excluded URLs textbox.

  8. (Optional) Select, or deselect, the Exclude Binaries checkbox.

    Note: When unselected, the scanner also attempts to audit URLs whose responses are in a binary format. Although the scanner cannot read binary content, auditing these URLs increases the web application detection surface but also causes longer scan times.

  9. Click Save.

    Tenable Vulnerability Management returns to the list of configured Tenable Web App Scanning scans.

  10. To launch the scan, click the More button in the Actions column for the scan you want to run and select Launch.

  11. When the scan has been completed, click the scan to view the results.

Note: Tenable Web App Scanning aborts scans that remain in pending status for more than four hours. If Tenable Web App Scanning aborts a scan, modify your scan schedules to reduce the number of overlapping scans. If you still have issues, contact Tenable Support.
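As an added pre-flight check (example code, not Tenable's own), the following Python script verifies that a specification file meets the requirements described above before you attach it to the scan: it must be under 1 MB, be an OpenAPI v2 (Swagger) or v3 document in JSON (YAML is parsed only when the optional PyYAML package is installed), or be a .graphql SDL file. The SDL check is a heuristic assumption, and the sample inputs at the bottom are constructed for the example.

```python
import json
import os
import re
from typing import List, Optional

# Upload limit the Tenable docs give for specification files attached to an API scan.
MAX_UPLOAD_BYTES = 1024 * 1024


def openapi_version(doc: dict) -> Optional[str]:
    """Return "2" or "3" for an OpenAPI v2 (Swagger) or v3 document, else None."""
    if str(doc.get("swagger", "")).startswith("2."):
        return "2"
    if str(doc.get("openapi", "")).startswith("3."):
        return "3"
    return None


def parse_openapi(content: bytes) -> dict:
    """Parse JSON; fall back to YAML only when PyYAML happens to be installed."""
    text = content.decode("utf-8")
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        try:
            import yaml  # optional dependency, not part of the standard library
        except ImportError as exc:
            raise ValueError("not JSON, and PyYAML is not installed to parse YAML") from exc
        doc = yaml.safe_load(text)
    if not isinstance(doc, dict):
        raise ValueError("specification is not a JSON/YAML object")
    return doc


def preflight(filename: str, content: bytes) -> List[str]:
    """Return the problems found; an empty list means the file is ready to attach."""
    problems = []
    if len(content) > MAX_UPLOAD_BYTES:
        problems.append("file exceeds 1 MB; attaching it fails, pull it from a URL instead")
    ext = os.path.splitext(filename)[1].lower()
    if ext == ".graphql":
        # Heuristic (assumption): an SDL schema declares a Query type or a schema block.
        if not re.search(r"\b(type\s+Query\b|schema\s*\{)", content.decode("utf-8", "replace")):
            problems.append("no 'type Query' or 'schema {' found; is this GraphQL SDL?")
        return problems
    if ext not in (".json", ".yaml", ".yml"):
        problems.append(f"unexpected extension {ext!r}; use .json/.yaml for OpenAPI or .graphql for SDL")
    try:
        if openapi_version(parse_openapi(content)) is None:
            problems.append("neither 'swagger: 2.x' nor 'openapi: 3.x' found; not an OpenAPI v2/v3 file")
    except (ValueError, UnicodeDecodeError) as exc:
        problems.append(f"cannot parse specification: {exc}")
    return problems


# Constructed sample inputs for the example, not real specifications.
SAMPLE_OPENAPI3 = b'{"openapi": "3.0.3", "info": {"title": "demo", "version": "1"}, "paths": {}}'
SAMPLE_SDL = b"type User { id: ID! }\ntype Query { me: User }\n"
```

Run `preflight("api.json", open("api.json", "rb").read())` on your own file; an empty list means it is ready to upload, otherwise each string names a problem to fix first.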