Launch an API Scan
Required Additional License: Tenable Web App Scanning
Required Tenable Web App Scanning User Role: Scan Operator, Standard, Scan Manager, or Administrator
Required Scan Permissions: Can Control
In Tenable Web App Scanning, you can create discovery, assessment, and API scans using scan templates. For general information about templates and settings, see Scan Templates and Settings.
Before you begin:
- Have the OpenAPI (Swagger) file that describes the API available for reference.
To launch a Tenable Web App Scanning API scan:

1. In the left navigation pane, click Scans.
   The Tenable Web App Scanning Scans page appears.
   Note: If your Tenable Web App Scanning license expires, your Tenable Web App Scanning scans no longer appear in the scans table.
2. In the top navigation, select Web Application Scans.
3. Click the Create Scan button in the upper right-hand corner of the page.
   The Scan Templates page appears.
4. Select the API scan template.
5. In the Settings section of the Create a Scan - API Scan page, populate the following minimum required settings:
   - Name
   - Scanner
   - Target
   Note: While not required, Tenable recommends putting all scans on a repeating schedule. For more information about Tenable Web App Scanning scan schedules, see Schedule.
6. In the Scope section, add the OpenAPI (Swagger) file for the API you are scanning in one of the following ways:
   Note: The RESTful API file must be OpenAPI Specification (v2 or v3) compliant and written in either JSON or YAML format.
   - Enter the URL of your OpenAPI (Swagger) file:
     a. Select URL in the drop-down list.
     b. Enter the URL of your OpenAPI (Swagger) file in the text box.
   - Upload an OpenAPI (Swagger) file:
     Note: Attaching an OpenAPI (Swagger) file larger than 1 MB to an API scan results in an error message. For more information on this limit, see the Knowledge Article. For more information on Swagger specification files, see OpenAPI (Swagger) Specification.
     a. Select File in the drop-down list.
     b. Click Add File.
        Your system's file manager appears.
     c. Select your OpenAPI (Swagger) file.
        The OpenAPI (Swagger) file is uploaded to your scan configuration.
7. (Optional) Enter a regular expression matching any URLs that you want to exclude from your scan in the Regex for excluded URLs text box.
8. (Optional) Select or deselect the Exclude Binaries checkbox.
   Note: When deselected, the scanner attempts to audit URLs whose response is in binary format. The scanner cannot read such responses, so auditing them increases the web application detection surface but also causes longer scan times.
9. Click Save.
   Tenable Vulnerability Management returns to the list of configured Tenable Web App Scanning scans.
10. To launch the scan, click the button in the Actions column for the scan that you want to run and select Launch.
11. When the scan has completed, click the scan to view the results.

Note: Tenable Web App Scanning aborts scans that remain in pending status for more than four hours. If Tenable Web App Scanning aborts a scan, modify your scan schedules to reduce the number of overlapping scans. If you still have issues, contact Tenable Support.
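The Scope step above accepts only Swagger 2.0 or OpenAPI 3.x files in JSON or YAML, rejects attachments over 1 MB, and lets you exclude URLs by regular expression. The following pre-flight checker is an added example, not Tenable's code or part of this page: it verifies those constraints locally before you attach the file, expands the spec's paths into the endpoint URLs the scan would target, and previews which of them an exclusion regex would remove (for instance, so that an over-broad pattern does not silently leave nothing to test). Two things are assumptions: the 1 MB limit is read as 1,048,576 bytes, and the Regex for excluded URLs setting is modelled as a Python `re.search` against each full endpoint URL, since the scanner's exact matching rules are not stated on this page. The sample specification and hostnames in the block are constructed.

```python
"""Pre-flight check for an OpenAPI (Swagger) file before attaching it to a
Tenable Web App Scanning API scan. Added example, not Tenable code.
Assumptions: the 1 MB attachment limit is read as 1,048,576 bytes, and the
"Regex for excluded URLs" setting is modelled as re.search against each full
endpoint URL (the scanner's exact matching rules are not on the page)."""
import json
import re
from typing import Optional

MAX_SPEC_BYTES = 1024 * 1024  # assumption: "1 MB" taken as 1 MiB
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "trace"}


def load_spec(raw: bytes) -> dict:
    """Parse a JSON spec; fall back to YAML only if PyYAML happens to be installed."""
    text = raw.decode("utf-8")
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        try:
            import yaml  # optional dependency, not needed for JSON input
        except ImportError as exc:
            raise ValueError("file is not JSON and PyYAML is not installed for YAML") from exc
        data = yaml.safe_load(text)
        if not isinstance(data, dict):
            raise ValueError("YAML document is not a mapping")
        return data


def spec_version(spec: dict) -> str:
    """Return 'v2' for Swagger 2.0, 'v3' for OpenAPI 3.x; anything else is rejected."""
    if str(spec.get("swagger", "")).startswith("2."):
        return "v2"
    if str(spec.get("openapi", "")).startswith("3."):
        return "v3"
    raise ValueError("file is neither Swagger 2.0 nor OpenAPI 3.x")


def base_urls(spec: dict, version: str) -> list:
    """Base URL(s): v2 builds one from schemes/host/basePath, v3 lists 'servers'."""
    if version == "v2":
        scheme = (spec.get("schemes") or ["https"])[0]
        return [f"{scheme}://{spec.get('host', 'localhost')}{spec.get('basePath', '')}"]
    return [s["url"] for s in spec.get("servers") or [{"url": "/"}]]


def endpoint_urls(spec: dict) -> list:
    """Expand paths x operations into (METHOD, full URL) pairs the scan would target."""
    version = spec_version(spec)
    urls = []
    for base in base_urls(spec, version):
        for path, item in (spec.get("paths") or {}).items():
            for key in item or {}:  # skip non-operation keys such as 'parameters'
                if key.lower() in HTTP_METHODS:
                    urls.append((key.upper(), base.rstrip("/") + path))
    return urls


def preflight(raw: bytes, exclude_regex: Optional[str] = None) -> dict:
    """Run the checks a scan operator would want before clicking Save."""
    findings = []
    if len(raw) > MAX_SPEC_BYTES:
        findings.append(f"file is {len(raw)} bytes, over the 1 MB attachment limit")
    spec = load_spec(raw)
    version = spec_version(spec)
    endpoints = endpoint_urls(spec)
    if not endpoints:
        findings.append("no operations found under 'paths'; the scan would have nothing to test")
    pattern = None
    if exclude_regex:
        try:
            pattern = re.compile(exclude_regex)
        except re.error as exc:
            findings.append(f"exclusion regex does not compile: {exc}")
    excluded = [e for e in endpoints if pattern and pattern.search(e[1])]
    in_scope = [e for e in endpoints if e not in excluded]
    if endpoints and not in_scope:
        findings.append("exclusion regex removes every endpoint; nothing is left to scan")
    return {"version": version, "endpoints": endpoints, "excluded": excluded,
            "in_scope": in_scope, "findings": findings}


# Constructed sample: a small OpenAPI 3.0 document in JSON (not a real API).
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "info": {"title": "Demo", "version": "1"},
    "servers": [{"url": "https://api.example.test/v1"}],
    "paths": {
        "/users": {"get": {}, "post": {}},
        "/users/{id}": {"parameters": [], "get": {}, "delete": {}},
        "/admin/reset": {"post": {}},
    },
}).encode()

if __name__ == "__main__":
    report = preflight(SAMPLE_SPEC, exclude_regex=r"/admin/")
    print(f"spec {report['version']}: {len(report['in_scope'])} in scope, "
          f"{len(report['excluded'])} excluded")
    for method, url in report["excluded"]:
        print(f"  excluded {method} {url}")
    for finding in report["findings"]:
        print(f"  finding: {finding}")
```

Run it against your own file with `preflight(open("spec.json", "rb").read(), exclude_regex=...)`; an empty `findings` list means the file is within the size limit, declares a supported version, and the exclusion pattern still leaves endpoints for the scanner to audit.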