API Security Configuration Options
The following table shows the configuration options available for the API Security scanner. These configuration options can be applied on the Account > Project > Scan levels. These configurations can be set via the web application (UI), CLI or API, as shown in the table below.
Notice
API configs can be configured on the account or project level using the Configuration API or on the scan level as part of the request body of the POST /scans API. When using the POST /scans API the scan.config.apisec prefix is left out.
| Parameter | Values | Notes | CLI | API |
|---|---|---|---|---|
| Swagger folder/file filter | Swagger folder path or any folder/file type. Allows users to select specific folders or files that they want to include or exclude from the code scanning process. | Notice: for details on the filter application logic, see Filter Application Logic below. | | See the Tenant/Project and Scan examples below. |
| uuid [1] | The upload link to your Swagger file. | See Workflow for API Scanner for the complete process of uploading a Swagger file and generating this upload link. | | See the uuid example below. |

[1] This configuration is only available via API and only on the scan level.

Swagger folder/file filter, Tenant/Project example (set via the Configuration API):

```json
{
  "key": "scan.config.apisec.swaggerFilter",
  "value": "*.java,*.js",
  "allowOverride": true
}
```

Swagger folder/file filter, Scan example (the config element of the POST /scans request body; the scan.config.apisec prefix is left out):

```json
"config": [
  {
    "type": "apisec",
    "value": {
      "swaggerFilter": "*.java,*.js"
    }
  }
]
```

uuid, Scan example (the config element of the POST /scans request body):

```json
"config": [
  {
    "type": "apisec",
    "value": {
      "uuid": "<link_to_your_swagger>"
    }
  }
]
```
Filter Application Logic
Filters are applied in the order they appear in the expression.
When both include and exclude filters are used, include filters must come first.
Why this order matters
If the include filters come first (correct order), the system starts with an empty selection set and adds content from the original sources that matches the include filters. The exclude filters are then applied to that populated set, removing any unwanted items. The resulting, correctly filtered selection set is what gets sent for scanning.
If the exclude filters are applied first (incorrect order), the system begins with an empty selection set and attempts to remove content from it, which has no effect. Only afterward does it apply the include filters, adding content from the source set to the selection set. This results in the exclude rules being effectively ignored.
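The ordering rule above can be checked before a filter expression is committed to a tenant, project or scan configuration. The following is an added example, not code from Checkmarx or from the page: it replays the described selection logic over a constructed file list and flags expressions in which an exclude precedes an include. It assumes a comma-separated expression (as in the `*.java,*.js` value shown on the page), that a leading `!` marks an exclude pattern, and that patterns are matched with shell-style globbing via Python's `fnmatch`; none of those three details are stated on the page.

```python
import fnmatch

# Constructed sample file listing (not taken from the page).
SAMPLE_FILES = [
    "src/api/openapi.yaml",
    "src/api/legacy/openapi.yaml",
    "src/app/Main.java",
    "src/app/Util.js",
    "docs/README.md",
]


def parse_filter(expression):
    """Split a comma-separated filter expression into (is_exclude, pattern)
    pairs, preserving the order in which they appear.

    Assumption (not stated on the page): a leading '!' marks an exclude
    pattern; every other term is an include pattern.
    """
    terms = []
    for raw in expression.split(","):
        term = raw.strip()
        if not term:
            continue
        if term.startswith("!"):
            terms.append((True, term[1:]))
        else:
            terms.append((False, term))
    return terms


def apply_filter(files, expression):
    """Replay the selection logic the page describes: start with an empty
    selection set and walk the filters in order. An include copies matching
    items from the original source list into the selection; an exclude
    removes matching items from whatever is in the selection at that point.
    Glob matching uses fnmatch, where '*' also spans '/' (an assumption
    about the scanner's matcher)."""
    selection = []
    for is_exclude, pattern in parse_filter(expression):
        if is_exclude:
            selection = [f for f in selection if not fnmatch.fnmatchcase(f, pattern)]
        else:
            for f in files:
                if fnmatch.fnmatchcase(f, pattern) and f not in selection:
                    selection.append(f)
    return selection


def is_well_ordered(expression):
    """Return True when every include precedes every exclude, i.e. the order
    the page requires. A False result means some exclude is applied to an
    empty or incomplete selection and silently loses its effect."""
    seen_exclude = False
    for is_exclude, _ in parse_filter(expression):
        if is_exclude:
            seen_exclude = True
        elif seen_exclude:
            return False
    return True


if __name__ == "__main__":
    correct = "*.yaml,!src/api/legacy/*"
    wrong = "!src/api/legacy/*,*.yaml"
    print("correct order ->", apply_filter(SAMPLE_FILES, correct))
    print("wrong order   ->", apply_filter(SAMPLE_FILES, wrong))
    print("well ordered? ->", is_well_ordered(correct), is_well_ordered(wrong))
```

With the include first, the legacy specification is dropped as intended; with the exclude first, both YAML files survive because the exclude ran against an empty selection. Running `is_well_ordered` on a filter value before it is written through the Configuration API or the POST /scans body is a cheap way to catch the misordering that would otherwise quietly widen the set of files sent for scanning.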