Fortify ScanCentral SAST API
Fortify ScanCentral SAST provides a RESTful API that enables you to perform the tasks described in the following table. The tasks are grouped by request group, matching the grouping used in the API documentation (Swagger UI).
| Tasks you can perform | Request group |
|---|---|
| Retrieve the scan requests from the Controller, report job status, and upload artifacts | sensor-controller |
| Work with scan jobs such as running a new scan or canceling a job | job-controller |
| Get information from the Controller such as the Fortify Software Security Center URL | info-controller |
| Check for client or sensor updates | update-controller |
| Check to see if the Controller is running | core-controller |
To use the Fortify ScanCentral SAST API, your application makes an HTTP request and parses the response. The API uses JSON and XML as its communication formats and the standard HTTP methods GET, POST, and DELETE. URIs have the following structure:
<protocol>://<controller_url>/rest/<api-version>/<endpoint>
The following is an example cURL request (a GET for the status of one scan job, authenticated with the client token in the fortify-client header):
curl -X 'GET' \
  'https://my_ctrl_host:8080/scancentral-ctrl/rest/v4/job/a2f0fe34-f810-4c76-8e0b-86dfb4f40c9c/status' \
  -H 'accept: */*' \
  -H 'fortify-client: my_secret'
Authentication
Authenticate each API request with a Fortify ScanCentral SAST authentication token. Depending on the request group, use the value of client_auth_token or worker_auth_token from the Controller's config.properties file: send the client_auth_token value in the fortify-client header, and the worker_auth_token value in the fortify-worker header. These tokens are shared secrets, so send them only over HTTPS and keep config.properties readable only by the Controller's service account. The following table lists which token each request group accepts.
| Request group | client_auth_token | worker_auth_token |
|---|---|---|
| sensor-controller | x | |
| job-controller | x | |
| info-controller | x | x |
| update-controller | x | x |
| core-controller | x | |
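The following Python client is an added example, not code from the Fortify product or documentation. It puts the two rules above into one place: it builds a URI from the <protocol>://<controller_url>/rest/<api-version>/<endpoint> structure, reads the tokens from a config.properties-style file instead of hardcoding them, and picks the fortify-client or fortify-worker header from the request-group table, refusing a token kind the group does not accept. The config text is constructed for the example, the assumption that config.properties is a plain Java-style key=value file is the author's, and the job ID is the one from the cURL example above; only the /job/{id}/status endpoint shown on this page is used.

```python
"""Added example client for the ScanCentral SAST Controller REST API.

Assumptions (not from the page): config.properties is a Java-style
key=value file, and the request-group/header rules are exactly those in
the authentication table above.
"""
import json
import urllib.request
from urllib.parse import quote

# Token kinds each request group accepts (from the authentication table).
GROUP_TOKENS = {
    "sensor-controller": ("client",),
    "job-controller": ("client",),
    "info-controller": ("client", "worker"),
    "update-controller": ("client", "worker"),
    "core-controller": ("client",),
}

# Which HTTP header carries which token.
HEADER_FOR_TOKEN = {"client": "fortify-client", "worker": "fortify-worker"}

# Constructed sample config; a real Controller config has more keys.
SAMPLE_CONFIG = """# constructed sample, not a real config.properties
client_auth_token=my_secret
worker_auth_token=worker_secret
swagger_username=apidocs
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value lines,
    '#' and '!' comment lines, no escape or continuation handling."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # First '=' or ':' separates key from value (values may contain ':').
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            continue
        sep = min(seps)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def build_url(controller_url, endpoint, api_version="v4", protocol="https"):
    """Assemble <protocol>://<controller_url>/rest/<api-version>/<endpoint>."""
    return "%s://%s/rest/%s/%s" % (
        protocol, controller_url.strip("/"), api_version, endpoint.lstrip("/"))


def auth_header(group, props, kind="client"):
    """Return the single auth header for a request group.

    Raises ValueError if the group does not accept the token kind or the
    token is missing from the config, so a misconfiguration fails loudly
    instead of producing an unauthenticated request."""
    if kind not in GROUP_TOKENS[group]:
        raise ValueError("%s does not accept %s_auth_token" % (group, kind))
    key = "%s_auth_token" % kind
    token = props.get(key)
    if not token:
        raise ValueError("missing %s in config.properties" % key)
    return {HEADER_FOR_TOKEN[kind]: token}


def job_status_request(controller_url, job_id, props):
    """Prepare (without sending) GET /job/{id}/status, the call shown in
    the cURL example; job-controller requests use the client token."""
    url = build_url(controller_url, "job/%s/status" % quote(job_id, safe=""))
    headers = {"accept": "application/json"}
    headers.update(auth_header("job-controller", props))
    return urllib.request.Request(url, headers=headers, method="GET")


def fetch_json(req, timeout=30):
    """Send a prepared request over TLS and decode the JSON body."""
    if not req.full_url.startswith("https://"):
        raise ValueError("refusing to send a shared-secret token over plaintext HTTP")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_CONFIG)
    req = job_status_request("my_ctrl_host:8080/scancentral-ctrl",
                             "a2f0fe34-f810-4c76-8e0b-86dfb4f40c9c", cfg)
    # fetch_json(req) would contact the Controller; here just show the request.
    print(req.get_method(), req.full_url, dict(req.header_items()))
```

The plaintext check in fetch_json is a deliberate guard: the token is the only thing standing between a caller and job-controller operations such as cancelling scans, so a client should never fall back to http://. urllib capitalizes header names when storing them (Fortify-client), which is harmless because HTTP header names are case-insensitive.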
Accessing the Fortify ScanCentral SAST API documentation (Swagger UI)
The documentation describes the endpoints and their inputs and outputs. It also lets you try the endpoints interactively before using them in production.
To access this documentation:
- Configure the credentials for access to the documentation in the Controller config.properties file with the two properties swagger_username and swagger_password. For more information, see Configuring the Controller.
- Open a browser and visit <controller_url>/rest/swagger-ui/index.html.
OpenAPI documentation in JSON format is available at <controller_url>/rest/api-docs.