Understanding the API Scan Configuration File

The following table describes the parameters available for use in the JSON configuration file.

Important! Any double quotation mark that appears inside a double-quoted string value in the JSON file must be escaped. Put one backslash (\) in front of each such quotation mark. For example:

"Setting": "Value \"Value Text Inside Quotes\""

Parameter Description

APIDefinition

Points to the service definition location, which is a specific URL. Each API service uses a specific type of file, as follows:

  • SOAP uses a Web Service Definition Language (WSDL) file.

  • gRPC uses a .proto file.

  • GraphQL uses an introspection query or endpoint, such as introspection-query.graphql.

The APIDefinition does not need to be a URL. It can be a URL or the contents of the API definition. For example, you can put a file path to the definition file on your local machine. If the definition location points to an HTTP URL or a directory path, Fortify WebInspect downloads the content and replaces the URL or path with the content. Thus, the whole definition file is stored inside the settings.

Type

Indicates the type of API service being scanned. Possible values are:

  • GraphQL

  • gRPC

  • SOAP

Schemes

Indicates the protocol used by the service: http, https, or both.

Important! Schemes must be defined as a JSON array regardless of whether one or many values are used. The following are examples of arrays:

[ "http" ], [ "http", "https" ]

Host

Indicates the host name or URL where the service is running.

Tip: This is most likely the same as the API definition root URL.

APIVersion

Primarily used for SOAP, allows filtering of operations by a specific version. Possible values are:

  • Legacy – filters against the lowest supported version.

  • Mixed – uses a combination of Legacy and Newest, depending on what is available.

  • Newest – the default setting, filters against the latest version.

ServicePath

Specifies the directory path to the service.

AuthProviders

Optionally, identifies the authentication type, such as a transport bearer token. For more information about the AuthProviders parameter, see Understanding API AuthProviders Configuration.

Proxy

Optionally, specifies proxy settings. Proxy requires the following parameters:

  • Host – Indicates the host name or URL where the proxy is running

  • Port – Indicates the port number used by the proxy server

  • UserName – Optionally, identifies the user account for accessing the proxy server

  • Password – Optionally, specifies the password for the user profile

    Important! Currently, only Basic authentication is supported.

preferredContentType

Optionally, sets the preferred content type of the request payload.

If preferredContentType is in the list of supported content types for an operation, the generated request payload will be of that type. Otherwise, the first content type listed in an operation will be used.

excludeOperations

Optionally, defines a deny list of operation IDs that should be excluded from the output, expressed as an array of operation IDs.

Example:

[ "operation1", "operation2", "operationN" ]

includeOperations

Optionally, defines an allow list of operation IDs that should be included in the output, expressed as an array of operation IDs.

Example:

[ "operation1", "operation2", "operationN" ]

parameterRules

Optionally, defines specific values for a parameter when the default value is not appropriate or when the parameter is not defined in the API definition.

Example:

A parameter that is not defined in the API definition, such as an authorization header, needs to be injected into every request.

The property is expressed as an array of 'parameterRule' objects. The 'parameterRule' objects are described in Understanding Parameter Rule Objects.
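The following Python script is an added pre-flight check, not part of Fortify WebInspect or of this documentation. It parses a configuration file and reports violations of the rules stated in the table: the file must be valid JSON (so single-quoted strings and unescaped inner quotation marks are rejected), Type and APIVersion must use the listed values, Schemes and the operation lists must be JSON arrays, and Proxy needs both Host and Port. It assumes that parameters the table does not mark as optional are required; the sample configurations and host names are constructed.

```python
import json

# Allowed values as listed in the parameter table above.
VALID_TYPES = {"GraphQL", "gRPC", "SOAP"}
VALID_SCHEMES = {"http", "https"}
VALID_API_VERSIONS = {"Legacy", "Mixed", "Newest"}
ARRAY_FIELDS = ("Schemes", "excludeOperations", "includeOperations", "parameterRules")
# Assumption: parameters the table does not mark "Optionally" are required.
REQUIRED_FIELDS = ("APIDefinition", "Type", "Schemes", "Host")


def check_config(text: str) -> list[str]:
    """Return the problems found in a configuration file; an empty list means it passed."""
    try:
        cfg = json.loads(text)  # rejects single-quoted strings and unescaped inner quotes
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]
    problems = [f"{key} is missing" for key in REQUIRED_FIELDS if key not in cfg]
    if "Type" in cfg and cfg["Type"] not in VALID_TYPES:
        problems.append(f"Type must be one of {sorted(VALID_TYPES)}")
    for key in ARRAY_FIELDS:
        if key in cfg and not isinstance(cfg[key], list):
            problems.append(f"{key} must be a JSON array, even for a single value")
    if isinstance(cfg.get("Schemes"), list) and not set(cfg["Schemes"]) <= VALID_SCHEMES:
        problems.append("Schemes may only contain http and/or https")
    if "APIVersion" in cfg and cfg["APIVersion"] not in VALID_API_VERSIONS:
        problems.append(f"APIVersion must be one of {sorted(VALID_API_VERSIONS)}")
    proxy = cfg.get("Proxy")
    if proxy is not None:
        problems += [f"Proxy.{key} is required" for key in ("Host", "Port") if key not in proxy]
    return problems


# Constructed sample that satisfies every rule in the table.
GOOD_CONFIG = """{
  "APIDefinition": "https://api.example.test/service?wsdl",
  "Type": "SOAP",
  "Schemes": [ "https" ],
  "Host": "api.example.test",
  "APIVersion": "Newest",
  "Proxy": { "Host": "proxy.example.test", "Port": 8080 },
  "excludeOperations": [ "DeleteAccount" ]
}"""

# Constructed sample with several mistakes: unknown Type, Schemes as a bare
# string, no Host, Proxy without a Port, and an unknown APIVersion.
BAD_CONFIG = '{ "APIDefinition": "/tmp/service.wsdl", "Type": "REST", "Schemes": "http", "APIVersion": "Latest", "Proxy": { "Host": "proxy.example.test" } }'
```

Running `check_config` on a file before starting a scan catches the array and quoting mistakes that otherwise only surface when the scan fails to load its settings.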

For sample JSON configuration files, see API Scan Configuration File Samples.