Scanning an API with wi.exe

You can scan the following API types from the command-line interface (CLI) using wi.exe:

GraphQL
gRPC
OData
SOAP
Swagger

In the command, you can point to a definition file or an endpoint for the service. Optionally, you can create a scan configuration file that includes additional information, such as authentication and proxy settings, and point to the settings file in the command.

Process Overview

The following table describes the process for scanning an API with wi.exe.

Stage Description

Stage	Description
1.	Optionally, prepare an API scan configuration file (JSON). For more information, see Understanding the API Scan Configuration File. Tip: If you do not need any custom configuration, such as authentication, a proxy, or a service path that is different than the URL, then you do not need to create a scan configuration file.
2.	Open the CLI and run a scan using `wi.exe` with the `-api` option as shown in the following examples. `wi.exe -xd -api SOAP -u "D:\Development\soapConfig.json"` `wi.exe -api GraphQL -u "http://localhost:5013/graphql" -tm -pc "C:\ProgramData\hp\HP WebInspect\Policies\<custom_policy>.policy"` For more information on wi.exe options, see Using wi.exe.
3.	To view the results, open the scan in Fortify WebInspect. The scan name will be `API Assessment <API_Type> <Service_URL>`. Note: You cannot view the scan in Fortify WebInspect until the scan has completed.

Optionally, prepare an API scan configuration file (JSON). For more information, see Understanding the API Scan Configuration File.

Tip: If you do not need any custom configuration, such as authentication, a proxy, or a service path that is different than the URL, then you do not need to create a scan configuration file.

Open the CLI and run a scan using wi.exe with the -api option as shown in the following examples.

wi.exe -xd -api SOAP -u "D:\Development\soapConfig.json"

wi.exe -api GraphQL -u "http://localhost:5013/graphql" -tm -pc "C:\ProgramData\hp\HP WebInspect\Policies\<custom_policy>.policy"

For more information on wi.exe options, see Using wi.exe.

To view the results, open the scan in Fortify WebInspect. The scan name will be API Assessment <API_Type> <Service_URL>.

Note: You cannot view the scan in Fortify WebInspect until the scan has completed.

Important Considerations About Definition Files

Consider the following facts when configuring your scan settings file or constructing your CLI command:

Fortify WebInspect attempts to generate the definition from the URL provided in the CLI command. It assumes that the API endpoint is the same URL, but without the file name. If your service is at the same location as your definition file, which is generally the case for GraphQL, then providing a URL will work. However, the definition may be in a different location for SOAP and gRPC.
The GraphQL API must have introspection enabled to download the schema contents for the scan. If you do not want to enable introspection, you can perform a full schema query (an introspection query). You can then place the response into the APIDefinition setting in the JSON file.

Recommendations

Follow these recommendations when conducting an API scan using wi.exe:

An API scan uses the API discovery engine regardless of the policy used. However, if the API discovery check is not enabled in the policy, then it will not appear in the findings. For this reason, Fortify recommends that you use a policy that has the API discovery check enabled.
Fortify recommends that you run only one scan at a time. When using SQL Express, in particular, depending on the size of the site, conducting concurrent (or parallel) scans might result in high usage of RAM, CPU, and disk resources on the Fortify WebInspect host.