Postman API Scan Using WI.exe or WebInspect REST API

This topic describes the process for conducting a scan using a Postman collection in the Fortify WebInspect REST API or Wi.exe. To conduct a scan using the API Scan Wizard, see Using the API Scan Wizard.

Recommendation

Fortify recommends that you run only one scan at a time. When using SQL Express, in particular, depending on the size of the site, conducting concurrent (or parallel) scans might result in high usage of RAM, CPU, and disk resources on the Fortify WebInspect host.

Process

The following stages describe the process for conducting a scan using a Postman collection.

Stage 1. Do the following in Postman:

  1. Create a Postman collection file, following the guidelines mentioned previously in this topic.

  2. Save each API call in Postman individually.

  3. Click Runner to open the Newman command-line Collection Runner.

Stage 2. Do the following in the Newman command-line Collection Runner:

  1. With the collection open in the Collection Runner, ensure that the API calls are in the correct order for execution.

  2. Click Run <Collection Name>.

  3. Inspect the responses from each call to ensure the requests were successful.

Stage 3. Do one of the following in Fortify WebInspect:

  • To use the Fortify WebInspect REST API:

    1. Configure and start the Fortify WebInspect API. See Configuring the Fortify WebInspect REST API.

    2. Access the Postman API endpoint in the Swagger UI. See Accessing the Fortify WebInspect REST API Swagger UI.

    3. Configure the endpoint according to the instructions in the Swagger UI.

    4. Execute the endpoint sample scripts from the Swagger UI or your API tool of choice.

      Important! Include a scan settings file with the appropriate settings that provide access to the site in your Postman collection. For example, include the correct allowed hosts, proxy settings, and so on. If you do not specify a settings file, then the default scan settings from Fortify WebInspect are applied to the scan.

  • To use Wi.exe:

    1. Launch the CLI as described in Command-line Execution.

    2. Construct your command using the Postman Scans options described in Using wi.exe.

Stage 4. The endpoint or CLI command returns the scan ID (GUID) and the results of the Postman collection.
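Two things in the stages above are easy to get wrong before the collection ever reaches the scanner: the execution order of the calls (stage 2, step 1) and the allowed hosts in the scan settings (the Important! note in stage 3). The script below is an added example, not Fortify code and not part of this topic; it reads a Postman Collection v2.1 file, lists the requests in the order the Collection Runner will send them, and reports every request whose host is not in a supplied allowed-hosts list or whose URL still depends on an unset Postman variable such as {{baseUrl}}. The collection embedded in the script is constructed for the example, and the allowed-hosts list is a plain Python list because the page does not show the scan settings file format.

```python
import json
from urllib.parse import urlsplit

# Constructed sample collection in Postman Collection v2.1 layout (not from the page).
# It mixes the three URL forms Postman writes: a string, an object with "raw",
# and a string that still references a collection variable.
SAMPLE_COLLECTION = json.dumps({
    "info": {
        "name": "orders-api",
        "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
    },
    "item": [
        {"name": "Login",
         "request": {"method": "POST", "url": "https://api.example.test/auth/login"}},
        {"name": "Orders", "item": [  # a folder: nested "item" list instead of "request"
            {"name": "List orders",
             "request": {"method": "GET",
                         "url": {"raw": "https://api.example.test/orders?page=1",
                                 "protocol": "https",
                                 "host": ["api", "example", "test"],
                                 "path": ["orders"]}}},
            {"name": "Payment callback",
             "request": {"method": "POST", "url": "https://payments.example.test/callback"}},
        ]},
        {"name": "Health check",
         "request": {"method": "GET", "url": "{{baseUrl}}/health"}},
    ],
})


def _url_to_string(url):
    """Postman stores a request URL as a plain string or as an object;
    normalise both to one string, preferring the object's 'raw' form."""
    if isinstance(url, str):
        return url
    if "raw" in url:
        return url["raw"]
    host = url.get("host", [])
    host = ".".join(host) if isinstance(host, list) else host
    path = url.get("path", [])
    path = "/".join(path) if isinstance(path, list) else path
    return f"{url.get('protocol', 'https')}://{host}/{path}"


def iter_requests(collection):
    """Walk the collection depth-first in file order, which is the order the
    Collection Runner executes requests. Yields (name, method, url)."""
    for item in collection.get("item", []):
        if "item" in item:                      # folder: recurse into it
            yield from iter_requests(item)
        elif "request" in item:
            req = item["request"]
            if isinstance(req, str):            # v2.1 allows a bare URL as the request
                yield item.get("name", "<unnamed>"), "GET", req
            else:
                yield (item.get("name", "<unnamed>"),
                       req.get("method", "GET"),
                       _url_to_string(req["url"]))


def execution_order(collection_text):
    """Request names in the order the runner will send them."""
    return [name for name, _, _ in iter_requests(json.loads(collection_text))]


def hosts_not_allowed(collection_text, allowed_hosts):
    """Return (request name, host) pairs whose host is missing from
    allowed_hosts. '<unresolved>' marks a URL still built from a Postman
    variable, which the scanner cannot resolve from the settings file."""
    allowed = {h.lower() for h in allowed_hosts}
    problems = []
    for name, _, url in iter_requests(json.loads(collection_text)):
        if "{{" in url:
            problems.append((name, "<unresolved>"))
            continue
        host = urlsplit(url).hostname or ""
        if host.lower() not in allowed:
            problems.append((name, host))
    return problems


if __name__ == "__main__":
    print("Execution order:", execution_order(SAMPLE_COLLECTION))
    for name, host in hosts_not_allowed(SAMPLE_COLLECTION, ["api.example.test"]):
        print(f"Not covered by allowed hosts: {name!r} -> {host}")
```

Run it against a real exported collection by replacing SAMPLE_COLLECTION with the file contents; every host it reports either needs to be added to the allowed hosts in the scan settings file or the request belongs outside the scan, and any unresolved variable means the environment that supplied it in Postman is not available to the scanner.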