Configuring Scan Details for API and Web Service Scans

The default policy for API and Web service scans is the API policy. You can select a different policy and select other options for the scan in the Detailed Scan Configuration page of the API Scan Wizard.

Selecting a Policy for API Scans

By default, the API policy is selected for API scans. However, you can select a different policy if needed.

Note: The default policy for legacy SOAP Web Service scans is the SOAP policy. You cannot change the policy for legacy scans.

To select a different policy:

  1. In the Audit Depth (Policy) area, select a policy from the drop-down list.

  2. Proceed to Configuring Additional Settings for API and Web Service Scans.

Launching the Web Service Test Designer

If you are configuring a Web Service Scan, you might want to launch the Web Service Test Designer to confirm that the imported WSD or WSDL file behaves as intended.

To launch the Web Service Test Designer:

  1. Click Design.

    The Web Service Test Designer opens, with the imported WSDL in view.

  2. Edit the file as needed.

    For more information, see the Web Service Test Designer Help or the Micro Focus Fortify WebInspect Tools Guide.

  3. In the Web Service Test Designer, save the WSD file.

  4. Proceed to Configuring Additional Settings for API and Web Service Scans.

Configuring Additional Settings for API and Web Service Scans

Optionally, you may select or configure additional settings in the Settings section as described in the following table.

If you want to... Then...
Use the stand-alone proxy server

Select Launch and Direct Traffic through Web Proxy.

Note: This option is not available if you are scheduling a scan.

Capture and display every HTTP request sent by Fortify WebInspect during the scan

Select Enable Traffic Monitor.

Reuse false positives that have already been identified
  1. Select Import False Positives.

  2. Click the select scans link to select one or more scans from which to import false positives.

Add allowed hosts
  1. In the Add Allowed Hosts section, click Add.

  2. On the Specify Allowed Host dialog box, enter a URL (or a regular expression representing a URL).

    Note: When specifying the URL, do not include the protocol designator (such as http:// or https://).

  3. If you entered a regular expression for the allowed host, select Use Regular Expression.

    Tip: For assistance creating a regular expression, click the button to the right of the Allowed Host box.

  4. Click OK.

    The URL is added to the Allowed Hosts list.
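
The following pre-flight check for an allowed host entry is an added example, not part of the original documentation or of Fortify WebInspect. It assumes the regular expression is applied as an unanchored, case-insensitive search against the host name (the page does not state the matching semantics); the function name and all host names are constructed for illustration.

```python
import re

# Constructed sample host names (not from the original page). Only the first
# one is meant to be in scope for the scan.
SAMPLE_HOSTS = [
    "api.example.com",
    "api2.example.com",
    "apiXexample.com",
    "api.example.com.other.test",
]


def check_allowed_host(entry, is_regex, hosts=SAMPLE_HOSTS):
    """Return (problems, matched_hosts) for a candidate Allowed Host entry.

    Hypothetical helper: it reviews the entry before it is typed into the
    Specify Allowed Host dialog box and shows which sample hosts it would
    bring into scope.
    """
    problems = []
    # The page says not to include the protocol designator.
    if "://" in entry:
        problems.append("remove the protocol designator")

    if not is_regex:
        # Literal entry: only the exact host name is in scope.
        return problems, [h for h in hosts if h.lower() == entry.lower()]

    try:
        pattern = re.compile(entry, re.IGNORECASE)
    except re.error as exc:
        return problems + [f"invalid regular expression: {exc}"], []

    # Assumption: matching is an unanchored search, so a pattern without
    # ^ and $ also matches longer host names that merely contain it.
    if not (entry.startswith("^") and entry.endswith("$")):
        problems.append("pattern is not anchored with ^ and $")
    # Heuristic: a '.' that is neither escaped nor followed by a quantifier
    # was probably meant as a literal dot but matches any character.
    if re.search(r"(?<!\\)\.(?![*+?{])", entry):
        problems.append("unescaped '.' matches any character")

    return problems, [h for h in hosts if pattern.search(h)]
```

Run it with the host names the scan is authorized to reach plus a few that must stay out of scope; any out-of-scope name in the returned match list means the pattern is too broad.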

What's Next?

To save the settings, run the scan, or schedule the scan, click Next and proceed with Saving Settings or Starting the API Scan.