API definition scan

Prisma Cloud scans the API definition files and generates a report for any errors, or shortcomings such as structural issues, compromised security, best practices, and so on. API definition scan supports scanning OpenAPI 2.X and 3.X definition files in either YAML or JSON formats.
You can use the following methods to scan an API definition file:
  • Upload API definition file to Console
  • Run twistcli, a CLI tool aimed for CI/CD. Twistcli scans the API definition file and returns a full report with issues.
  • Import an OpenAPI definition file into a WAAS app: When you import an OpenAPI definition file into a WAAS app, the Console automatically scans for issues. You can view the full report of the scan by navigating to
    Monitor
    >
    WAAS
    >
    API definition scan
    .

twistcli reference for scanning API definition files

Run the following command:
$ ./twistcli waas openapi-scan </path/to/file/example.yaml>
Syntax
:
twistcli waas openapi-scan [command options] [arguments...]
OPTIONS
:
  • address value: Prisma Cloud Console URL. This is the value twistcli uses to connect to Console (required) (default: "https://127.0.0.1:8083")
  • exit-on-error: Immediately exits scan if an error is encountered (not supported with --containerized)
  • password value, -p value: Password for authenticating with Prisma Cloud Console. For Prisma Cloud Enterprise Edition, specify the secret key associated with the access key ID passed to --user [$TWISTLOCK_PASSWORD]
  • project value: Target project
  • tlscacert value: Path to Prisma Cloud CA certificate file
  • token value: Token for authenticating with Prisma Cloud Console
  • user value, -u value: User for authenticating with Prisma Cloud Console. For Prisma Cloud Enterprise Edition, specify an access key ID (default: "admin") [$TWISTLOCK_USER]

Upload API definition file

To import an API definition file, follow the steps below:
  1. Open the Console, and go to
    Monitor > WAAS > API definition scan
    .
  2. Upload
    an API definition scan file.
    The following screenshot shows the API definition scan files:
    You can also filter the API definition files by using the scan date, import source, or file name.

View API definition scan report details

  1. Open the Console, and go to go to
    Monitor > WAAS > API definition scan
    .
    API definition scan reports are available along with the description of the file source such as twistcli scan, upload to the console, or WAAS app (where the file was imported).
  2. In the
    Actions
    column, click
    View
    .
    The following screenshot shows the severity of issues and their related categories:
  3. To view detailed information such as reference to the file, issue link, and so on for a specific issue, click on an issue under the
    Findings
    column.
    The following screenshot shows a preview of various locations and details in the Openapi spec file for a selected issue:

Recommended For You