CI/CD Integration for API Scanning

This article describes how to start a scan against a specific API using Data Theorem’s API.

...

Data Theorem’s API can be used to start a scan against a specific RESTful API:

  1. Retrieve an API Key that has the permission to start API Secure scans; API keys are available in the Data Theorem portal at https://www.securetheorem.com/devsecops/v2/scancicd.

  2. Retrieve the RESTful API’s ID from the API’s page in the Data Theorem portal:

    (Screenshot: the API's page in the Data Theorem portal, where the API's ID is shown)

  3. An API scan can then be started using the following curl command:

    Code Block
    curl -X POST https://api.securetheorem.com/apis/devops/v1/asset_scans/restful_api_scans \
    -H "Content-Type: application/json" \
    -d '{"asset_id":"89ad145e-8242-41a4-93c1-5fc2c633b49d", "asset_base_url":"https://orderfood.google.com"}' \
    -H "Authorization: APIKey ABCD123456="

    The response will contain information about the scan in the following format:

    Code Block
    {
      "id":"06bd22cb-ad9b-48d3-8158-4b3cd6142db6",
      "asset_id":"89ad145e-8242-41a4-93c1-5fc2c633b49d",
      "asset_base_url":"https://orderfood.google.com",
      "asset_type":"RESTFUL_API",
      "status":"ONGOING",
      "failed_reason":null
    }

  4. (Optional) Using the ID of the scan returned by the previous call, the following curl command can be used to check the status of the scan:

    Code Block
    curl -X GET 'https://api.securetheorem.com/apis/devops/v1/asset_scans/restful_api_scans/06bd22cb-ad9b-48d3-8158-4b3cd6142db6' \
    -H "Authorization: APIKey ABCD123456="


    Once completed, the results of the scan will be visible in the Data Theorem portal in the RESTful API’s asset page.

Additional options for RESTful API scans

...

Similarly to RESTful APIs, Data Theorem’s API can be used to start a scan against a specific GraphQL API:

  1. Retrieve an API Key that has the permission to start API Secure scans; API keys are available in the Data Theorem portal at https://www.securetheorem.com/devsecops/v2/scancicd.

  2. Retrieve the GraphQL API’s ID from the API’s page in the Data Theorem portal:

    (Screenshot: the GraphQL API's page in the Data Theorem portal, where the API's ID is shown)

  3. An API scan can then be started using the following curl command:

    Code Block
    curl -X POST https://api.securetheorem.com/apis/devops/v1/asset_scans/graphql_api_scans \
    -H "Content-Type: application/json" \
    -d '{"asset_id":"c94aa607-0cd0-46cb-8472-4a24b34e1b70", "asset_base_url":"https://graphql-test-api-sc.uc.r.appspot.com/"}' \
    -H "Authorization: APIKey ABCD123456="


    Once completed, the results of the scan will be visible in the Data Theorem portal in the GraphQL API’s asset page.
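As an added example (not Data Theorem's own client and not code from this page), the following Python script wraps the RESTful and GraphQL scan-start calls and the optional status check above into functions a CI step can call, and makes the step fail loudly if the scan reports a failed_reason or never leaves ONGOING. It assumes the GraphQL status endpoint follows the same path pattern as the RESTful one shown on the page; the FakeTransport, its scan IDs and its final status value are constructed stand-ins so the script runs offline.

```python
import json
import time
import urllib.request

# Endpoints from the page's curl examples; the status GET for graphql_api_scans is assumed.
API_BASE = "https://api.securetheorem.com/apis/devops/v1/asset_scans/"
SCAN_KINDS = ("restful_api_scans", "graphql_api_scans")


def http_json(method, url, api_key, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", "APIKey " + api_key)  # same header as the curl examples
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def start_scan(kind, asset_id, asset_base_url, api_key, transport=http_json):
    """POST a scan request; returns the scan record (id, asset_id, status, ...)."""
    if kind not in SCAN_KINDS:
        raise ValueError("unsupported scan kind: " + kind)
    body = {"asset_id": asset_id, "asset_base_url": asset_base_url}
    return transport("POST", API_BASE + kind, api_key, body)


def wait_for_scan(kind, scan_id, api_key, transport=http_json, attempts=60, delay=30.0):
    """Poll until status leaves ONGOING. Raises RuntimeError on a reported failure or
    when the attempt budget runs out, so a CI step fails instead of passing by default."""
    for n in range(attempts):
        record = transport("GET", API_BASE + kind + "/" + scan_id, api_key)
        if record["status"] != "ONGOING":
            if record.get("failed_reason"):
                raise RuntimeError("scan %s failed: %s" % (scan_id, record["failed_reason"]))
            return record
        if n + 1 < attempts:
            time.sleep(delay)
    raise RuntimeError("scan %s still ONGOING after %d checks" % (scan_id, attempts))


class FakeTransport:
    """Constructed offline stand-in for http_json: POST answers ONGOING, the first GET still
    says ONGOING, later GETs report final_status (the real final values are not on the page)."""
    def __init__(self, final_status="DONE_PLACEHOLDER", fail_reason=None):
        self.calls, self.final_status, self.fail_reason = [], final_status, fail_reason

    def __call__(self, method, url, api_key, body=None):
        self.calls.append((method, url))
        if method == "POST":
            return dict(body, id="scan-0001-constructed", status="ONGOING", failed_reason=None)
        gets = sum(1 for m, _ in self.calls if m == "GET")
        status = "ONGOING" if gets < 2 else self.final_status
        return {"id": url.rsplit("/", 1)[1], "status": status, "failed_reason": self.fail_reason}
```

In a real pipeline, pass the API key from the CI secret store and drop the transport argument so http_json is used.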

Starting a scan against all assets in an Asset Group

In addition, Data Theorem's API can be used to start a scan against every API-type asset in a specified asset group that is currently supported by the integration:

  1. Retrieve an API Key that has the permission to start API Secure scans; API keys are available in the Data Theorem portal at https://www.securetheorem.com/devsecops/v2/scancicd.

  2. Retrieve the Asset Group’s ID from the API’s page in the Data Theorem portal:

    (Screenshot: the page in the Data Theorem portal where the Asset Group's ID is shown)

  3. An API scan can then be started using the following curl command:

    Code Block
    curl -X POST https://api.securetheorem.com/apis/devops/v1/asset_scans/asset_group_scans \
    -H "Content-Type: application/json" \
    -d '{"asset_group_id":"e642b346-2589-4eea-bcda-cbf4c72723c9"}' \
    -H "Authorization: APIKey ABCD123456="


    One scan per supported asset in the asset group will be created; once they complete, the results of the individual scans will be visible in the Data Theorem portal on each API's asset page.

Integrating into a CI/CD pipeline

GitHub Action

A GitHub Action for API scanning is available at https://github.com/marketplace/actions/data-theorem-api-secure.

Other CI/CD platforms

Most CI/CD platforms (Travis CI, CircleCI, etc.) allow running a bash script as a step within the CI pipeline.

The following file is an example of a GitHub workflow that will trigger an API scan every time the repository is tagged with a new version. A similar workflow can be configured on other CI/CD platforms.

To set up this workflow:

  1. Create a new repository secret containing your API key (called DATATHEOREM_API_KEY in the example below).

  2. Create a new workflow by creating a file at .github/workflows/datatheorem.yaml with the following content:

Code Block (YAML)
name: Data Theorem API Secure Restful API Scans
on:
  push:
    tags:
       - '*'
jobs:
  datatheorem-apisecure-restful-api-scan:
    runs-on: ubuntu-latest
    steps:
      - env:
          ASSET_ID: 89ad145e-8242-41a4-93c1-5fc2c633b49d
          ASSET_BASE_URL: https://orderfood.google.com
          DATATHEOREM_API_KEY: ${{ secrets.DATATHEOREM_API_KEY }}
        run: |
          curl -s -X POST https://api.securetheorem.com/apis/devops/v1/asset_scans/restful_api_scans \
               -H "Content-Type: application/json" \
               -d "{\"asset_id\":\"$ASSET_ID\", \"asset_base_url\":\"$ASSET_BASE_URL\"}" \
               -H "Authorization: APIKey $DATATHEOREM_API_KEY"

...