CI/CD Integration for API Scanning
This article describes how to start a scan against a specific API using Data Theorem’s API.
This can for example be used as part of a CI/CD pipeline in order to start API scans after deploying a new version of the API.
Starting a scan against a RESTful API
Data Theorem’s API can be used to start a scan against a specific RESTful API:
Retrieve an API Key that has the permission to start API Secure scans; API keys are available in the Data Theorem portal at https://pr-1593.demotheorem.com/mobile/sdlc/results_api_access .
Retrieve the RESTful API’s ID from the API’s page in the Data Theorem portal:
An API scan can then started using the following CURL command:
curl -X POST https://api.securetheorem.com/apis/devops/v1/asset_scans/restful_api_scans \ -H "Content-Type: application/json" \ -d '{"asset_id":"89ad145e-8242-41a4-93c1-5fc2c633b49d", \ "asset_base_url":"https://orderfood.google.com"}' \ -H "Authorization: APIKey ABCD123456="
Once completed, the results of the scan will be visible in the Data Theorem portal in the RESTful API’s asset page.
Additional options for RESTful API scans
Optionally, the following configuration settings can be specified within the
should_perform_pii_analysis
: If set to True, the API responses received by the scanner will be analyzed for PII data (Hack&Extract).should_perform_sql_injection_scan
: If set to True, the API’s parameters will be scanned for SQL injection issues (Detect&Inject).Warning: this type of scan requires sending a lot of requests to the API, will significantly increase the load on the API, and could potentially disrupt it.
For example, the following CURL command will enable PII scanning:
curl -v -X POST https://api.securetheorem.com/apis/devops/v1/asset_scans/restful_api_scans \ -H "Content-Type: application/json" \ -d '{"asset_id":"89ad145e-8242-41a4-93c1-5fc2c633b49d", \ "asset_base_url":"https://orderfood.google.com", \ "restful_api_scan_config":{"should_perform_pii_analysis": true}}' \ -H "Authorization: APIKey ABCD123456="
Starting a scan against a GraphQL API
Similarly to RESTful APIs, Data Theorem’s API can be used to start a scan against a specific GraphQL API:
Retrieve an API Key that has the permission to start API Secure scans; API keys are available in the Data Theorem portal at https://pr-1593.demotheorem.com/mobile/sdlc/results_api_access .
Retrieve the GraphQL API’s ID from the API’s page in the Data Theorem portal:
An API scan can then started using the following CURL command:
curl -X POST https://api.securetheorem.com/apis/devops/v1/asset_scans/graphql_api_scans \ -H "Content-Type: application/json" \ -d '{"asset_id":"c94aa607-0cd0-46cb-8472-4a24b34e1b70", \ "asset_base_url":"https://graphql-test-api-sc.uc.r.appspot.com/"}' \ -H "Authorization: APIKey ABCD123456="
Once completed, the results of the scan will be visible in the Data Theorem portal in the GraphQL API’s asset page.
Integrating into a CI/CD pipeline
GitHub Actions
For APIs with their code repository hosted on GitHub, a GitHub Actions workflow can be configured. The workflow will trigger an API scan every time the repository is tagged with a new version.
To setup this workflow:
Create a new secret containing your API key (called
DATATHEOREM_API_KEY
in the below example).Create a new workflow by creating a file at
.github/workflows/datatheorem.yaml
with the following content:
name: Data Theorem API Secure Restful API Scans on: push: tags: - '*' jobs: datatheorem-apisecure-restful-api-scan: runs-on: ubuntu-latest steps: - env: ASSET_ID: 89ad145e-8242-41a4-93c1-5fc2c633b49d ASSET_BASE_URL: https://orderfood.google.com DATATHEOREM_API_KEY: ${{ secrets.DATATHEOREM_API_KEY }} run: | curl -s -X POST https://api.securetheorem.com/apis/devops/v1/asset_scans/restful_api_scans \ -H "Content-Type: application/json" \ -d "{\"asset_id\":\"$ASSET_ID\", \"asset_base_url\":\"$ASSET_BASE_URL\"}" \ -H "Authorization: APIKey $DATATHEOREM_API_KEY"