IAST using the REST API

You can configure and start an IAST scan, including agent deployment, through the REST API.

Before you begin

For general information about the ASoC REST API, see REST API.
See also the following resources on Swagger:

Procedure

  1. Get an API Key.
  2. Get the ID for the application in which you want to run the scan by doing one of the following:
    • In the user interface, open the tab for the specific application, and look at the URL. The last section before the word "scans" is the ID. For example, in this case:
      cloud.appscan.com/AsoCUI/serviceui/main/myapps/app01/123456a-78b-90c-123ab4c/scans
      the Application ID is: 123456a-78b-90c-123ab4c
    • Alternatively, you can get a list of all application IDs for your user (API key) through the REST API GetApps endpoint:
      request URL:
        GET https://cloud.appscan.com/api/V2/Apps
      headers:
        Authorization: Bearer <api key>
      parameters:
        $select=Id
  3. Create an IAST scan using the CreateIastAnalyzerScan endpoint:
    request URL:
      POST https://cloud.appscan.com/api/V2/Scans/IASTAnalyzer
    headers:
      Authorization: Bearer <api key>
      Accept: application/json
      Content-Type: application/json
    JSON body:
      {
        "ConnLostStopTimer": true,
        "ScanName": "<scanName>",
        "EnableMailNotification": true,
        "Locale": "en-US",
        "AppId": "<appId>",
        "Personal": false
      }
    The body is the input parameter scanModel, a JSON structure with the following fields:
    • ScanName is the name you give the scan.
    • AppId is the application ID (see the previous step).
    • ConnLostStopTimer is an optional timeout (in minutes) after which the scan is stopped if the agent connection is lost. If left empty, the scan continues even after the agent connection is lost, although there is then nothing to report. A possible use case for leaving it empty is to keep the license held so that another user cannot take it in the meantime.
    • Personal should be set to false unless you want to run the scan as a personal scan.
    The response body includes ScanId. Save this to use in the next step.
  4. Download an agent pre-configured to report issues to the scan created in the previous step, using the Tools/DownloadWithKey endpoint:
    request URL:
      GET https://cloud.appscan.com/api/V2/Tools/IAST/DownloadWithKey?scanId=<scan_id>
    headers:
      Authorization: Bearer <api key>
      Accept: application/zip
    scan_id is the ScanId saved at the end of the previous step.
  5. Deploy the IAST agent on your application server.
    The agent now monitors traffic to the application and reports any vulnerabilities it detects to ASoC.
  6. Send traffic to the application for IAST to monitor. This can be your regular system tests or a DAST scan.
    Issues discovered will now be recorded in the IAST scan.
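Steps 2 to 4 as an added Python example using only the standard library; this is not HCL's code. It assumes the endpoints, headers and body fields are exactly as listed above, and that GET /Apps?$select=Id returns a JSON array of objects that each carry an "Id" field.

```python
import json
import urllib.request

BASE = "https://cloud.appscan.com/api/V2"  # endpoints from the steps above


def auth_headers(api_key, accept="application/json"):
    # ASoC takes the API key as a Bearer token in the Authorization header.
    return {"Authorization": f"Bearer {api_key}", "Accept": accept}


def scan_model(scan_name, app_id, conn_lost_stop_timer=None, personal=False):
    # Body for POST /Scans/IASTAnalyzer. The timeout is omitted when not
    # given, which is what "left empty" means in step 3.
    body = {"ScanName": scan_name, "AppId": app_id, "Personal": personal,
            "EnableMailNotification": True, "Locale": "en-US"}
    if conn_lost_stop_timer is not None:
        body["ConnLostStopTimer"] = conn_lost_stop_timer
    return body


def app_ids(apps_json):
    # Ids from a GET /Apps?$select=Id response. Assumption: the response is
    # a JSON array of objects with an "Id" field.
    return [app["Id"] for app in apps_json]


def scan_id(create_json):
    # Step 3 says the response body includes ScanId; fail loudly if it does not.
    if "ScanId" not in create_json:
        raise ValueError("no ScanId in CreateIastAnalyzerScan response")
    return create_json["ScanId"]


def call(method, url, headers, body=None):
    # Minimal HTTP helper; JSON bodies get the Content-Type header from step 3.
    data = json.dumps(body).encode() if body is not None else None
    if data is not None:
        headers = {**headers, "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()


def create_scan_and_fetch_agent(api_key, app_id, scan_name, zip_path):
    # Steps 3 and 4 end to end: create the scan, then download the agent
    # pre-configured for it. Returns the ScanId for later use.
    created = json.loads(call("POST", f"{BASE}/Scans/IASTAnalyzer",
                              auth_headers(api_key), scan_model(scan_name, app_id)))
    sid = scan_id(created)
    agent = call("GET", f"{BASE}/Tools/IAST/DownloadWithKey?scanId={sid}",
                 auth_headers(api_key, accept="application/zip"))
    with open(zip_path, "wb") as f:
        f.write(agent)
    return sid
```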