Package: Invicti AppSec Core (on-demand)
API types and specification formats
Understanding which API formats Invicti AppSec Core supports helps you plan your security coverage and onboard the right APIs for scanning. This document provides information about the API types and specification formats that Invicti AppSec Core can discover and scan. The API discovery and API scanning sections cover different format sets, so read both to understand your full coverage.
Why this matters
Knowing which API types and specification formats Invicti AppSec Core supports helps you assess your coverage and plan your API security strategy. If your APIs use formats outside the supported list, you know to prioritize updating or supplementing them before onboarding them for scanning. If you have APIs in formats that aren't supported, contact Invicti Support to discuss your options.
API discovery
You can discover the following API types and specification formats:
- REST APIs: OpenAPI3 and Swagger2 (the Mulesoft Anypoint Exchange integration can also discover RAML files)
After discovering your OpenAPI3 and Swagger2 specification files, you can link them to existing or new targets in Invicti AppSec, and Invicti AppSec scans them for vulnerabilities the next time it scans the linked target. For more information about API discovery and how it works, refer to Introduction to API discovery.
API scanning
You can scan the following API types and specification formats:
- REST APIs: OpenAPI3, Swagger2, RAML, WADL, and Postman collection
- SOAP: WSDL
- GraphQL: .graphql, .json
- LLM-powered APIs: Specialized testing for AI chatbots and virtual assistants (refer to LLM-based app vulnerability testing)
To scan any of these API files for vulnerabilities, upload the file to the associated target, or if the file has a hosted URL, link that URL to the target. For information on how to do this, refer to Add paths via import files/API definitions.
Development on Invicti AppSec Core is ongoing to extend API discovery and scanning to more API types and specification formats.
Troubleshooting
If a specification file isn't picked up during API discovery, verify it matches a supported format and version (OpenAPI3 or Swagger2). Files in other formats aren't reconstructed or imported automatically.
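A quick local pre-check for the situation above, as an added example that is not Invicti's code: before uploading or linking a specification file, classify it by format and see whether it falls in the discovery set (OpenAPI3, Swagger2) or the scan-only set (RAML, WADL, Postman collection, WSDL, GraphQL). The version keys and XML namespace URIs are the published identifiers of each format; the sample documents and the `classify_spec`/`coverage` function names are constructed for this example.

```python
"""Triage API specification files before onboarding them for scanning.

Added example (not Invicti's code). It inspects a spec document's text and
returns the format family, then maps that family to the coverage the page
describes: discovery plus scanning for OpenAPI3/Swagger2, scanning only for
the other listed formats. The SAMPLES below are constructed documents.
"""
import json
import re
import sys

# Formats named on the page, grouped by what AppSec Core does with them.
DISCOVERABLE = {"openapi3", "swagger2"}
SCAN_ONLY = {"raml", "wadl", "postman", "wsdl", "graphql"}

# Top-level version key as it appears in YAML or JSON OpenAPI/Swagger files.
_VERSION_KEY = re.compile(
    r'^\s*["\']?(openapi|swagger)["\']?\s*:\s*["\']?(\d[\w.]*)', re.MULTILINE
)
# GraphQL SDL: a named type/interface/input/enum block, or a bare schema block.
_GRAPHQL_SDL = re.compile(
    r"^\s*(?:type|interface|input|enum)\s+\w+[^{\n]*\{|^\s*schema\s*\{", re.MULTILINE
)


def classify_spec(text: str) -> str:
    """Return the format family of a spec document, or 'unknown'."""
    body = text.lstrip()

    # RAML files must begin with the '#%RAML <version>' header comment.
    if body.startswith("#%RAML"):
        return "raml"

    # XML families: WSDL and WADL are recognised by their root namespaces.
    if body.startswith("<"):
        if "http://schemas.xmlsoap.org/wsdl/" in body:
            return "wsdl"
        if "http://wadl.dev.java.net/2009/02" in body:
            return "wadl"
        return "unknown"

    # JSON documents: Postman collection, GraphQL introspection, OpenAPI/Swagger.
    if body.startswith("{"):
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            return "unknown"
        info = doc.get("info")
        schema = info.get("schema", "") if isinstance(info, dict) else ""
        if "getpostman.com" in str(schema):
            return "postman"
        data = doc.get("data")
        if "__schema" in doc or (isinstance(data, dict) and "__schema" in data):
            return "graphql"
        if str(doc.get("openapi", "")).startswith("3."):
            return "openapi3"
        if str(doc.get("swagger", "")) == "2.0":
            return "swagger2"
        return "unknown"

    # YAML OpenAPI/Swagger: look for the top-level version key first, so that
    # nested 'type:' keys in a YAML schema are never mistaken for GraphQL SDL.
    m = _VERSION_KEY.search(body)
    if m:
        key, version = m.groups()
        if key == "openapi" and version.startswith("3."):
            return "openapi3"
        if key == "swagger" and version == "2.0":
            return "swagger2"
        return "unknown"

    if _GRAPHQL_SDL.search(body):
        return "graphql"
    return "unknown"


def coverage(fmt: str) -> str:
    """Map a format family to the coverage the page describes."""
    if fmt in DISCOVERABLE:
        return "discovery and scanning"
    if fmt in SCAN_ONLY:
        return "scanning only (upload the file or link its URL to a target)"
    return "unsupported"


# Constructed sample documents, one per format family named on the page.
SAMPLES = {
    "orders.yaml": 'openapi: 3.0.3\ninfo:\n  title: Orders\n  version: "1.0"\npaths: {}\n',
    "orders-v2.json": '{"swagger": "2.0", "info": {"title": "Orders", "version": "1.0"}, "paths": {}}',
    "orders.raml": "#%RAML 1.0\ntitle: Orders\n",
    "orders.wsdl": '<?xml version="1.0"?>\n<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"/>',
    "orders.wadl": '<application xmlns="http://wadl.dev.java.net/2009/02"/>',
    "orders.postman.json": '{"info": {"name": "Orders", "schema": '
    '"https://schema.getpostman.com/json/collection/v2.1.0/collection.json"}, "item": []}',
    "schema.graphql": "type Query {\n  orders: [Order]\n}\ntype Order {\n  id: ID!\n}\n",
    "introspection.json": '{"data": {"__schema": {"types": []}}}',
    "notes.txt": "not a specification\n",
}


def triage(docs):
    """Return {name: (format, coverage)} for a mapping of file name to text."""
    return {name: (fmt, coverage(fmt)) for name, fmt in
            ((n, classify_spec(t)) for n, t in docs.items())}


if __name__ == "__main__":
    # With file paths as arguments, triage those; otherwise the samples.
    if len(sys.argv) > 1:
        docs = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]}
    else:
        docs = SAMPLES
    for name, (fmt, cov) in triage(docs).items():
        print(f"{name:22} {fmt:10} {cov}")
```

Run it with no arguments to see the constructed samples classified, or pass your own specification files as arguments. A file reported as "unsupported" is the one to convert or supplement before onboarding.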
Need help?
The Invicti Support team is ready to provide you with technical help. Go to the Help Center.