Availability

Package: Invicti AppSec Core (on-demand)

Configure target scan inputs

Focus DAST scans on the assets that matter by supplying API specifications and supporting files for each target. This document explains how to upload scan inputs on the target's Scan configuration tab and how to restrict scans to those imported sources.

To open the page: select Inventory > Targets from the left-side menu, click the target name, then select Scan configuration.

Why this matters

Without input files, scanners rely only on crawler discovery and can miss API-only paths or hidden routes. Importing specifications and files gives the scanner explicit paths to test. Restricting scans to imported sources helps you keep testing tightly scoped when broad crawling isn't allowed.

Add API specifications for explicit API coverage

In the No API specifications imported section, add one or more API specs:

  • Click Upload specification to upload a local API description file.
  • Click Link from URL to import an API specification from a hosted URL.

After import, the list in this section shows the specifications associated with the target.

Add project files to improve path discovery

In the No files added section, click Upload file and add files that help define application structure and routes.

Use this when your application has paths that aren't easily discoverable through crawling alone.

Keep scans limited to imported sources when needed

Use Restrict scans to imported files and API specifications when your policy requires controlled scope.

  • Set Yes when scans must stay within uploaded files and imported API specs.
  • Set No when you want the scanner to use imported inputs and broader crawling together.

Click Save target configuration to apply changes.

Troubleshooting

My imported specification doesn't appear in the list

Refresh the page and check whether the import completed successfully. If the file is malformed or unreachable from the provided URL, the list doesn't update. Re-upload the file or verify the URL and try again.

The scanner still tests paths outside my uploaded inputs

Confirm Restrict scans to imported files and API specifications is set to Yes and saved. If it already is, verify the extra paths aren't explicitly included by your imported specification content.
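One way to check a specification before importing it, covering both troubleshooting cases above (a malformed file, and paths outside the intended scope). This is an added example, not Invicti code: it assumes the specification is an OpenAPI 3 document in JSON, and the function names, host names and sample spec are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def _urls(node):
    """Server URLs declared on a spec node (document, path item or operation)."""
    servers = node.get("servers") if isinstance(node, dict) else None
    return [s["url"] for s in servers or [] if isinstance(s, dict) and "url" in s]

def spec_operations(spec_text):
    """Return (METHOD, url) for every operation; raise ValueError if malformed."""
    try:
        spec = json.loads(spec_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from exc
    if not isinstance(spec, dict) or not isinstance(spec.get("paths"), dict):
        raise ValueError("no 'paths' object found")
    ops = []
    for path, item in spec["paths"].items():
        if not isinstance(item, dict):
            continue
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skips 'parameters', 'summary', 'servers', ...
            # Most specific servers list wins; OpenAPI defaults to "/" if none.
            bases = _urls(op) or _urls(item) or _urls(spec) or ["/"]
            ops += [(method.upper(), b.rstrip("/") + path) for b in bases]
    return ops

def out_of_scope(ops, host, prefix):
    """Operations whose host or path falls outside the intended target."""
    prefix = prefix.rstrip("/")
    flagged = []
    for method, url in ops:
        parts = urlsplit(url)
        in_path = parts.path == prefix or parts.path.startswith(prefix + "/")
        # Relative server URLs carry no host in the file, so they are flagged too.
        if parts.hostname != host or not in_path:
            flagged.append((method, url))
    return flagged

# Constructed sample: one path item overrides the server with another host.
SAMPLE_SPEC = json.dumps({"openapi": "3.0.3", "servers": [{"url": "https://api.example.test/v1"}],
    "paths": {"/orders": {"get": {}, "post": {}}, "/orders/{id}": {"parameters": [], "delete": {}},
              "/admin/export": {"servers": [{"url": "https://internal.example.test"}], "get": {}}}})

if __name__ == "__main__":
    for method, url in out_of_scope(spec_operations(SAMPLE_SPEC), "api.example.test", "/v1"):
        print("outside intended scope:", method, url)
```

Any operation it reports is one the specification itself declares, so restricting scans to imported sources would still include it.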

