API catalog overview
This document is for Invicti Platform
This feature is available with Invicti API Security Standalone or Bundle
Located under Inventory in Invicti Platform, the API catalog contains all of your discovered and imported APIs. It lists every API that can be scanned for vulnerabilities once its API specification file is linked to an existing or newly created target.
This document provides an overview of the API catalog in Invicti Platform.
Access to API Security in Invicti Platform requires one of the Administrator, Owner, Security Analyst, or Security Manager roles, or a custom role that includes the API Security permission.
Features and actions
The following features and actions are available on the API catalog overview page.
API catalog table columns
The API catalog table displays the following information for each API:
- API: The name/URL of each API.
- Source: How the API was discovered or imported (for example, via an integration, Invicti NTA, or zero-config crawling).
- Target: Whether the API is linked to a target. An API must be linked to a target before it can be scanned.
- Vulnerabilities: The overall vulnerability count for the API (after it has been scanned) grouped by vulnerability severity.
- Last scanned: The date and time that the API was last scanned by Invicti.

Each row in the API catalog includes a three-dots (⋮) menu on the right. Selecting this menu opens additional actions you can perform on the selected API entry:
- Link / Unlink target—Associate or disassociate the API definition with a specific scan target.
- Edit—Modify the API's metadata such as name or description.
- Hide API—Remove the API from the visible catalog without deleting it.
- Delete API—Permanently remove the API from the catalog.
- Scan Target—Initiate a vulnerability scan on the associated target. Clicking the target name opens the scan configuration for that target.
- Add / Edit authorization—Configure or update the credentials the scanner uses to authenticate to the API, so that operations that sit behind authentication are exercised during the scan rather than skipped.
API endpoints
Each API listed in your API catalog can be expanded to show the individual endpoints it contains and their vulnerability count.
- Operation: The HTTP method and path for the endpoint (for example, GET /api/administrator/products).
- Vulnerabilities: The vulnerability count for each API endpoint (after it has been scanned), grouped by vulnerability severity. This provides quick insight into potential security risks for each endpoint. Endpoints with no detected vulnerabilities display No vulnerabilities.
- The three-dots (⋮) menu on the right of each endpoint lets you exclude that endpoint from the scan.

Bulk actions
Bulk actions allow you to manage multiple APIs at once. To use them, select one or more APIs using the checkboxes in the table, then choose an action from the Bulk Actions menu.

Available bulk actions include:
- Delete APIs—Permanently delete the selected APIs. This action cannot be undone.
View options
Click the View options menu to select or deselect table columns. This helps customize your view by showing only the information relevant to you.
You can also choose whether APIs that were hidden with the Hide API action are shown in the table.
Search and filtering
You can refine the API catalog table using the Add Filter button, or locate a specific API using the search icon (magnifying glass) in the top left.
Search
The search field performs a keyword search across API names, helping you quickly locate a specific API.
Filtering
Click Add a filter to narrow down the list of APIs based on specific criteria such as:
- Source
- Scan date
- Remote target
For more information on advanced filtering options, please refer to the Filtering document.
API details drawer
Click on any API in the catalog to open a detailed drawer view that provides comprehensive information about the API and its security posture.

Basic API information
The drawer displays the following general information about the API:
- API type: The type of API (REST, GraphQL, SOAP, gRPC, etc.)
- Authorization: Whether authentication is required and if it has been configured
- Operations count: The total number of operations (endpoints) included in the API
- Location: The host where the API is deployed
- Base URL: The root URL for the API
- Tags: Labels applied to the API for organization and filtering
- Comments: A section where you can add annotations and notes about the API
Security information
The drawer also provides security insights to help you quickly assess the API's security posture:
- Last scan: The date and time of the most recent scan, including whether authorization was used during the scan
- Newly discovered operations: Recently found API operations that were not present in previous scans
- Posture gaps: A list of identified vulnerabilities and security gaps found during scanning
- Shadow APIs: Operations that were discovered but were not documented in the original API specification
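The Operation column in the endpoints list, and the Newly discovered operations and Shadow APIs entries in this drawer, all rest on the same comparison: the set of (HTTP method, path) pairs declared in the API specification against the set actually observed. The following Python script is an added example, not Invicti code, of how such a comparison works on an OpenAPI document. The specification, the request lines and the previous-snapshot set are all constructed for the example; the `{id}` placeholder used to collapse id-like path segments and the bucket names (`exercised`, `unexercised`, `shadow`) are this example's own conventions, not catalog terminology.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

Operation = Tuple[str, str]  # (HTTP method, path or path template)

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample OpenAPI 3 document (assumption; not taken from any real API).
SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/api/products": {"get": {}, "post": {}},
        "/api/products/{productId}": {"get": {}, "delete": {}},
        "/api/administrator/products": {"get": {}},
    },
}

# Constructed request lines, as a gateway or proxy log would record them.
OBSERVED_TRAFFIC = [
    "GET /api/products",
    "GET /api/products/123?expand=1",
    "GET /api/products/456",
    "DELETE /api/products/123",
    "GET /api/administrator/products",
    "PUT /api/products/123",            # documented path, undocumented method
    "GET /api/internal/debug/config",   # path absent from the specification
    "GET /api/v2/products",
]

# Constructed snapshot of the inventory as it stood after the previous scan.
PREVIOUS_SNAPSHOT = {
    ("GET", "/api/products"), ("POST", "/api/products"),
    ("GET", "/api/products/{productId}"), ("DELETE", "/api/products/{productId}"),
    ("GET", "/api/administrator/products"),
    ("GET", "/api/v2/products"),
}


def spec_operations(spec: dict) -> Set[Operation]:
    """Every (METHOD, template) pair declared under 'paths' in an OpenAPI document."""
    ops = set()
    for template, item in spec.get("paths", {}).items():
        for method in item:
            if method.lower() in HTTP_METHODS:  # skip 'parameters', 'summary', ...
                ops.add((method.upper(), template))
    return ops


def template_to_regex(template: str) -> re.Pattern:
    """'/api/products/{productId}' -> regex matching one concrete segment per parameter."""
    segments = [s for s in template.split("/") if s]
    if not segments:
        return re.compile(r"^/?$")
    parts = [r"[^/]+" if s.startswith("{") and s.endswith("}") else re.escape(s)
             for s in segments]
    return re.compile("^/" + "/".join(parts) + "/?$")


def normalize_path(raw: str) -> str:
    """Drop query string, fragment and trailing slash so equivalent requests compare equal."""
    path = raw.split("?", 1)[0].split("#", 1)[0]
    return path.rstrip("/") or "/"


_ID_LIKE = re.compile(r"^(\d+|[0-9a-fA-F-]{32,36})$")  # integers, hex ids, UUIDs


def generalize_path(path: str) -> str:
    """Collapse id-looking segments to '{id}' so /x/123 and /x/456 count as one operation."""
    return "/" + "/".join("{id}" if _ID_LIKE.match(s) else s for s in path.split("/") if s)


def match_operation(method: str, path: str, documented: Set[Operation]) -> Optional[Operation]:
    """Return the documented (METHOD, template) a concrete request falls under, if any.
    Templates with fewer parameters are tried first so a literal path beats a wildcard."""
    for doc_method, template in sorted(documented, key=lambda op: (op[1].count("{"), op)):
        if doc_method == method and template_to_regex(template).match(path):
            return (doc_method, template)
    return None


def classify_traffic(spec: dict, request_lines: List[str]) -> Dict[str, Set[Operation]]:
    """Split observed requests into documented operations and shadow operations."""
    documented = spec_operations(spec)
    seen: Set[Operation] = set()
    shadow: Set[Operation] = set()
    for line in request_lines:
        method, raw_path = line.split(maxsplit=1)
        path = normalize_path(raw_path)
        hit = match_operation(method.upper(), path, documented)
        if hit:
            seen.add(hit)
        else:
            shadow.add((method.upper(), generalize_path(path)))
    return {
        "documented": documented,
        "exercised": seen,                 # documented operations actually observed
        "unexercised": documented - seen,  # declared in the spec but never seen in traffic
        "shadow": shadow,                  # observed but absent from the spec
    }


def build_inventory(spec: dict, request_lines: List[str]) -> Set[Operation]:
    """The full operation set a catalog entry would hold: documented plus shadow."""
    result = classify_traffic(spec, request_lines)
    return result["documented"] | result["shadow"]


def newly_discovered(current: Set[Operation], previous: Set[Operation]) -> Set[Operation]:
    """Operations present in the current inventory that the previous snapshot lacked."""
    return current - previous


if __name__ == "__main__":
    result = classify_traffic(SPEC, OBSERVED_TRAFFIC)
    for bucket in ("exercised", "unexercised", "shadow"):
        print(bucket)
        for method, path in sorted(result[bucket]):
            print(f"  {method} {path}")
    print("newly discovered since previous snapshot")
    inventory = build_inventory(SPEC, OBSERVED_TRAFFIC)
    for method, path in sorted(newly_discovered(inventory, PREVIOUS_SNAPSHOT)):
        print(f"  {method} {path}")
```

Two points matter in practice. A shadow operation is a shadow at the method level, not only the path level: `PUT /api/products/123` hits a documented path but an undocumented method, and is reported separately. And the `unexercised` bucket is the other direction of the same gap: operations the specification promises but no traffic ever reaches, which the scanner can only cover if the specification is linked to the target, since there is no traffic from which to learn them.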
Quick actions
From the API details drawer, you can:
- Run a scan: Initiate a vulnerability scan directly from the drawer
- Edit details: Modify API information, tags, or comments
- Export: Generate a report for the API or export its data to a file directly from the drawer
This comprehensive view allows you to assess an API's security status without navigating to multiple pages or diving into detailed scan results.
Need help?
The Support team is ready to provide you with technical help. Go to Help Center