
Azure API management

This feature is available with Invicti API Security Standalone or Bundle.

Integrating Azure API Management with Invicti Platform allows you to fetch Swagger2 and OpenAPI3 specification files from Azure API Management and provide them as inputs to DAST scanners. The imported specification files are used to build an inventory of API endpoints that can be scanned for vulnerabilities.

Prerequisites

To integrate Azure API Management with Invicti Platform, you need a Microsoft Azure account with the right to set up credentials/permissions.

Before setting up the Azure API Management integration in Invicti, you need to register Invicti as an app in Microsoft Azure and add permissions and secrets. Follow the steps below in each section to prepare your Azure app for integration with Invicti.

Tip: Only Swagger2 and OpenAPI3 specification files are imported.

Step 1: Register your Invicti app in Azure API management

  1. In Microsoft Azure, select App registrations.
  2. Select New registration.
  3. Enter a name for the app and, in the Supported account types section, set who can see this app or access this API.
  4. Select Register to complete the registration.

You have now registered your app. The next step is to add it as a member and assign a role.

Step 2: Add your app as a member and assign a role

  1. After app registration is completed, go to the home page and select API Management services.
  2. Select one item from the list of API Management services.
  3. In the new window, select Access control (IAM).
  4. Select the Role assignments tab.
  5. Use the Add button to add a new role assignment.
  6. In the Members tab, click Select members.
  7. Search for the app you created earlier, click it to select it, then click Select at the bottom of the page.
  8. On the Role tab, use the search field to search for API Management Service Reader Role (Read-only access to service and APIs).
  9. Select the Job function role API Management Service Reader Role (Read-only access to service and APIs), and click Review + assign.
  10. On the Review + assign tab, click the Review + assign button.

The app has been added to your API Management Service. Continue with the steps in the next section to set permissions.

Step 3: Add permissions

  1. Return to the home page and select App registrations. Click the All apps tab, then select the app you created earlier.
  2. Select Manage > API permissions from the left-side menu.
  3. Click Add a permission and select Azure Service Management.
  4. Under Permissions, select the user_impersonation checkbox, then click Add permissions.

After adding the permissions, you need to create a secret for the app to prove its identity. Continue with the steps listed in the following section.

Step 4: Add a client secret

  1. Staying within the same app you created earlier (App registrations > All apps > click your app), select Manage > Certificates & secrets from the left-side menu.
  2. Select New client secret.
  3. Enter a description and expiry date, then click Add.
  4. Use the copy buttons to copy both the Value and the Secret ID of the client secret. Paste them somewhere you can retrieve them later, because you need them in step 5 when configuring the import source in Invicti. Copy this information now: the secret value can only be viewed at this step.

Tip: The App (client) ID and Directory (tenant) ID can later be found under App registrations > All apps tab > select your app > Overview.

You now have the necessary information to set up the API integration in Invicti. Continue with the instructions in the next section.
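Before entering the credentials in Invicti, it is worth confirming from your own machine that the app registration, client secret and reader role from Steps 1 to 4 actually work. The script below is an added example (not Invicti's or Microsoft's code): it requests a token with the OAuth 2.0 client-credentials flow for Azure Resource Manager and lists the APIs of one API Management service, which is exactly what the reader role permits. The subscription, resource group and service names are assumptions supplied through environment variables; only the Python standard library is used.

```python
"""Check an Azure app registration against an API Management service.
Added example, not part of the Invicti documentation or product.
Assumed environment variables: AZ_TENANT, AZ_CLIENT_ID, AZ_CLIENT_SECRET,
AZ_SUB (subscription id), AZ_RG (resource group), AZ_APIM (service name)."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ARM = "https://management.azure.com"
API_VERSION = "2022-08-01"

# Constructed sample of an ARM "apis" response, used for the offline demo.
SAMPLE_APIS = {"value": [
    {"name": "petstore", "properties": {"serviceUrl": "https://petstore.example/v2"}},
    {"name": "orders", "properties": {"serviceUrl": "https://orders.example/api"}},
]}


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials token request (URL and form body)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": ARM + "/.default",       # token audience: Azure Resource Manager
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body


def list_apis_url(subscription, resource_group, service):
    """ARM endpoint that enumerates the APIs of one API Management service."""
    return (f"{ARM}/subscriptions/{subscription}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.ApiManagement/service/{service}/apis"
            f"?api-version={API_VERSION}")


def parse_api_list(payload):
    """Return (api name, backend service URL) pairs from an ARM 'apis' response."""
    return [(a["name"], a["properties"].get("serviceUrl", ""))
            for a in payload.get("value", [])]


def fetch_json(url, data=None, token=None):
    """Perform one HTTPS request (network call); 403 means the role from Step 2 is missing."""
    req = urllib.request.Request(url, data=data)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        raise SystemExit(f"{err.code} from {url}: check the role assignment and secret") from err


if __name__ == "__main__":
    env = {k: os.environ[k] for k in
           ("AZ_TENANT", "AZ_CLIENT_ID", "AZ_CLIENT_SECRET", "AZ_SUB", "AZ_RG", "AZ_APIM")}
    url, body = token_request(env["AZ_TENANT"], env["AZ_CLIENT_ID"], env["AZ_CLIENT_SECRET"])
    token = fetch_json(url, body)["access_token"]
    apis = fetch_json(list_apis_url(env["AZ_SUB"], env["AZ_RG"], env["AZ_APIM"]), token=token)
    for name, backend in parse_api_list(apis):
        print(name, backend)
```

If the token request succeeds but the API listing returns 403, the secret is fine and the role assignment from Step 2 is what needs fixing.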

Step 5: Configure the API import source in Invicti Platform

  1. Select Discovery > Configuration from the left-side menu.
  2. Further down, select API sources.
  3. Click Add source.
  4. Leave the Import type as External platform.
  5. Enter a name for the source configuration. This helps you identify it later in your list of API sources.
  6. Enter the Client Id, Client Secret, and Tenant Id. The Client Id and Tenant Id are shown in Azure under App registrations > Overview; the Client Secret is the Value you copied in step 4.
  7. Click Authenticate and Save.

Your Azure API Management integration is now displayed on the APIs > Sources page.

Step 6: Synchronize the API import

  1. On the APIs > Sources page in Invicti, click the sync icon to start importing your API specification files from Azure API Management into your Invicti API Inventory.
  2. When the sync is complete, your API specification files are displayed on the API Inventory page in Invicti. From this page, you can link your API specification files to targets so they can be scanned for vulnerabilities. For more information, refer to Link and unlink discovered APIs to targets.

Azure is now integrated with Invicti Platform. After the initial synchronization, the integration automatically syncs your API specifications once every 24 hours.

Tip: To synchronize API specifications on demand, click the sync icon on the Discovery > Configuration > API sources page. To turn off automatic synchronization, click the toggle in the Sync Automatically column.
