Kong Konnect

This document is for Invicti Platform

This feature is available with Invicti API Security Standalone or Bundle.

Integrating Kong Konnect with Invicti Platform allows you to fetch Swagger2 and OpenAPI3 specification files from Kong Konnect and provide them as inputs to DAST scanners. The imported specification files are used to build an inventory of API endpoints that can be scanned for vulnerabilities.

This document explains how to set up an integration between Kong Konnect and Invicti Platform.

Prerequisite

  • A Kong Konnect account that contains your API specification files published through the API Products Dashboard.

Before configuring the integration in Invicti, you need to generate a personal access token in Kong Konnect. This token authorizes the retrieval of your API specification files. Complete the steps in all of the sections below to integrate Invicti Platform with Kong Konnect.

Tip: Only Swagger2 and OpenAPI3 specification files are imported.
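
The check below is an added example, not Invicti or Kong code: it classifies a JSON specification file by its top-level version field and lists the endpoints it declares, so you can see before syncing which files fall under the Swagger2/OpenAPI3 rule and what they would add to the endpoint inventory. The function names, the sample documents and the JSON-only parsing are assumptions, and Invicti's own import logic may apply different rules.

```python
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def spec_format(spec):
    """Return 'swagger2', 'openapi3', or None for a parsed specification."""
    if not isinstance(spec, dict):
        return None
    if str(spec.get("swagger", "")).strip() == "2.0":
        return "swagger2"
    if str(spec.get("openapi", "")).startswith("3."):
        return "openapi3"
    return None

def endpoint_inventory(spec):
    """List (METHOD, path) pairs declared under 'paths', sorted for stable output."""
    paths = spec.get("paths")
    if not isinstance(paths, dict):
        return []
    # Path items also hold non-operation keys such as 'parameters'; skip those.
    return sorted(
        (method.upper(), path)
        for path, item in paths.items() if isinstance(item, dict)
        for method in item if method.lower() in HTTP_METHODS
    )

def precheck(raw_text):
    """Classify one JSON specification and report the endpoints it declares."""
    try:
        spec = json.loads(raw_text)
    except json.JSONDecodeError:
        return {"format": None, "endpoints": [], "reason": "not valid JSON"}
    fmt = spec_format(spec)
    if fmt is None:
        return {"format": None, "endpoints": [],
                "reason": "no swagger 2.0 / openapi 3.x version field"}
    return {"format": fmt, "endpoints": endpoint_inventory(spec), "reason": ""}

# Constructed sample documents (not taken from any real Kong Konnect account).
SAMPLES = {
    "orders-v3.json": '{"openapi": "3.0.3", "info": {"title": "Orders", "version": "1"},'
                      ' "paths": {"/orders": {"get": {}, "post": {}, "parameters": []},'
                      ' "/orders/{id}": {"delete": {}}}}',
    "legacy-v2.json": '{"swagger": "2.0", "info": {"title": "Legacy", "version": "1"},'
                      ' "paths": {"/ping": {"get": {}}}}',
    "events.json": '{"asyncapi": "2.6.0", "channels": {}}',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, precheck(text))
```
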

Step 1: Generate a personal access token

  1. In Kong Konnect, click the profile icon in the top-right corner, then select Personal access tokens.
  2. Click + Generate Token.
  3. Enter a Name for the token and set an Expiration period, then click Generate.
  4. Click Copy.

You now have the necessary information to configure the integration in Invicti. Continue with the steps in the next section below.

Step 2: Configure Invicti

  1. Select Discovery > Configuration from the left-side menu.
  2. Scroll down and select API sources.
  3. Click Add source.
  4. Leave the Import type as External platform.
  5. Enter a name for the source configuration. This helps you identify it later in your list of API sources.
  6. Select Kong Konnect as the Source type.
  7. Select the Region that corresponds with the region used for your Kong Konnect account. (This is visible in the bottom-left corner of the Kong Konnect user interface after selecting API Products.)
  8. Paste your Personal Access Token into the corresponding field.
  9. Click Authenticate and Save.

An Authorization successful message displays and the integration appears on the Discovery > Configuration > API sources page in Invicti. Continue with the final step below to synchronize the API import.

Step 3: Synchronize the API import

  1. On the APIs > Sources page in Invicti, click the sync icon to start importing your API specification files from Kong Konnect into your Invicti API Inventory.
  2. When the sync is complete, your API specification files are displayed on the API Inventory page in Invicti. From this page, you can link your API specification files to targets so they can be scanned for vulnerabilities. For more information, refer to Linking and unlinking discovered APIs to targets.

Kong Konnect is now integrated with Invicti. After the initial synchronization, the integration automatically syncs your API specifications once every 24 hours.

Tip: To synchronize API specifications on demand, click the sync icon on the Discovery > Configuration > API sources page. To turn off automatic synchronization, click the toggle in the Sync Automatically column.
