Are there any APIs that can be used to invoke a dynamic scan for both Fortify and WebInspect?

This is regarding a fully automated DevOps pipeline wherein an on-the-fly environment is provisioned on the AWS cloud (EC2 instances for all app tiers), code is compiled, and binaries are deployed.

Jenkins will be triggered externally to initiate this pipeline. The basic philosophy, as part of the client requirement, is zero manual touch and everything fully automated.

We have web apps and source code on which to conduct security testing using HP Fortify and WebInspect. My query is: "do we have any APIs available to invoke a dynamic scan for both Fortify and WebInspect?"

  • Yes and no.

    Most automation options for Fortify SCA involve its CLI, sourceanalyzer.exe, but it does not offer an API.  The SSC Server does have a Swagger-based REST API, but that is not used to run scans so much as to work with the finished scans.  There are also CLI utilities for uploading scans to SSC, Failing Builds, et al.  Fortify CloudScan is an additional product we offer which supports automated scanning with SCA, but it is not an API.

    For WebInspect, there is both a CLI and a Swagger-based REST API.  Once you turn on the API service, full documentation can be found at localhost:8083/.../api, unless you configure it differently.  The interface also permits you to design and send API requests directly, without requiring secondary tools.  Most of the activities in the WebInspect API offer the ability to manage a Web Proxy listener (spawn, record Workflow Macro, save), run scans (Default Settings, saved setting file, discrete setting overrides), or interact with WebInspect Enterprise.

    Different from WebInspect desktop, WebInspect Enterprise also offers a Swagger-based REST API.  It does not offer quite as high a degree of scan setting fine-tuning as the desktop application's API.  However, saved settings from WebInspect desktop (or defined using its API) can be uploaded to WIE and then used as Scan Templates to run scans via this WIE API.
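Driving the WebInspect API from a Jenkins stage the way the answer describes (start a scan from a saved settings file with a start-URL override, then poll it until it finishes), as an added example that is not from the original thread or from the product's own documentation. The port, endpoint paths, JSON field names and status strings are assumptions and must be checked against the Swagger page the API service publishes.

```python
import json
import sys
import time
import urllib.request

# Assumptions: the API service listens on its default port, and the endpoint
# paths, JSON field names and status strings used below are taken to match the
# Swagger page the service publishes; verify them there before use.
BASE_URL = "http://localhost:8083/webinspect"


def http_json(method, url, body=None):
    """Minimal JSON-over-HTTP transport using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())

def start_scan(start_url, settings_name="Default", scan_name="pipeline-dast",
               transport=http_json):
    """Run a scan from a saved settings file, overriding only the start URL so
    one settings file serves every freshly provisioned environment."""
    body = {"settingsName": settings_name,
            "overrides": {"scanName": scan_name, "startUrls": [start_url]}}
    return transport("POST", f"{BASE_URL}/scanner/scans", body)["ScanId"]

def wait_for_scan(scan_id, transport=http_json, poll_seconds=30,
                  max_polls=240, sleep=time.sleep):
    """Poll until the scan leaves the running state. The poll count is bounded
    so an unattended pipeline cannot hang forever on a stuck scanner."""
    for _ in range(max_polls):
        status = transport("GET", f"{BASE_URL}/scanner/scans/{scan_id}")["Status"]
        if status != "Running":
            return status
        sleep(poll_seconds)
    raise TimeoutError(f"scan {scan_id} still running after {max_polls} polls")

def pipeline_scan(start_url, transport=http_json, poll_seconds=30, sleep=time.sleep):
    """Jenkins-facing entry point: reports the final status and a pass/fail flag."""
    scan_id = start_scan(start_url, transport=transport)
    status = wait_for_scan(scan_id, transport=transport,
                           poll_seconds=poll_seconds, sleep=sleep)
    return {"scan_id": scan_id, "status": status, "ok": status == "Complete"}

if __name__ == "__main__":
    result = pipeline_scan(sys.argv[1])  # start URL of the provisioned app tier
    print(json.dumps(result))
    sys.exit(0 if result["ok"] else 1)  # non-zero exit fails the Jenkins stage
```

The script takes the start URL of the just-provisioned environment as its only argument, so the Jenkins job passes in whatever address the EC2 provisioning step produced and fails the stage on a non-zero exit.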