Cadet 3rd Class

Are there any APIs that can be used to invoke a dynamic scan for both Fortify and WebInspect?

This is regarding a fully automated DevOps pipeline wherein an on-the-fly environment is provisioned on the AWS cloud (EC2 instances for all app tiers), code is compiled, and binaries are deployed.

Jenkins will be triggered externally to initiate this pipeline. Basic philosophy as a part of client requirement is zero manual touch and everything fully automated.

We have web apps and source code to conduct security testing by using HP Fortify and WebInspect. My query is "do we have any APIs available to invoke a dynamic scan for both Fortify and WebInspect".

Micro Focus Expert

Yes and no.

Most automation options for Fortify SCA involve its CLI, sourceanalyzer.exe, but it does not offer an API. The SSC Server does have a Swagger-based REST API, but that is not used to run scans so much as to work with the finished scans. There are also CLI utilities for uploading scans to SSC, Failing Builds, et al. Fortify CloudScan is an additional product we offer which supports automated scanning with SCA, but it is not an API.

For WebInspect, there is both a CLI and a Swagger-based REST API. Once you turn on the API service, full documentation can be found at http://localhost:8083/webinspect/api, unless you configure it differently. The interface also permits you to design and send API requests directly, without requiring secondary tools. Most of the activities in the WebInspect API offer the ability to manage a Web Proxy listener (spawn, record Workflow Macro, save), run scans (Default Settings, saved setting file, discrete setting overrides), or interact with WebInspect Enterprise.

Different from WebInspect desktop, WebInspect Enterprise also offers a Swagger-based REST API. It does not offer quite the high degree of scan setting fine-tuning as the desktop application's API. However, saved settings from WebInspect desktop (or defined using its API) can be uploaded to WIE and then used as Scan Templates to run scans via this WIE API.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
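An added example, not code from the original post or from the product's own documentation, of the zero-touch pipeline step the question asks about: a Python script that starts a WebInspect scan through the REST API service mentioned in the answer, polls it to a terminal state, and gates the build on the outcome. The scans path, JSON field names, status strings and the absence of authentication are assumptions to be checked against the Swagger page on your own install; the `http` parameter lets the step run against a fake transport offline.

```python
"""Pipeline step: start a WebInspect scan over its REST API, wait for it, gate the build."""
import json
import time
import urllib.request

# API service base from the answer above; 8083 is the default port it mentions.
API_BASE = "http://localhost:8083/webinspect"
# ASSUMPTION: the scans resource path, JSON field names and status strings below are
# illustrative; confirm them against the Swagger page served by your WebInspect install.
SCANS_PATH = "/scanner/scans"
TERMINAL_STATES = {"Complete", "Failed", "Interrupted"}


def http_json(method, url, body=None):
    """Stdlib-only HTTP helper returning the decoded JSON response (auth omitted: assumption)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


def build_scan_request(target_url, scan_name, settings_name="Default"):
    """Saved settings plus discrete overrides, the combination the answer describes."""
    return {"settingsName": settings_name,
            "overrides": {"scanName": scan_name, "startUrls": [target_url]}}


def start_scan(target_url, scan_name, http=http_json):
    """POST the scan request; returns the scan id the service hands back."""
    reply = http("POST", API_BASE + SCANS_PATH, build_scan_request(target_url, scan_name))
    return reply["ScanId"]


def wait_for_scan(scan_id, http=http_json, max_polls=120, poll_seconds=30, sleep=time.sleep):
    """Poll until a terminal state. A stuck scan must fail the build, never hang Jenkins."""
    for _ in range(max_polls):
        status = http("GET", f"{API_BASE}{SCANS_PATH}/{scan_id}")["ScanStatus"]
        if status in TERMINAL_STATES:
            return status
        sleep(poll_seconds)
    return "Timeout"


def gate(status, severity_counts, max_critical=0, max_high=0):
    """Zero-touch decision: True only for a completed scan within the allowed finding counts.
    severity_counts comes from whatever report export you use (a constructed dict in the test)."""
    if status != "Complete":
        return False
    return (severity_counts.get("Critical", 0) <= max_critical
            and severity_counts.get("High", 0) <= max_high)
```

Wire `start_scan`, `wait_for_scan` and `gate` into the Jenkins stage that runs after deployment, and exit non-zero when `gate` returns False so the pipeline stops without manual intervention.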