ServiceNow Integration for DAST Scans
We are trying to automate the scan process by integrating SSC & WebInspect with ServiceNow.
1) Developers raise a ticket in ServiceNow with the application information.
2) We check if the URL is live, then move to SSC
3) Add the project in the console and start the scan
4) Once the scan is completed, do the triage
5) Generate the report, mail it to the developer
We would like to automate the scan scheduling and reporting phases so that we can focus more on triaging. Please let me know which APIs I should be using and where I can find the documentation for them. If anybody has previous experience automating DAST using ServiceNow or a similar system, please let us know. It would be really helpful.
SSC comes with an extensive REST API. The API documentation can be found by clicking the help/question mark button on the top right in SSC, and then following the link to the API documentation.
The API reference lists the various endpoints that you can use for automation; however, for POST/PUT operations this reference may be insufficient to understand exactly what data to send, or in what order the various endpoints need to be called. For example, creating an application version requires multiple REST calls.
We provide some samples in the ssc-js-sandbox project that can be found at https://github.com/fortify. I have also developed my own Java API that covers a small subset of the SSC REST API; see https://github.com/rsenden/fortify-client-api-master. This API only covers a small subset of the SSC REST API, and is mostly meant for use by the various integrations that I have developed, but you may be able to re-use some of the functionality.
If you simply want to automate specific tasks in SSC, the easiest approach, though, is to perform those tasks manually through the SSC user interface and then look at the REST requests made by the user interface. For example:
- In SSC, open the 'Create Application Version' wizard
- Fill in all the relevant details on the various wizard pages
- Before clicking the 'Finish' button on the final page, open Chrome/Firefox developer tools
- Select the networking tab in the developer tools, and make sure network monitoring is started
- Click the 'Finish' button in SSC, and find the relevant REST requests in the developer tools
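The recording step above produces a set of browser requests that still have to be turned into something a ServiceNow workflow or a cron job can replay. As an added example (not code from the answer above, nor Fortify's own tooling), the script below reads a HAR file exported from the developer tools' Network tab, keeps only the calls under the SSC REST prefix, decodes their JSON bodies, and renders each as a curl command. It redacts the captured `Authorization` and cookie headers, since a HAR export contains the live session token and should never be pasted into a ticket or committed to a repo; the rendered commands read the token from an environment variable instead. The embedded HAR is constructed for illustration, and the endpoint paths and request bodies in it (`projectVersions`, `.../attributes`, `.../action`) are assumptions to be verified against your own SSC's API documentation, exactly as the answer recommends.

```python
"""Turn a browser HAR export of an SSC UI session into a replayable call list.

Usage: export the Network tab as a .har file right after clicking 'Finish',
then run:  python har_to_ssc_calls.py session.har
Without an argument the constructed sample below is used.
"""
import json
import sys
from urllib.parse import urlencode, urlparse

# Header values that must never be copied out of a HAR into scripts or tickets.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-csrf-token"}

# Constructed sample HAR (not captured from a real SSC instance). The paths and
# bodies are illustrative assumptions; check them against your SSC API docs.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://ssc.example.com/ssc/html/ssc/index.jsp",
                 "headers": [], "queryString": []},
     "response": {"status": 200}},
    {"request": {"method": "GET",
                 "url": "https://ssc.example.com/ssc/api/v1/projectVersions?limit=10&q=project.name:%22Portal%22",
                 "headers": [{"name": "Authorization", "value": "FortifyToken abc123"}],
                 "queryString": [{"name": "limit", "value": "10"},
                                 {"name": "q", "value": 'project.name:"Portal"'}]},
     "response": {"status": 200}},
    {"request": {"method": "POST", "url": "https://ssc.example.com/ssc/api/v1/projectVersions",
                 "headers": [{"name": "Authorization", "value": "FortifyToken abc123"},
                             {"name": "Content-Type", "value": "application/json"}],
                 "queryString": [],
                 "postData": {"mimeType": "application/json",
                              "text": '{"name":"1.0","project":{"name":"Portal"}}'}},
     "response": {"status": 201}},
    {"request": {"method": "PUT", "url": "https://ssc.example.com/ssc/api/v1/projectVersions/42/attributes",
                 "headers": [{"name": "Cookie", "value": "JSESSIONID=deadbeef"}],
                 "queryString": [],
                 "postData": {"mimeType": "application/json",
                              "text": '[{"attributeDefinitionId":5,"values":[{"guid":"Internal"}]}]'}},
     "response": {"status": 200}},
    {"request": {"method": "POST", "url": "https://ssc.example.com/ssc/api/v1/projectVersions/42/action",
                 "headers": [{"name": "Authorization", "value": "FortifyToken abc123"}],
                 "queryString": [],
                 "postData": {"mimeType": "application/json", "text": '{"type":"COMMIT"}'}},
     "response": {"status": 200}},
]}}


def redact_headers(headers):
    """Map HAR header entries to a dict, blanking anything that carries a secret."""
    return {h["name"]: ("<redacted>" if h["name"].lower() in SENSITIVE_HEADERS else h["value"])
            for h in headers}


def extract_api_calls(har, api_prefix="/api/v1/"):
    """Return the REST calls under api_prefix, in the order the UI issued them."""
    calls = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        path = urlparse(req["url"]).path
        if api_prefix not in path:
            continue  # static pages, images, etc. are not part of the API flow
        body = None
        post = req.get("postData")
        if post and post.get("text"):
            try:
                body = json.loads(post["text"])
            except ValueError:
                body = post["text"]  # keep non-JSON bodies verbatim
        calls.append({
            "method": req["method"],
            "path": path,
            "query": {q["name"]: q["value"] for q in req.get("queryString", [])},
            "headers": redact_headers(req.get("headers", [])),
            "body": body,
            "status": entry["response"]["status"],
        })
    return calls


def to_curl(call, token_env="SSC_TOKEN", base_env="SSC_URL"):
    """Render one recorded call as a curl command that takes the token and base
    URL from the environment rather than the values captured in the HAR."""
    url = call["path"] + ("?" + urlencode(call["query"]) if call["query"] else "")
    parts = ["curl", "-sS", "-X", call["method"],
             "-H", '"Authorization: FortifyToken $%s"' % token_env]
    if call["body"] is not None:
        parts += ["-H", '"Content-Type: application/json"',
                  "-d", "'" + json.dumps(call["body"]) + "'"]
    parts.append('"$%s%s"' % (base_env, url))
    return " ".join(parts)


if __name__ == "__main__":
    har = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    for call in extract_api_calls(har):
        print("# expected status %d" % call["status"])
        print(to_curl(call))
```

The order of the extracted calls is the order the wizard used, which is the part the API reference does not tell you; the recorded status codes let the automation check each step before issuing the next one. Set `SSC_URL` to the scheme and host only (the captured path already starts with `/ssc/...`).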
For the DAST portion, there are different options outside of SSC Server. For Fortify DAST, SSC is largely used as a results repository and management system and not for directing the scans themselves. This may change in the future, but is not currently an option in SSC.
I posted a lot of options and details over at this other forum post: https://community.microfocus.com/t5/Fortify-User-Discussions/How-to-initiate-WebInspect-scan-from-fortify-SSC/td-p/2762946
-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify