I am glad that Qualys supports the scanning of REST APIs through a simplified Swagger file. However, although the instructions look simple from the announcement, "Simply configure the URL of the web application in WAS to be the Swagger file, configure authentication (if required), and launch a vulnerability scan", I cannot figure out how to configure the URL with the Swagger file. I looked at the version from the portal; it is version 6.0.0, which is the right version with this capability from the recent announcement. Please help on this. Thanks
Hi Eric,
The web application URL in WAS needs to point to the Swagger file. When the scan starts, it will recognize that a Swagger file is at that URL and the scanner will begin to parse the file. The Swagger file can be hosted on the same server where the APIs are running or it can be hosted somewhere else. The important thing is that both the Swagger file and the API endpoints should be included in the crawl scope of the scan.
-Dave
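Dave's answer hinges on one pre-scan condition: both the Swagger file URL and every API endpoint it describes must fall inside the crawl scope, and the file may live on a different host than the APIs. The script below is an added example for this thread (not Qualys code and not the WAS scope format); it parses a Swagger 2.0 or OpenAPI 3 document, expands the endpoint URLs from `host`/`basePath` or `servers`, and reports anything outside a crawl scope expressed as a list of URL prefixes. The sample documents, hostnames and scope lists are constructed for the example.

```python
"""Pre-scan check: do a Swagger/OpenAPI file and its endpoints fit the crawl scope?

Added example for this forum thread, not Qualys code. The crawl scope is
modelled as a list of URL prefixes (an assumption for the example).
"""
import json
from urllib.parse import urljoin, urlparse

# Constructed Swagger 2.0 document, hosted on a docs server separate from the API.
SWAGGER_URL = "https://docs.example.com/api/swagger.json"
SWAGGER_DOC = json.dumps({
    "swagger": "2.0",
    "host": "api.example.com",
    "basePath": "/v1",
    "schemes": ["https"],
    "paths": {
        "/users": {"get": {}, "post": {}},
        "/users/{id}": {"get": {}},
    },
})

# Constructed OpenAPI 3 equivalent of the same API.
OPENAPI_DOC = json.dumps({
    "openapi": "3.0.0",
    "servers": [{"url": "https://api.example.com/v1"}],
    "paths": {
        "/users": {"get": {}, "post": {}},
        "/users/{id}": {"get": {}},
    },
})


def endpoint_urls(doc_text: str, doc_url: str) -> list[str]:
    """Expand every path in the document into an absolute endpoint URL."""
    doc = json.loads(doc_text)
    paths = doc.get("paths", {})
    if "swagger" in doc:
        # Swagger 2.0: host/basePath/schemes default to the file's own location.
        parsed = urlparse(doc_url)
        host = doc.get("host", parsed.netloc)
        scheme = (doc.get("schemes") or [parsed.scheme])[0]
        base = doc.get("basePath", "/").rstrip("/")
        bases = [f"{scheme}://{host}{base}"]
    else:
        # OpenAPI 3: servers may be relative, so resolve them against the file URL.
        servers = doc.get("servers") or [{"url": "/"}]
        bases = [urljoin(doc_url, s["url"]).rstrip("/") for s in servers]
    return sorted(f"{b}{p}" for b in bases for p in paths)


def in_scope(url: str, scope: list[str]) -> bool:
    """A URL is in scope when it starts with one of the scope prefixes."""
    return any(url.startswith(prefix) for prefix in scope)


def scope_report(doc_text: str, doc_url: str, scope: list[str]) -> dict:
    """Report whether the Swagger file and all its endpoints are crawlable."""
    urls = endpoint_urls(doc_text, doc_url)
    out_of_scope = [u for u in urls if not in_scope(u, scope)]
    file_ok = in_scope(doc_url, scope)
    return {
        "swagger_in_scope": file_ok,
        "endpoints": urls,
        "out_of_scope": out_of_scope,
        "ok": file_ok and not out_of_scope,
    }


if __name__ == "__main__":
    # Scope covering only the API host: the Swagger file itself is unreachable.
    print(scope_report(SWAGGER_DOC, SWAGGER_URL, ["https://api.example.com/"]))
    # Scope covering both hosts: the configuration Dave describes.
    print(scope_report(SWAGGER_DOC, SWAGGER_URL,
                       ["https://api.example.com/", "https://docs.example.com/api/"]))
```

The first report flags the Swagger file as out of scope even though every endpoint is covered, which is the case the answer warns about when the file is hosted elsewhere; the second passes only once both prefixes are present.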