Configuring API Content and Filters

When configuring API scans, you can use the Content and Filters page to configure the preferred content type, as well as operations and parameter names and types to include or exclude during the scan.

Specifying the Preferred Content Type

The preferred content type setting specifies the preferred content type of the request payload. If the preferred content type is in the list of supported content types for an operation, then the generated request payload will be of that type. Otherwise, the first content type listed in an operation will be used. By default, the preferred content type is application/json.

To change the preferred type:

Defining Specific Operations to Include

The Include feature defines an allow list of operation IDs that should be included in the output.

To define a specific operation to include:

  1. Select Specific Operations.

  2. Select Include.

  3. Click the add icon.

  4. In the Operation to add box, type the operation ID.

  5. Click the check icon.

    The operation ID is added to the allow list.

Defining Specific Operations to Exclude

The Exclude feature defines a deny list of operation IDs that should be excluded from the output.

To define a specific operation to exclude:

  1. Select Specific Operations.

  2. Select Exclude.

  3. Click the add icon.

  4. In the Operation to add box, type the operation ID.

  5. Click the check icon.

    The operation ID is added to the deny list.

Editing Specific Operations

To edit a specific operation in the allow or deny list:

  1. Do one of the following:

    • To edit an operation in the allow list, select Include.

    • To edit an operation in the deny list, select Exclude.

  2. Click the edit icon for the operation ID you want to edit.

Removing Specific Operations

To remove a specific operation from the allow or deny list:

  1. Do one of the following:

    • To remove an operation from the allow list, select Include.

    • To remove an operation from the deny list, select Exclude.

  2. Click the delete icon for the operation ID you want to remove.

Defining Parameter Rules

Parameter rules define a default value to use for a parameter when the parameter name and type are encountered. You can also specify operations to determine whether a specific parameter rule should or should not apply to those operations.

Important! If you configure a parameter rule and then change the API definition type to one for which that parameter rule type is invalid, the invalid parameter rule type is changed to Any. The invalid parameter rule is highlighted in the Parameter Rules list, and a warning message is displayed below the list.

To add a parameter rule:

  1. Select Parameter Rules.

  2. Click Add.

    The PARAMETER RULE dialog box appears.

  3. In the Parameter Rule Name box, type a name for the rule.

  4. In the Parameter Rule Type list, select a type. Available options depend on the API type and may include the following:

    • Any

    • Boolean

    • Date

    • File

    • Guid

    • Number

    • String

    For more information on the Parameter Rule Types and their equivalents based on API type, see Understanding Parameter Type Matches.

  5. Continue according to the following table:

    For this Rule Type...   Do this...

    Any       In the Value box, type any value.

    Boolean   In the Boolean Value list, select true or false.

    Date      To enter any string value as the date:

              • Type the string in the Date box.

                Note: You may enter a duration, time span, formatted date, or formatted time in the Date box.

              To select a date/time format and use a calendar and clock to generate a formatted string:

              1. Click GENERATE DATE.

                 The GENERATE DATE STRING dialog box opens.

              2. From the Date Type list, select a format. Options are Date and time, Date, and Time.

              3. In the Date box, enter a date using the preferred format defined in your Fortify Software Security Center.

                 Tip: To select a date from the calendar, click the calendar icon.

              4. In the Time box, enter a time using the preferred format defined in your Fortify Software Security Center.

                 Tip: To select a time from the clock, click the clock icon.

              5. Click OK.

    File      1. Click IMPORT and browse to locate the file to add to the scan settings.

              2. Click Open.

    Guid      In the Value box, enter a GUID.

    Number    In the Number Value box, enter a numerical value.

    String    In the Value box, type any value.

  6. For OpenAPI scans, in the Parameter Rule Location list, select a location where the parameter is found in the request. Options are:

    • Any

    • Body

    • Header

    • Path

    • Query

  7. Optionally, select Inject Parameter to include the defined parameter in the request.

    Important! The Inject Parameter option does not work with schema-based APIs, such as SOAP, gRPC, and Postman. Those API types do not accept forced parameters. For GraphQL, Inject Parameter only works with the query operation if the property is in the query schema.

  8. Optionally, to specify operations to which this parameter rule should or should not apply, select Specific Operations and perform steps 2-5 of Defining Specific Operations to Include or Defining Specific Operations to Exclude.

  9. Click OK.

    The rule is added to the Parameter Rules list.
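The following is an added example, not Fortify's code, that models the three selection rules this page describes (the preferred content type fallback, the Include and Exclude operation lists, and parameter rules matched on name, type, location and operation scope) over a constructed operation list, so you can check what a given configuration would produce before running a scan. It assumes that a rule's name is the parameter name it matches and that Any matches every type or location; the operation IDs, parameter names and GUID value are constructed.

```python
# Constructed sample (not a real API): each operation lists the request content
# types it supports, in definition order, plus its request parameters.
OPERATIONS = [
    {"id": "createUser", "content": ["application/xml", "application/json"],
     "params": [{"name": "tenantId", "in": "header", "type": "guid"},
                {"name": "asOf", "in": "query", "type": "date"}]},
    {"id": "uploadAvatar", "content": ["multipart/form-data"],
     "params": [{"name": "tenantId", "in": "query", "type": "guid"}]},
    {"id": "deleteUser", "content": [],
     "params": [{"name": "userId", "in": "path", "type": "string"}]},
]
# Constructed rules. Assumption: a rule's name is the parameter name it matches;
# "any" type/location matches everything; op_mode/op_ids is the optional
# Specific Operations scope (include = allow list, exclude = deny list).
RULES = [
    {"name": "tenantId", "type": "guid", "location": "header",
     "value": "00000000-0000-0000-0000-000000000001"},
    {"name": "asOf", "type": "date", "location": "any", "value": "2024-01-01",
     "op_mode": "exclude", "op_ids": {"createUser"}},
]

def select_content_type(op: dict, preferred: str = "application/json"):
    """Preferred type if the operation supports it, otherwise its first listed type."""
    if preferred in op["content"]:
        return preferred
    return op["content"][0] if op["content"] else None  # operation has no request body

def operation_selected(op_id: str, mode, ids) -> bool:
    """Include keeps only listed IDs; Exclude drops them; None means no filter."""
    if mode is None:
        return True
    return (op_id in ids) == (mode == "include")

def apply_parameter_rules(op: dict, rules: list) -> dict:
    """Default value from the first rule matching name, type, location and operation scope."""
    defaults = {}
    for p in op["params"]:
        for r in rules:
            if (r["name"] == p["name"] and r["type"] in ("any", p["type"])
                    and r.get("location", "any") in ("any", p["in"])
                    and operation_selected(op["id"], r.get("op_mode"), r.get("op_ids", ()))):
                defaults[p["name"]] = r["value"]
                break  # rules are applied first match wins
    return defaults

def plan_scan(ops, rules, mode=None, ids=(), preferred="application/json"):
    """Per surviving operation: the chosen content type and the parameter defaults."""
    return {op["id"]: {"content_type": select_content_type(op, preferred),
                       "defaults": apply_parameter_rules(op, rules)}
            for op in ops if operation_selected(op["id"], mode, ids)}
```

Note that the header-scoped tenantId rule does not fire for uploadAvatar, whose tenantId is a query parameter, and the asOf rule is skipped for createUser because that operation is in the rule's deny list.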

Editing a Parameter Rule

To edit a rule in the Parameter Rules list:

Removing a Parameter Rule

To remove a rule from the Parameter Rules list: