Scanning API Endpoints

To scan API endpoints using a predefined schema, follow these steps:

  1. In the Attack surface discovery section, select Via API schema (for API endpoints) to use either an OpenAPI (Swagger) specification or a Postman collection in *.yml, *.yaml or *.json format.

Bright supports the following API schema versions: Swagger 2+, OpenAPI 3+ and Postman 2+. To ensure the API is scanned properly, the schema must conform both to the general specification and to Bright's own requirements. Find more information about configuration validation here.

  2. Select a schema file for the scan. You can either upload the file from disk or use a file previously uploaded to Bright storage. You can also import a schema from the cloud by specifying its relative URL.

Once you upload the schema file, you can open it in the Schema Editor (Linter). Use this option to validate and edit the uploaded schema before running a scan. Some schema files contain configuration errors that block scanning. To learn how to identify files with configuration errors, see Configuring an API Schema.

Some hosts specified in the uploaded schema may be unreachable from the cloud, or not authorized for direct scanning from it. In this case, you may need to connect the local Repeater for the scan, or change the hosts in the schema using the Schema Editor.
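As an added illustration (not code from the Bright documentation), the Python below runs the pre-upload checks the two paragraphs above call for on a parsed schema: whether its version is one Bright supports, which base URLs the scanner would be sent to, and which of those point at loopback or private hosts that a cloud scanner cannot reach without the Repeater. The sample documents are constructed, and the `needs_repeater` heuristic and the minimum-version table are assumptions drawn from this page, not Bright's own validation rules.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample documents (not from the Bright docs), one per supported schema type.
SWAGGER2 = {"swagger": "2.0", "host": "10.0.0.5:8080", "schemes": ["http"]}
OPENAPI3 = {"openapi": "3.0.3", "servers": [{"url": "https://api.example.com/v2"},
                                           {"url": "http://localhost:3000"}]}
POSTMAN2 = {"info": {"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
            "item": [{"request": {"url": {"raw": "https://api.example.com/users"}}},
                     {"item": [{"request": {"url": "http://192.168.1.20/health"}}]}]}

# Assumed minimum major versions, taken from the page: Swagger 2+, OpenAPI 3+, Postman 2+.
SUPPORTED = {"swagger": 2, "openapi": 3, "postman": 2}

def schema_kind(doc):
    """Return (kind, major version) for a parsed Swagger, OpenAPI or Postman document."""
    if "swagger" in doc:
        return "swagger", int(str(doc["swagger"]).split(".")[0])
    if "openapi" in doc:
        return "openapi", int(str(doc["openapi"]).split(".")[0])
    m = re.search(r"/collection/v(\d+)", doc.get("info", {}).get("schema", ""))
    if m:
        return "postman", int(m.group(1))
    raise ValueError("unrecognised schema document")

def is_supported(doc):
    kind, major = schema_kind(doc)
    return major >= SUPPORTED[kind]

def _postman_urls(items):
    for item in items:
        if "item" in item:  # folders nest further items, so walk them recursively
            yield from _postman_urls(item["item"])
        url = item.get("request", {}).get("url")
        if isinstance(url, dict):  # Postman stores either a bare string or an object with "raw"
            url = url.get("raw")
        if url:
            yield url

def target_urls(doc):
    """Base URLs the scanner would try to reach, derived per schema type."""
    kind, _ = schema_kind(doc)
    if kind == "swagger":
        return [f"{s}://{doc['host']}" for s in doc.get("schemes", ["https"])]
    if kind == "openapi":
        return [s["url"] for s in doc.get("servers", [])]
    return list(_postman_urls(doc.get("item", [])))

def needs_repeater(url):
    """True when the host is loopback/private, i.e. not reachable from a cloud scanner (heuristic)."""
    host = urlparse(url).hostname or ""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:  # not an IP literal: treat localhost and bare single-label names as local
        return host == "localhost" or "." not in host
```

Any URL flagged by `needs_repeater` is a candidate for either connecting the Repeater or rewriting the host in the Schema Editor before the scan starts.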

When using a pre-uploaded file, make sure the user has access to the project and the appropriate permissions to work with it. For more, see Managing Organization Users.