Skip to main content

Running a Scan


Initiating a scan is possible only within an existing project.

There are four options to scan a source file:

  • Scan a source file from a repository URL.

  • Scan a source file from a zipped file.

  • Scan an existing project (repository URL/zipped file).

  • Scan a standalone Swagger file to validate that the API documentation is complete and up-to-date.


The Scan API Documentation option is only available after first navigating to the Application and Projects page, clicking on the + New dropdown tab, and selecting New Project- Manual Scan.


To run a scan:

  1. On the Application and Projects page select the Projects tab (default).

  2. In the row of the project that you would like to scan, click Scans.png Scan.


    The New Scan window opens. By default, under Project Name, the project of the row in which you clicked Scans.png Scan is selected.



    If you would like to scan a different project, it is possible to select a different project from the drop-down menu.

  3. In the Source to Scan section, there are 2 scan options:

    1. Scan from a zipped file:

      • With the File option selected (default), click the Select File link.

      • Select the requested zip archive file.

    2. Scan a Repository URL:

      • Click the Repository button.

      • Enter the Repository URL.

      • Click the Fetch Branches button.

    3. Type your Personal Access Token and click Login

      For example:

    4. In case the Token is incorrect, an error will be presented while trying to connect.

      For example:

  4. Under Scan Tags, add a tag to the new scan (optional).

    Tags can be added in two different formats:

    Label: <string>

    key:value: <key string:value string>

  5. Select Completed.png Incremental Scan, if you want to only scan the latest changes and not the entire project. For additional information on Incremental scans, refer to Incremental Scans (SAST Scanner).

  6. Click Next. The New Scan dialog appears and you are asked to select the scanners.

  7. Select one or more scanners.

    If you select API Security, SAST is selected as well because API Security uses the SAST code to detect APIs.

    To scan both code and documentation, check the Scan API Documentation option and upload a Swagger file in ZIP format.

    If you are scanning API documentation only, you can exclude SAST queries from the scan. To do this, select SAST and API Security in the Select Scanners section, check the Scan API Documentation option, upload a Swagger file in ZIP format, and then deselect SAST in the Select Scanners section.

  8. Click Scan. The New Scan dialog box closes and the scan starts.

  9. You can monitor the scan's status in the Projects tab.

  10. After the scan is completed, you can view the results of the project on a side pane by clicking within the project row.

  11. Scroll down to view your API Security results.


    Selecting Overview redirects you to the scan Overview page.


    Selecting Results redirects you to the Risks results page.



  • Only API Security and SAST support incremental scans. If you select additional scanners for an Incremental Scan, a full scan is performed instead.

  • API Security currently supports Python Flask, Java - Spring, and C# - ASP.NET Web API .