
Getting Started

This guide walks you through running your first scan with API Scanning. The entire process takes about 10 minutes.

Prerequisites

Before you begin, you need:

  • A Detectify account with API Scanning enabled
  • An API definition for your target (see supported formats below)
  • Authentication credentials for your API (if applicable)
  • Permission to scan the target API

Step 1: Prepare Your API Definition

REST APIs

Prepare your OpenAPI specification file. Supported formats:

Format                      Supported
OpenAPI v2 (Swagger)        Yes
OpenAPI v3.0                Yes
OpenAPI v3.1                Yes
JSON format (.json)         Yes
YAML format (.yaml, .yml)   Yes

For the best scan coverage, your spec should:

  • Define all endpoints you want tested. Only endpoints present in the spec are scanned.
  • Include request body schemas with accurate data types.
  • Specify parameter types (query, path, header, cookie) with correct formats and constraints.
  • Document authentication schemes using the securityDefinitions (v2) or securitySchemes (v3) section.
  • Provide accurate example values; the scanner may use them as seed data for payload generation.

If you do not have an OpenAPI spec, many API frameworks can generate one automatically (for example, FastAPI, Spring Boot with Springdoc, or Express with swagger-jsdoc).
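The following pre-upload check is an added example, not Detectify's code or part of its product. It walks every operation in an OpenAPI 3.x document and flags the gaps listed above that reduce scan coverage: parameters without a schema type, request bodies without a schema, and operations that reference no security scheme (or an undefined one). The embedded spec is constructed for the example and describes no real API; the `api.example.com` host and the `Order` schema are placeholders.

```python
"""Pre-upload coverage check for an OpenAPI 3.x definition (added example)."""
import json

# Constructed sample spec: one fully described operation and one with gaps.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Example Orders API", "version": "1.0.0"},
  "servers": [{"url": "https://api.example.com/v1"}],
  "components": {
    "securitySchemes": {
      "bearerAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"}
    },
    "schemas": {
      "Order": {
        "type": "object",
        "required": ["sku", "quantity"],
        "properties": {
          "sku": {"type": "string", "example": "SKU-1001"},
          "quantity": {"type": "integer", "minimum": 1, "example": 2}
        }
      }
    }
  },
  "paths": {
    "/orders": {
      "post": {
        "operationId": "createOrder",
        "security": [{"bearerAuth": []}],
        "requestBody": {
          "required": true,
          "content": {"application/json": {"schema": {"$ref": "#/components/schemas/Order"}}}
        },
        "responses": {"201": {"description": "Created"}}
      }
    },
    "/orders/{orderId}": {
      "get": {
        "operationId": "getOrder",
        "parameters": [{"name": "orderId", "in": "path", "required": true}],
        "responses": {"200": {"description": "OK"}}
      }
    }
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def count_operations(spec: dict) -> int:
    """Number of operations the scanner will see; only these get tested."""
    return sum(1 for item in spec.get("paths", {}).values() for m in item if m in HTTP_METHODS)


def check_spec(spec: dict) -> list[str]:
    """Return human-readable warnings for anything that weakens scan coverage."""
    warnings = []
    defined_schemes = set(spec.get("components", {}).get("securitySchemes", {}))
    global_security = spec.get("security")
    if not defined_schemes:
        warnings.append("no securitySchemes defined; protected endpoints would be scanned unauthenticated")

    for path, item in spec.get("paths", {}).items():
        # Path-level parameters apply to every operation under the path.
        path_params = item.get("parameters", [])
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            label = f"{method.upper()} {path}"
            # 1. Every query/path/header/cookie parameter needs a typed schema.
            for param in path_params + op.get("parameters", []):
                schema = param.get("schema", {})
                if "type" not in schema and "$ref" not in schema:
                    warnings.append(f"{label}: parameter '{param.get('name')}' ({param.get('in')}) has no schema type")
            # 2. Every request body media type should carry a schema.
            body = op.get("requestBody")
            if body is not None:
                for media, content in body.get("content", {}).items():
                    if "schema" not in content:
                        warnings.append(f"{label}: request body '{media}' has no schema")
            elif method in {"post", "put", "patch"}:
                warnings.append(f"{label}: no requestBody; body parameters will not be tested")
            # 3. Operation-level security overrides the document-level list.
            security = op.get("security", global_security)
            if not security:
                warnings.append(f"{label}: no security requirement; scanned without credentials")
            else:
                for requirement in security:
                    for scheme in requirement:
                        if scheme not in defined_schemes:
                            warnings.append(f"{label}: references undefined security scheme '{scheme}'")
    return warnings


if __name__ == "__main__":
    print(f"{count_operations(SAMPLE_SPEC)} operations found")
    for warning in check_spec(SAMPLE_SPEC):
        print("WARN:", warning)
```

Run against the sample, the check reports two warnings, both on `GET /orders/{orderId}`: the path parameter has no schema type, and the operation has no security requirement, so the scanner would send unauthenticated requests to it. Load your own spec with `json.load` (or a YAML parser for `.yaml` files) in place of `SAMPLE_SPEC`.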

GraphQL APIs

Export your GraphQL schema definition file from your framework (for example, Apollo Server, graphql-java, Strawberry, or the graphql-codegen CLI). Supported file formats: .graphql, .gql, .json, and .txt.

Step 2: Create a Scan Profile

  1. Navigate to API Scanning in the Detectify dashboard.
  2. Click Create Scan Profile.
  3. Select your API type (REST or GraphQL).
  4. Upload your OpenAPI spec or GraphQL schema file.
  5. Detectify parses the definition. If there are parsing errors, you will see a summary of issues. See Troubleshooting for common parsing issues.

For GraphQL APIs, select which queries and mutations to include in the scan and provide sample values for their arguments.
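To know up front which operations you will be asked to select and which arguments need sample values, it helps to enumerate them from the exported schema. The script below is an added example, not Detectify's code: it lists the fields of `type Query` and `type Mutation` with their argument types, then reports the operations whose non-null (`!`) arguments require a sample value. The SDL is constructed for the example, and the parser is a deliberately small regex-based one that handles plain `type Query`/`type Mutation` blocks with comments and descriptions, not the full SDL grammar (for a real schema, a library such as graphql-core would be the robust choice).

```python
"""Enumerate GraphQL operations and required arguments from an SDL export (added example)."""
import re

# Constructed sample schema; not a real service.
SAMPLE_SDL = '''
"""Orders service"""
type Query {
  order(id: ID!): Order
  orders(first: Int = 10, after: String): [Order!]!
  me: User
}

type Mutation {
  createOrder(input: CreateOrderInput!): Order!
  # staff only
  cancelOrder(id: ID!, reason: String): Boolean!
}

type Order { id: ID! total: Float! }
type User { id: ID! email: String! }
input CreateOrderInput { sku: String! quantity: Int! }
'''

_BLOCK_RE = re.compile(r"type\s+(Query|Mutation)\s*\{(.*?)\}", re.DOTALL)
# One field per line: name, optional "(args)", then ": ReturnType".
_FIELD_RE = re.compile(r"^\s*(\w+)\s*(?:\(([^)]*)\))?\s*:\s*([\[\]\w!]+)", re.MULTILINE)
# "name: Type" pairs inside an argument list, skipping any "= default".
_ARG_RE = re.compile(r"(\w+)\s*:\s*([\[\]\w!]+)(?:\s*=\s*[^,]+)?")


def parse_operations(sdl: str) -> dict[str, dict[str, dict]]:
    """Return {"Query": {name: {"args": {arg: type}, "returns": type}}, "Mutation": {...}}."""
    ops = {"Query": {}, "Mutation": {}}
    for kind, body in _BLOCK_RE.findall(sdl):
        # Strip line comments and string descriptions before matching fields.
        body = re.sub(r"#.*", "", body)
        body = re.sub(r'"""(?:.|\n)*?"""', "", body)
        body = re.sub(r'"[^"\n]*"', "", body)
        for name, raw_args, returns in _FIELD_RE.findall(body):
            args = dict(_ARG_RE.findall(raw_args)) if raw_args else {}
            ops[kind][name] = {"args": args, "returns": returns}
    return ops


def required_sample_values(ops: dict) -> dict[str, list[str]]:
    """Operations whose non-null arguments need a sample value before scanning."""
    needed = {}
    for kind, fields in ops.items():
        for name, info in fields.items():
            required = [arg for arg, typ in info["args"].items() if typ.endswith("!")]
            if required:
                needed[f"{kind}.{name}"] = required
    return needed


if __name__ == "__main__":
    operations = parse_operations(SAMPLE_SDL)
    for kind, fields in operations.items():
        for name, info in fields.items():
            print(f"{kind}.{name}({', '.join(f'{a}: {t}' for a, t in info['args'].items())}) -> {info['returns']}")
    print("needs sample values:", required_sample_values(operations))
```

On the sample schema this reports three operations that cannot be exercised without sample values: `Query.order` (`id`), `Mutation.createOrder` (`input`) and `Mutation.cancelOrder` (`id`); `Query.orders` and `Query.me` have only optional arguments. Mutations such as `cancelOrder` modify state, so provide sample values that point at disposable test records and confirm, as Step 3 describes, that each call works before the scan runs it with payloads.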

Step 3: Test Operations

Test individual endpoints (REST) or queries and mutations (GraphQL) to verify that your configuration — server address, authentication, example values — produces working API calls. You can do this when creating or editing a scan profile.

Step 4: Configure Authentication

If your API requires authentication, configure it so the scanner can access protected endpoints. See Configuration for setup details.

Without valid authentication, the scanner can only test unauthenticated endpoints and will miss vulnerabilities in protected areas of your API.

Step 5: Run Your First Scan

  1. Review the scan configuration summary, which shows the number of endpoints detected and the authentication method configured.
  2. Click Start Scan.
  3. The scan begins sending payloads to your API endpoints. See Configuration for factors that affect scan duration.

You can monitor scan progress in the dashboard. Findings appear in real time as vulnerabilities are confirmed.

Step 6: Review Results

Once the scan completes, navigate to the Results tab to review findings. For each vulnerability, Detectify provides:

  • The affected endpoint and parameter
  • Severity level (Critical, High, Medium, or Low)
  • A description of the vulnerability
  • The exact request and response that confirmed the issue
  • Remediation guidance

See Results & Remediation for a detailed guide on interpreting your findings.

Next Steps
