API Testing Scope

The scan scope can be refined through the definition of a blocklist, which specifies operations to be excluded from security testing. When operations are blocklisted, they will not be evaluated during the scan execution.

GraphQL Scope

The blocklist parameter is defined within the GraphQL scan configuration.

graphql_api_dast:
  blocklist:
    mutation:
    - 'mutationName'
    query:
    - 'queryName'

Blocklist entries are regular expressions matched against operation names. An operation is excluded from the scan only when a pattern matches the entire operation name (a full match, not a prefix or substring match).

Reference: GraphQL configuration

Reference: Python Regex syntax

REST Scope

The blocklist parameter in REST is configured as a list of path and method combinations that identify routes to be excluded. Paths must conform to OpenAPI path specifications, and methods must be valid HTTP methods (GET, POST, PUT, DELETE, etc.).

rest_api_dast:
  blocklist:
    - path: /a/path/to/blocklist
      method: GET
    - path: /another/path/to/blocklist
      method: POST

Blocklist paths are likewise regular expressions matched against route paths. A route is excluded from the scan only when a pattern matches the entire path (a full match) and the method also matches.

rest_api_dast:
  blocklist:
    - path: /user/.*
      method: POST
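To make the full-match rule concrete for both the GraphQL and REST blocklists above, here is an added Python example (not the scanner's own code) that applies `re.fullmatch` to operation names and route paths the way the page describes. The config dicts mirror the YAML on this page and are constructed for the example; the function names, the case-insensitive method comparison, and the `(method, path)` route tuples are assumptions.

```python
import re

# Constructed config mirroring the GraphQL YAML on this page (assumption: the
# scanner hands the parsed configuration to matching code as plain dicts).
GRAPHQL_CONFIG = {
    "graphql_api_dast": {
        "blocklist": {
            "mutation": ["deleteUser", "reset.*"],
            "query": ["me"],
        }
    }
}

# Constructed config mirroring the REST YAML on this page. The last entry uses an
# OpenAPI path template; braces that do not form a valid quantifier are literal
# in Python's regex engine, so the template matches itself verbatim.
REST_CONFIG = {
    "rest_api_dast": {
        "blocklist": [
            {"path": "/a/path/to/blocklist", "method": "GET"},
            {"path": "/user/.*", "method": "POST"},
            {"path": "/users/{id}", "method": "DELETE"},
        ]
    }
}


def _fullmatches(patterns, value):
    """True when any pattern matches the whole of `value`.

    re.fullmatch anchors at both ends, so 'deleteUser' excludes exactly that
    operation and not 'deleteUserSession'; use '.*' explicitly for wildcards.
    """
    return any(re.fullmatch(pattern, value) for pattern in patterns)


def graphql_is_blocklisted(config, kind, name):
    """kind is 'query' or 'mutation'; name is the GraphQL operation name."""
    blocklist = config["graphql_api_dast"].get("blocklist", {})
    return _fullmatches(blocklist.get(kind, []), name)


def rest_is_blocklisted(config, method, path):
    """A route is excluded when an entry's path regex fully matches `path`
    and the entry's method equals the route's method (compared upper-case,
    an assumption of this example)."""
    for entry in config["rest_api_dast"].get("blocklist", []):
        if entry["method"].upper() != method.upper():
            continue
        if re.fullmatch(entry["path"], path):
            return True
    return False


def filter_rest_routes(config, routes):
    """Keep only the (method, path) routes that remain in scope for the scan."""
    return [(m, p) for m, p in routes if not rest_is_blocklisted(config, m, p)]


if __name__ == "__main__":
    # Constructed route list, as it might be discovered from an OpenAPI document.
    routes = [
        ("GET", "/a/path/to/blocklist"),
        ("POST", "/a/path/to/blocklist"),
        ("POST", "/user/42"),
        ("GET", "/user/42"),
        ("DELETE", "/users/{id}"),
    ]
    for method, path in routes:
        state = "excluded" if rest_is_blocklisted(REST_CONFIG, method, path) else "in scope"
        print(f"{method:6} {path:22} {state}")
```

Two points the output makes visible: a REST entry only excludes a route when both the path and the method match, so `GET /user/42` stays in scope even though `/user/.*` is blocklisted for `POST`; and because matching is a full match, a GraphQL pattern such as `me` does not silently exclude `meta` or other operations that merely start with the same characters.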

Reference: REST configuration

Reference: Python Regex syntax