API Testing Scope

The scan scope can be narrowed with allowlists and blocklists, which specify the operations to include in or exclude from security testing. Blocklisted operations are not evaluated during the scan. When an allowlist is defined, only operations that match an allowlist rule are tested.

Both GraphQL and REST API DAST configurations use the same scope structure with allowlist and blocklist parameters. The extend_global_scope parameter controls whether the scanner-specific scope extends the global scope configuration.

GraphQL Scope

The scope parameter is defined within the GraphQL scan configuration and supports both allowlist and blocklist rules.

graphql_api_dast:
  scope:
    extend_global_scope: true
    blocklist:
      - type: graphql_operation
        value: 'mutation.createUser'
      - type: graphql_operation
        value: 'mutation\.delete.*'
        operation: regex
    allowlist:
      - type: graphql_operation
        value: 'query\.users'
        operation: regex

The type field specifies the rule type (graphql_operation for GraphQL operations). The value field contains the operation name pattern. The operation field selects the matching operation and defaults to exact match when omitted, so 'mutation.createUser' above matches only that operation, while the regex rules use the escaped '\.' to match a literal dot. See Scope Operations for details on available operations.

Reference: GraphQL configuration

REST Scope

The scope parameter in REST API DAST uses the same allowlist and blocklist structure; each list holds rules that define which API endpoints are included in or excluded from testing.

rest_api_dast:
  scope:
    extend_global_scope: true
    blocklist:
      - type: rest_api_path
        value: '/api/auth/login'
        method: POST
      - type: rest_api_path
        value: '/api/users/.*'
        operation: regex
      - type: rest_api_path
        value: '/api/admin/.*'
        domain: 'admin.example.com'
        operation: regex
    allowlist:
      - type: rest_api_path
        value: '/api/v[0-9]+/users'
        operation: regex

The type field specifies the rule type (rest_api_path for REST API paths). The value field contains the path pattern. The optional method field restricts the rule to one HTTP method (GET, POST, PUT, DELETE, etc.), so the first blocklist rule above still allows GET requests to /api/auth/login to be tested. The optional domain field restricts the rule to a specific domain. The operation field specifies the matching operation (see Scope Operations for details); because regex rules must match the whole path, '/api/users/.*' matches '/api/users/42' but not '/api/users' itself.

Reference: REST configuration

Scope Operations

Scope rules support various matching operations to provide flexible pattern matching. The operation field in each rule specifies how the value should be matched against targets. When not specified, the operation defaults to equals (exact match).

Supported Operations

  • equals (default): Exact string match

    • Example: value: "mutation.createUser" matches exactly "mutation.createUser"
  • starts_with: Match if target starts with the value

    • Example: value: "query.users" matches "query.users", "query.usersById", "query.usersList"
  • ends_with: Match if target ends with the value

    • Example: value: "User" matches "createUser", "updateUser", "deleteUser"
  • contains: Match if target contains the value anywhere

    • Example: value: "auth" matches "authentication", "authorize", "getUserAuth"
  • regex: Match using a regular expression pattern

    • Example: value: "mutation\\.(create|update|delete).*", operation: regex matches GraphQL mutations whose name starts with create, update, or delete (the doubled backslash is YAML double-quoted escaping; in single quotes write 'mutation\.(create|update|delete).*')
    • Uses Python's re.fullmatch(), so the pattern must cover the entire target, not just a prefix or substring; anchor nothing, but add .* where a partial match is intended
  • wildcard: Match using wildcard/glob pattern

    • Example: value: "query.user*" matches "query.user", "query.users", "query.userById"
    • Supports * (any characters) and ? (single character) wildcards
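The following is an added example, not the scanner's own code, that implements the matching operations listed above and evaluates the GraphQL and REST scope rules from this page against candidate targets. The six operations follow the definitions here (regex via re.fullmatch, wildcard with * and ?); how method and domain are compared (case-insensitive exact match) and how the two lists combine (a non-empty allowlist admits only matching targets, a blocklist match always excludes) are assumptions drawn from the prose and marked in the comments. The Target class, the helper names and the sample targets are constructed for the example.

```python
"""Reference matcher for the allowlist/blocklist scope rules on this page.
Added example, not the scanner's own implementation."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Target:
    """Constructed stand-in for something the scanner is about to test: a
    GraphQL operation name such as 'mutation.createUser', or a REST path
    plus the HTTP method and host it would be sent with."""
    value: str
    method: Optional[str] = None
    domain: Optional[str] = None


def _wildcard_to_regex(pattern: str) -> str:
    # '*' becomes any run of characters, '?' exactly one character; every
    # other character is taken literally, as the wildcard operation describes.
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return "".join(parts)


def match_value(value: str, pattern: str, operation: str = "equals") -> bool:
    """Apply one of the page's matching operations to a single string."""
    if operation == "equals":
        return value == pattern
    if operation == "starts_with":
        return value.startswith(pattern)
    if operation == "ends_with":
        return value.endswith(pattern)
    if operation == "contains":
        return pattern in value
    if operation == "regex":
        # fullmatch: the pattern must cover the whole target, so
        # '/api/users/.*' matches '/api/users/1' but not '/api/users'.
        return re.fullmatch(pattern, value) is not None
    if operation == "wildcard":
        return re.fullmatch(_wildcard_to_regex(pattern), value) is not None
    raise ValueError(f"unknown operation: {operation}")


def rule_matches(rule: dict, target: Target) -> bool:
    """Evaluate one allowlist/blocklist rule written as the YAML mapping."""
    if not match_value(target.value, rule["value"], rule.get("operation", "equals")):
        return False
    # Assumption: optional method/domain narrow the rule and are compared
    # case-insensitively; a rule without them applies to every method/host.
    if "method" in rule and (target.method or "").upper() != rule["method"].upper():
        return False
    if "domain" in rule and (target.domain or "").lower() != rule["domain"].lower():
        return False
    return True


def in_scope(scope: dict, target: Target) -> bool:
    """Assumed combination, taken from the page's prose: with an allowlist
    present only targets matching some allow rule are tested, and any
    blocklist match excludes the target."""
    allowlist = scope.get("allowlist") or []
    blocklist = scope.get("blocklist") or []
    if allowlist and not any(rule_matches(r, target) for r in allowlist):
        return False
    return not any(rule_matches(r, target) for r in blocklist)


# Constructed scope mirroring the REST example on this page.
REST_SCOPE = {
    "blocklist": [
        {"type": "rest_api_path", "value": "/api/auth/login", "method": "POST"},
        {"type": "rest_api_path", "value": "/api/users/.*", "operation": "regex"},
        {"type": "rest_api_path", "value": "/api/admin/.*",
         "domain": "admin.example.com", "operation": "regex"},
    ],
    "allowlist": [
        {"type": "rest_api_path", "value": "/api/v[0-9]+/users", "operation": "regex"},
    ],
}

if __name__ == "__main__":
    for t in (Target("/api/v2/users", "GET", "api.example.com"),
              Target("/api/v2/users/7", "GET", "api.example.com"),
              Target("/api/auth/login", "POST", "api.example.com")):
        state = "tested" if in_scope(REST_SCOPE, t) else "skipped"
        print(f"{t.method} {t.domain}{t.value}: {state}")
```

Running it shows a point worth checking in your own configuration: with the allowlist '/api/v[0-9]+/users' in place, '/api/v2/users' is tested but '/api/v2/users/7' is not, because fullmatch rejects the trailing segment, and the three blocklist rules never fire at all since nothing they cover passes the allowlist. Put the broad rule in the allowlist and reserve the blocklist for carving exceptions out of it.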