Swagger template file for appsec scanning

Looking to test some custom APIs using AppSec, but the scan keeps failing with an "Ill-formed Swagger file" error. I've been playing around with my JSON file but can't seem to get it right. Does anyone have one that works that I can look at? Or documentation on what structure AppSec is expecting?

Hey @ceberiel, apologies for the delay here. We do have a couple examples that should be good templates to base yours off of, if you’re having trouble figuring out the error. In particular it’s common for the file to be missing the host, basepath, or schemes info (in v2) or the server info (in v3). Here they are:

https://petstore.swagger.io/v2/swagger.json
https://petstore3.swagger.io/api/v3/openapi.json


We had to modify our OpenAPI file generator to insert the server info to get InsightAppSec to accept it. IMO, InsightAppSec shouldn’t be requiring the server info in OpenAPI v3 definitions. The OpenAPI spec says when the server is not specified in the file, the server is implied to be the root of the server hosting the file.

"If the servers property is not provided, or is an empty array, the default value would be a Server Object with a url value of /."
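The two replies above point at the same practical problem: a v2 file without host, basePath and schemes, or a v3 file without a non-empty servers array, gets rejected, and the fix one poster used was to have their generator insert the server info. The script below is an added example written for this thread, not code from Rapid7 or from either poster. It checks a Swagger 2.0 or OpenAPI 3.x document for exactly those fields and, when any are absent, fills them in from a base URL you supply. The sample specs are constructed in the script; the function names, and the base URL https://api.example.com/v1, are my own and not anything the thread mentions.

```python
"""Check a Swagger 2.0 / OpenAPI 3.x JSON definition for the server-location
fields a scanner may insist on, and fill them in from a base URL when absent.
Added example for this thread; not InsightAppSec's own logic."""
import json
import sys
from urllib.parse import urlsplit

# Constructed sample definitions (not real APIs): a v2 file missing
# host/basePath/schemes and a v3 file missing servers.
V2_MISSING = json.dumps({
    "swagger": "2.0",
    "info": {"title": "Demo", "version": "1.0"},
    "paths": {"/items": {"get": {"responses": {"200": {"description": "ok"}}}}},
})
V3_MISSING = json.dumps({
    "openapi": "3.0.3",
    "info": {"title": "Demo", "version": "1.0"},
    "paths": {"/items": {"get": {"responses": {"200": {"description": "ok"}}}}},
})


def missing_server_fields(spec):
    """Return the names of server-location fields that are absent or empty.
    Swagger 2.0: host, basePath, schemes.  OpenAPI 3.x: a non-empty servers list."""
    if "swagger" in spec:
        return [k for k in ("host", "basePath", "schemes") if not spec.get(k)]
    if "openapi" in spec:
        return [] if spec.get("servers") else ["servers"]
    raise ValueError("not a Swagger 2.0 or OpenAPI 3.x document")


def add_server_info(spec, base_url):
    """Return a copy of spec with server location derived from base_url
    (e.g. https://api.example.com/v1), touching only fields that are absent."""
    parts = urlsplit(base_url)
    if not parts.scheme or not parts.netloc:
        raise ValueError("base_url must be absolute, e.g. https://host/path")
    spec = json.loads(json.dumps(spec))  # deep copy; leave the caller's object alone
    if "swagger" in spec:
        if not spec.get("host"):
            spec["host"] = parts.netloc
        if not spec.get("basePath"):
            spec["basePath"] = parts.path or "/"
        if not spec.get("schemes"):
            spec["schemes"] = [parts.scheme]
    elif "openapi" in spec:
        if not spec.get("servers"):
            spec["servers"] = [{"url": base_url}]
    else:
        raise ValueError("not a Swagger 2.0 or OpenAPI 3.x document")
    return spec


def prepare_for_scan(raw_json, base_url):
    """Parse raw JSON, report which fields were missing, and return the
    (missing, fixed_spec) pair; fixed_spec is unchanged when nothing was missing."""
    spec = json.loads(raw_json)
    missing = missing_server_fields(spec)
    fixed = add_server_info(spec, base_url) if missing else spec
    return missing, fixed


if __name__ == "__main__":
    # Usage: python fix_servers.py spec.json https://api.example.com/v1 > fixed.json
    path, base = sys.argv[1], sys.argv[2]
    with open(path, encoding="utf-8") as fh:
        missing, fixed = prepare_for_scan(fh.read(), base)
    print("added:", ", ".join(missing) or "nothing", file=sys.stderr)
    print(json.dumps(fixed, indent=2))
```

The script writes an absolute URL rather than the spec's default of /: when a definition is supplied as a file instead of being fetched from the API's own host, a relative / gives the consumer no host to resolve it against, which is one plausible reason a scanner insists on an explicit server. Running the check before upload, and diffing the output against the input, shows exactly which fields your generator was leaving out.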