Swagger template file for appsec scanning

Looking to test some custom APIs using AppSec, but the scan keeps failing with an "Ill-formed Swagger file" error. I've been playing around with my JSON file but can't seem to get it right. Does anyone have one that works that I can look at? Or documentation on what structure AppSec is expecting?

Hey @ceberiel, apologies for the delay here. We do have a couple of examples that should be good templates to base yours off of if you're having trouble figuring out the error. In particular, it's common for the file to be missing the host, basePath, or schemes info (in v2) or the server info (in v3). Here they are:

https://petstore.swagger.io/v2/swagger.json
https://petstore3.swagger.io/api/v3/openapi.json


We had to modify our OpenAPI file generator to insert the server info to get InsightAppSec to accept it. IMO, InsightAppSec shouldn’t be requiring the server info in OpenAPI v3 definitions. The OpenAPI spec says when the server is not specified in the file, the server is implied to be the root of the server hosting the file.

"If the servers property is not provided, or is an empty array, the default value would be a Server Object with a url value of /."

Hey @holly_wilsey, we're just getting started with InsightAppSec and would love to use our Swagger files. The tricky part is that with dev and prod environments we do not want the generated Swagger file produced by Swashbuckle to include servers, since we do not know the domain at compile time. Is it possible for the Swagger component to use the base host, as commented above by @sbiber?

Our use case is to build and deploy the app to an ephemeral environment and then use InsightAppSec to scan it for potential issues before release. Because of the ephemeral environment, we wouldn't know the server name ahead of time. Also, updating all our apps to modify the generated Swagger simply to include that base URL information would be problematic.

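One way to handle both the "file generator inserts the server info" workaround from @sbiber's post and the ephemeral-environment case from the last post is a small post-processing step in the deploy pipeline rather than a change to every app. The script below is an added example, not code from any of the posters or from Rapid7; it assumes the pipeline knows the environment's base URL at scan time (for example from an environment variable or the deploy tool's output) and only fills in the fields this thread reports as missing (servers for OpenAPI v3; host, basePath and schemes for Swagger v2). The two sample documents are constructed for the example and are not real generator output.

```python
"""Fill in the server info InsightAppSec expects in a Swagger v2 / OpenAPI v3 file.

Usage (hypothetical pipeline step, URL taken from the ephemeral deployment):
    python fill_server_info.py swagger.json https://pr-123.review.example.test > scan.json
"""
import json
import sys
from urllib.parse import urlsplit

# Constructed minimal documents, shaped like a generator's output with no server info.
V2_SAMPLE = {
    "swagger": "2.0",
    "info": {"title": "Orders API", "version": "1.0"},
    "paths": {"/orders": {"get": {"responses": {"200": {"description": "ok"}}}}},
}
V3_SAMPLE = {
    "openapi": "3.0.1",
    "info": {"title": "Orders API", "version": "1.0"},
    "paths": {"/orders": {"get": {"responses": {"200": {"description": "ok"}}}}},
}


def missing_server_info(spec):
    """Return the names of the server-related fields that are absent or empty.

    These are the fields the thread reports as triggering the
    "Ill-formed Swagger file" error; an empty list means nothing is missing.
    """
    if "openapi" in spec:  # OpenAPI 3.x: a non-empty servers array
        return [] if spec.get("servers") else ["servers"]
    if "swagger" in spec:  # Swagger 2.0: host, basePath and schemes
        return [k for k in ("host", "basePath", "schemes") if not spec.get(k)]
    raise ValueError("document has neither a 'swagger' nor an 'openapi' key")


def inject_server(spec, base_url):
    """Return a copy of spec with server info derived from base_url.

    Existing non-empty values are left alone, so a file that already carries
    server info is passed through unchanged.
    """
    parts = urlsplit(base_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("base_url must be an absolute http(s) URL: %r" % base_url)
    out = json.loads(json.dumps(spec))  # deep copy; never mutate the caller's document
    if "openapi" in out:
        if not out.get("servers"):
            out["servers"] = [{"url": base_url.rstrip("/")}]
    elif "swagger" in out:
        if not out.get("host"):
            out["host"] = parts.netloc
        if not out.get("basePath"):
            out["basePath"] = parts.path or "/"
        if not out.get("schemes"):
            out["schemes"] = [parts.scheme]
    else:
        raise ValueError("document has neither a 'swagger' nor an 'openapi' key")
    return out


def main(argv):
    if len(argv) != 3:
        sys.stderr.write(__doc__)
        return 2
    with open(argv[1]) as fh:
        spec = json.load(fh)
    before = missing_server_info(spec)
    fixed = inject_server(spec, argv[2])
    sys.stderr.write("filled in: %s\n" % (", ".join(before) or "nothing"))
    json.dump(fixed, sys.stdout, indent=2)
    sys.stdout.write("\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run this against the generated file just before the scan starts, when the ephemeral hostname is finally known; the scheme, host and path all come from the one URL, so a v2 and a v3 document get consistent treatment and a file that already has server info is not rewritten.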