Login

Importing reports via Terminal using a Report File

You can import reports to AppSec Portal using the following curl command in your terminal:

curl -X POST localhost/api/v1/scan/import/ -H "Authorization: Token <authorization_token>" -H "Content-Type: multipart/form-data" -F "file=@<report_file_path>" -F "product_name=<product_name>" -F "product_type=<product_type>" -F "scanner_name=<scanner_name>" -F "branch=<branch_name>" -F "repository=<repository SSH URL>" -F "docker_image=<registry address>" -F "domain=<domain>" -F "host=<host>"

In this command, the following parameters are used:

  1. -X POST: specifies the HTTP method to be used (in this case, POST)

  2. -H "Authorization: Token <authorization_token>": specifies the authorization token obtained from AppSec Portal.

  3. -H "Content-Type: multipart/form-data": specifies the content type of the request.

  4. -F "file=@<report_file_path>": specifies the path to the report file generated by the scanner.

  5. -F "product_name=<product_name>": specifies the name of the product being scanned.

  6. -F "product_type=<product_type>": specifies the type of the product being scanned.

  7. -F "scanner_name=<scanner_name>": specifies the name of the scanner used to generate the report (see the expandable tab below for correct name).

  8. -F "branch=<branch_name>": (optional) specifies the name of the branch in the source code repository (if applicable) This parameter is particularly useful when you want to associate the scan results with a specific branch in your repository. If not provided, the scan will be associated with the default branch

Asset information, if an auditor is used

  1. -F "repository=<repository SSH URL>": If your product is code in a repository enter the address of your repository in a specific format, for example: git@gitlab.com:whitespots-public/appsec-portal.git

  2. -F "docker_image=<registry address>": If your product is image enter the address of the registry where your product is located, for example: registry.gitlab.com/whitespots-public/appsec-portal/back/auto_validator:latest

  3. -F "domain=<domain>": If your product is web enter the domain name of your product, for example: whitespots.io

  4. -F "host=<host>": If your product is web enter the IP address of your product, for example: 0.0.0.0

List of currently supported scanners

  • Acunetix Scan

  • Arachni Scan

  • AWS Security Hub Scan

  • Bandit Scan

  • Burp Enterprise Scan

  • Checkov Scan

  • CodeQL Scan (SARIF)

  • ESLint Scan

  • Find Security Bugs Scan (GitLab SAST Report)

  • GitLab Bandit

  • GitLab ESLint

  • GitLab Gemnasium

  • GitLab Gitleaks

  • GitLab KICS

  • GitLab OWASP Zap

  • GitLab Semgrep

  • Gitleaks Scan

  • Gosec Scanner

  • Hadolint Dockerfile check

  • Manual

  • Nuclei Scan

  • Pen Test

  • Prowler

  • Retire.js Scan

  • Semgrep JSON Report

  • subfinder

  • Terrascan Scan

  • Trivy Scan

  • Trufflehog3 Scan

  • Whitespots Portal

If you generate a curl command for an unsupported scanner, the import will not be executed.

You need to modify the curl command based on the scanner used to generate the report.

Note that if the specified product type or product name does not exist in the AppSec Portal, they will be created automatically. However, within the same product type, there cannot be two products with the same name.

Curl example

Here is an example of a command to import a report generated by Trivy scanner:

curl -X POST localhost/api/v1/scan/import/ -H "Authorization: Token a75bb26171cf391671e67b128bfc8ae1c779ff7b" -H "Content-Type: multipart/form-data" -F "file=@./trivy-code.json" -F "product_name=Product1" -F "product_type=Application" -F "scanner_name=Trivy Scan" -F "branch=dev" -F "repository=git@gitlab.com:whitespots-public/appsec-portal.git"

Once the import is completed, you can view and analyze the imported reports in the AppSec Portal.

PreviousManual Import using Report FileNextImporting reports via Lambda Function using a Report File

Last updated