
Integrating with Apigee API hub

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

This feature is available with Invicti API Security Standalone or Bundle

Integrating Apigee API hub with Invicti Enterprise allows you to fetch Swagger2 and OpenAPI3 specification files from Apigee API hub and provide them as inputs to our DAST scanners. The imported specification files are used to build an inventory of API endpoints that can be scanned for vulnerabilities.

This document explains how to set up an integration between Apigee API hub and Invicti Enterprise.

PREREQUISITES:

  • A Google Cloud Platform account with a project resource that you want to integrate with Invicti Enterprise.
  • The necessary permissions to configure OAuth settings for your project.
  • A basic understanding of OAuth 2.0 and its flow.
  • An Apigee API hub account with access to the credentials section.

How to integrate Invicti Enterprise with Apigee API hub

Before configuring the Apigee API hub integration in Invicti Enterprise, you need to set up OAuth 2.0 in the Google Cloud Console to authenticate and authorize applications securely and configure access to your Apigee API hub endpoints. Follow the steps below in each section to prepare your Apigee API hub for integration with Invicti Enterprise.

NOTE: Only Swagger2 and OpenAPI3 specification files will be imported.

Step 1: Create the OAuth consent screen

  1. Log in to the Google Cloud Console.
  2. Select the project resource that you want to integrate with Invicti Enterprise.
  3. Click the Navigation Menu on the left and select APIs & Services > OAuth consent screen.
  4. Configure the OAuth consent screen:
     a. Select Internal or External for the User Type based on your requirements. Internal limits authorization to accounts in your own Google Workspace organization, which is the safer choice when only your staff will authorize the integration.
     b. Click Create.
  5. Enter the information that will be shown on the consent screen:
     a. Fill out the required fields: App name, User support email, and Developer contact information.
     b. Optionally, upload a logo file and provide an application homepage link, privacy policy link, and terms of service link.
     c. Click Save and Continue.
  6. Define scopes and test users:
     a. Click Add or Remove Scopes to define the scopes your application will request. Common scopes include email and profile. Request only the scopes the integration needs.
     b. Add test users if you selected External as the user type; while an External app is in testing status, only the listed test users can authorize it.
     c. When you have finished, click Save and Continue.
  7. Review your settings on the summary page. If all details are correct, click Back to Dashboard at the bottom of the page.

The OAuth consent screen for your project is now set up. Continue with the instructions in the next section to create OAuth 2.0 credentials for your project.

Step 2: Create OAuth 2.0 credentials

  1. Select Credentials from the left sidebar.
  2. Click + Create Credentials, then select OAuth client ID.
  3. Set the Application type to Web application and enter a Name for your OAuth 2.0 client. The Authorized redirect URIs section used in the next step is only shown for this application type.
  4. In the Authorized redirect URIs section, click + Add URI.
  5. Enter the URI of your Invicti instance that your application will use for OAuth 2.0 redirection, for example https://yourapp.com/apihub/callback (this is only an example; use the callback URI of your own Invicti Enterprise instance). Google matches this value exactly, so the scheme, host, port, and path must be identical to the URI that Invicti Enterprise redirects to.
  6. Click Create.
  7. Copy the Client ID and Client secret. Paste these to a location where you can access them later when configuring the Apigee API hub import in Invicti Enterprise. Treat the Client secret like a password: keep it in a secrets manager and do not commit it to source control or share it in chat or tickets.
  8. Click OK.


A notification confirms: OAuth client created. Continue with the instructions in the next section.

Step 3: Enable required APIs in the Google Cloud Platform

  1. In the Google Cloud Platform navigation menu, select APIs & Services > Library.
  2. Search for, select, and enable the following APIs:
  • Google Cloud Identity and Access Management (IAM) API
  • Google Cloud Resource Manager API
  • Apigee API (if not already enabled)

Step 4: Get the necessary Apigee credentials

Before configuring the Apigee API hub import in Invicti Enterprise, you need to ensure you have the following values from the Google Cloud project that hosts your Apigee API hub:

  • Client ID
  • Client Secret
  • Project ID

Client ID and Client Secret

These were copied in Step 2 when you created the OAuth 2.0 credentials. If you need to obtain them again:

  1. Log in to the Google Cloud Console and select the project that hosts your Apigee API hub.
  2. Click the Navigation Menu on the left and select APIs & Services > Credentials.
  3. In the OAuth 2.0 Client IDs section, click the Edit icon for the credentials you set up in Step 2 of this document.
  4. Copy the Client ID and Client secret from the Additional information section on the right-hand side.

Project ID

  1. Log in to the Google Cloud Console and select the project that hosts your Apigee API hub.
  2. Click the project selector drop-down to open the Select a resource window.
  3. Copy the ID for your project. Note that the Project ID (for example my-project-123456) is different from the project name and the numeric project number; the integration needs the Project ID.

Step 5: Configure the Apigee API hub import in Invicti Enterprise

  1. Log in to Invicti Enterprise.
  2. Select APIs > Sources from the left-side menu.
  3. Click Add new source.
  4. Enter a name for the API integration and select Apigee as the Source type.
  5. Enter the following details:
     • Client Id: This is the Client ID that you previously copied from the Google Cloud Platform when you created OAuth 2.0 credentials.
     • Client Secret: This is the Client Secret that you previously copied from the Google Cloud Platform when you created OAuth 2.0 credentials.
     • Project Ids: Enter your Project ID that you previously copied from the Google Cloud Platform.
  6. Click Authenticate and Save.
  7. You will be navigated to your Google Account to authorize the integration. Select or confirm your Google Account for the integration.

Once complete, you will see a short message displayed in Invicti Enterprise: Authorization successful. Your Apigee API hub integration now appears on the APIs > Sources page in Invicti Enterprise. Continue with the final step below to synchronize the API import.
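The redirect that Step 2 registers and Step 5 exercises is a standard OAuth 2.0 authorization-code exchange with Google. The following is an added example, not Invicti's or Google's code, that builds the authorization URL and validates the callback the way a server on the registered redirect URI should, so you can see why the redirect URI must match exactly and why the Client secret never appears in the browser. The scope (cloud-platform), the callback path /apihub/callback, and the sample callback URL are assumptions for illustration; the Google endpoint URLs are Google's documented OAuth endpoints.

```python
"""OAuth 2.0 authorization-code flow against Google, as seen from the app that
owns the registered redirect URI. Added example; not code from Invicti or Google.
Assumptions: the cloud-platform scope, the /apihub/callback path, and the
constructed sample callback URL used in demo()."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Google's documented OAuth 2.0 endpoints.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"

# Assumption: the page does not name the scope the integration requests.
ASSUMED_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_auth_url(client_id, redirect_uri, state, code_challenge, scope=ASSUMED_SCOPE):
    """Build the URL the user's browser is sent to (Step 5, 'Authenticate and Save').
    Only the public Client ID goes here; the Client secret must not."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,       # must equal a registered URI exactly
        "response_type": "code",
        "scope": scope,
        "state": state,                     # unguessable, bound to the user's session
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "access_type": "offline",           # Google-specific: ask for a refresh token
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def validate_callback(callback_url, registered_redirect_uri, expected_state):
    """Check the redirect Google sends back and return the authorization code.
    Raises ValueError on any problem rather than proceeding with a bad callback."""
    parsed = urlparse(callback_url)
    landed_on = parsed._replace(query="", fragment="").geturl()
    # Same exact-match rule Google applies when registering redirect URIs.
    if landed_on != registered_redirect_uri:
        raise ValueError("callback arrived on an unregistered redirect URI: " + landed_on)
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    state = query.get("state", [None])[0]
    # Constant-time compare; a mismatch means CSRF or a mixed-up session.
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch; discarding callback")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def token_request(code, client_id, client_secret, redirect_uri, code_verifier):
    """Endpoint and form body for the server-to-server code exchange. This is the
    only place the Client secret is used, so it stays off the browser entirely."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,       # must repeat the value used above
        "code_verifier": code_verifier,
    }
    return GOOGLE_TOKEN_ENDPOINT, body


def demo():
    """Round trip over a constructed callback; returns the recovered code."""
    redirect_uri = "https://yourapp.com/apihub/callback"   # assumed callback path
    state = secrets.token_urlsafe(32)
    verifier, challenge = pkce_pair()
    auth_url = build_auth_url("123-abc.apps.googleusercontent.com", redirect_uri, state, challenge)
    assert auth_url.startswith(GOOGLE_AUTH_ENDPOINT + "?")
    # Constructed sample of what Google's redirect looks like (code value is made up).
    callback = redirect_uri + "?" + urlencode({"state": state, "code": "4/0AbCdEf", "scope": ASSUMED_SCOPE})
    code = validate_callback(callback, redirect_uri, state)
    endpoint, body = token_request(code, "123-abc.apps.googleusercontent.com", "secret", redirect_uri, verifier)
    assert endpoint == GOOGLE_TOKEN_ENDPOINT and body["code"] == code
    return code


if __name__ == "__main__":
    print("recovered authorization code:", demo())
```

The exact-match check in validate_callback is the same rule that makes Step 2 fail when the registered URI differs from Invicti's actual callback by a trailing slash, port, or http versus https. The state check is what stops an attacker from logging the integration into their own Google project by tricking an admin into visiting a crafted callback.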

Step 6: Synchronize the API import

  1. On the APIs > Sources page in Invicti Enterprise, click the sync icon to start importing your API specification files from Apigee API hub into your Invicti Enterprise API Inventory.
  2. When the sync is complete, your API specification files will be displayed on the API Inventory page in Invicti Enterprise. From this page, you can link your API specification files to targets so they can be scanned for vulnerabilities. For more information, refer to Linking and unlinking discovered APIs to targets.


Apigee API hub is now integrated with Invicti Enterprise. After the initial synchronization, the integration will automatically sync your API specifications once every 24 hours.

NOTE: To synchronize API specifications on demand, click the sync icon on the APIs > Sources page. To disable automatic synchronization, click the toggle in the Sync Automatically column on the APIs > Sources page.