Integrating MuleSoft Anypoint Exchange with Invicti Enterprise On-Premises
This feature is available with Invicti API Security Standalone or Bundle
Integrating Invicti Enterprise On-Premises with MuleSoft Anypoint Exchange allows you to fetch Swagger2 and OpenAPI3 specification files from MuleSoft to build an inventory of API endpoints that can be scanned for vulnerabilities with our DAST scanners. The integration leverages Connected Apps, where Invicti Enterprise is the application that integrates via user account with MuleSoft Anypoint Exchange.
This document explains how to set up an integration between MuleSoft Anypoint Exchange and Invicti Enterprise On-Premises. If you are using Invicti Enterprise On-Demand, refer to Integrating MuleSoft Anypoint Exchange with Invicti Enterprise On-Demand.
PREREQUISITES:
How to integrate Invicti Enterprise On-Premises with MuleSoft Anypoint Exchange
This integration has three steps. Follow the steps in each section below to prepare your MuleSoft Anypoint Exchange account and connect it to Invicti Enterprise On-Premises.
NOTE: Only Swagger2 and OpenAPI3 specification files will be imported.
Step 1: Create a connected app in MuleSoft Anypoint Exchange
For Invicti Enterprise to fetch your Swagger2 and OpenAPI3 specification files from MuleSoft, you first need to set up a mirroring policy in MuleSoft Anypoint Exchange by creating a connected app that serves as the central point for authentication. Follow the instructions below to configure your MuleSoft Anypoint Exchange account for the integration.
- Log in to the MuleSoft Anypoint platform: https://anypoint.mulesoft.com/
- Open the menu in the upper-left corner and select Access Management.
- Select Connected Apps from the left-side menu, then click Create app.
- Enter a Name for the app. In the example below, we have used Invicti Enterprise API Importer.
- In the Grant types section, select Authorization Code and Refresh Token. (Refresh Token appears after you select Authorization Code).
- Enter your Website URL. This is the URL of your Invicti instance. In the image below we have used http://your-instance.com/ (this is only an example!).
- Enter your callback URL in the Redirect URIs section, then click Add.
  The callback URL should have this format: http://your-instance.com/apihub/callback
- Click Add Scopes at the bottom of the Scopes section.
- Use the Filter scopes field to find and then select the following scopes:
  - Exchange Viewer
  - Profile
  - Background Access (this is necessary for the refresh token functionality)
- Click Add Scopes.
- Select Save. This completes the creation of a connected app in MuleSoft Anypoint Exchange.
Now that you have created a connected app in MuleSoft Anypoint Exchange, you are ready to set up the MuleSoft integration in Invicti Enterprise to import your API specification files. Keep MuleSoft open and continue with the steps below to configure the API import in Invicti Enterprise using a new browser tab or window.
Step 2: Configure the API import source in Invicti Enterprise
- Log in to Invicti Enterprise On-Premises.
- Select APIs > Sources from the left-side menu.
- Click Add new source.
- Enter a name for the API integration and select MuleSoft as the source type.
- Switch to your MuleSoft tab or window and click Copy Id.
- Paste the Id from MuleSoft Anypoint Exchange into the Client ID field in Invicti Enterprise.
- Return to MuleSoft and click Copy Secret.
- Paste the copied Secret into Invicti Enterprise.
- Click Authenticate and Save. You will be redirected to your MuleSoft account to authorize the integration, and then returned to Invicti Enterprise.
- Click Grant access to… to authorize the integration.
Once complete, you will see a short message displayed in Invicti Enterprise: Authorization was successful. To synchronize the API import, continue with the final step below.
Step 3: Synchronize the API import
- On the APIs > Sources page in Invicti Enterprise, click the sync icon to start importing your API specification files from MuleSoft into your Invicti Enterprise API Inventory.
- When the sync is complete, your API specification files will be displayed on the API Inventory page in Invicti Enterprise. From this page, you can link your API specification files to targets so they can be scanned for vulnerabilities. For more information, refer to Linking and unlinking discovered APIs to targets.
Your MuleSoft Anypoint Exchange account is now integrated with Invicti Enterprise. After the initial synchronization, the integration will automatically sync your API specifications once every 24 hours.
NOTE: To synchronize API specifications on demand, click the sync icon on the APIs > Sources page. To disable automatic synchronization, click the toggle in the Sync Automatically column on the APIs > Sources page.
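Because only Swagger2 and OpenAPI3 specification files are imported, it helps to know in advance which of your Exchange assets will appear in the API Inventory and which (RAML, for example) will not. The following added example, which is not Invicti or MuleSoft code, classifies specification documents by their top-level version key. The function names and sample assets are hypothetical, and treating every 3.x version string as OpenAPI3 is an assumption.

```python
import json
import re

# Top-level YAML version key, e.g.  swagger: "2.0"  or  openapi: 3.0.3
_YAML_VERSION = re.compile(
    r"""^(swagger|openapi)[ \t]*:[ \t]*["']?(\d[\d.]*)["']?[ \t\r]*(?:#.*)?$""",
    re.MULTILINE,
)

def classify_spec(text):
    """Return 'swagger2', 'openapi3', or None for any other document."""
    text = text.lstrip("\ufeff \t\r\n")
    key = version = None
    if text.startswith("{"):  # JSON document
        try:
            doc = json.loads(text)
        except ValueError:
            return None
        for name in ("swagger", "openapi"):
            if name in doc:
                key, version = name, str(doc[name])
                break
    else:  # YAML, or another format such as RAML ("#%RAML 1.0")
        match = _YAML_VERSION.search(text)
        if match:
            key, version = match.groups()
    if key == "swagger" and version == "2.0":
        return "swagger2"
    # Assumption: any 3.x version string counts as OpenAPI3.
    if key == "openapi" and re.fullmatch(r"3\.\d+(\.\d+)?", version):
        return "openapi3"
    return None

def split_importable(assets):
    """Split {name: spec text} into ({name: format}, [skipped names])."""
    importable, skipped = {}, []
    for name, text in assets.items():
        fmt = classify_spec(text)
        if fmt:
            importable[name] = fmt
        else:
            skipped.append(name)
    return importable, skipped

# Constructed sample assets, not real Exchange content.
SAMPLES = {
    "orders-api.json": '{"swagger": "2.0", "info": {"title": "Orders"}, "paths": {}}',
    "billing-api.yaml": 'openapi: "3.0.3"\ninfo:\n  title: Billing\npaths: {}\n',
    "legacy-api.raml": "#%RAML 1.0\ntitle: Legacy\n",
    "notes.yaml": "info:\n  openapi: 3.0.0\n",  # nested key, not a spec
}
```

Assets reported as skipped are the ones to convert or document separately if they still need to be covered by scans.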