Product updates: Automated schema generation

We are excited to introduce our latest feature: automated schema generation for all your discovered APIs.

Having an OpenAPI Specification (OAS) is beneficial because it provides a standardized, machine-readable format for documenting RESTful APIs, promoting clarity and consistency across different services. With an OAS, developers can leverage a wide range of tools for API development, testing, and documentation. It also serves as a contract between API providers and consumers, clearly outlining the expected inputs, outputs, and behaviors.

However, we understand that not all APIs have an available specification, and even when they do, ensuring its validity can be challenging. We also recognize that manually authoring a specification is not a task most developers enjoy. Still, having one is crucial for providing more context about the API service and its schema. That's why we've integrated automated specification generation into Escape.

This feature allows you to generate your API schema and start scanning vulnerabilities immediately, reducing the time it takes to derive full value from Escape.

To use it, simply enter your domain name or, if your API service doesn't have a front-end, connect your account to your organization's GitHub, GitLab, or Bitbucket. This feature works seamlessly with any code repository, leveraging AST parsing and cutting-edge LLM technology.

Escape empowers you to effectively scan your APIs, whether or not you have a specification available.

Why?

With this feature, we aim to remove the burden of manual specification authoring and provide you with the following benefits:

  • Efficiency: Through the automated generation of API schemas, either directly or via Git integration, we streamline the setup process for scans. The process involves parsing the AST from the code to dynamically generate detailed and accurate API schemas. This is particularly useful for organizations that may not have formalized API documentation.

    This not only saves time and effort for both security and development teams but also enables development teams to redirect their focus towards higher-value tasks. With the burden of manual specification creation lifted, they can now dedicate their time to more impactful activities. Meanwhile, security teams are empowered to dedicate increased attention to analyzing scan results, rather than being tied up with manual scan configurations.
  • Scalability: Automated schema generation allows you to effortlessly expand your scanning efforts across a large number of APIs. This is especially advantageous in environments with numerous microservices or APIs, where manual configuration would be impractical or time-consuming.
  • Access to Business Context: Automatically generated schemas provide more context to the API service. API service properties are of better quality when API specifications are available, enabling developers and stakeholders to gain a deeper understanding of the API's purpose, functionality, and intended business use. This enriched context ensures more in-depth scanning and facilitates smoother collaboration between security, development, and business teams.
  • Real-time Updates: With automated schema generation, scan configurations can be updated in real-time as your APIs evolve or new endpoints are added. This ensures that scans always reflect the current state of your APIs, eliminating the need for manual intervention to update configurations.
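To make the AST-parsing idea above concrete, here is an added example (it is not Escape's code and does not reflect Escape's implementation, which covers many frameworks and adds an LLM pass on top). It walks the AST of a constructed Flask-style module, recovers every route whose path is a string literal, converts Flask path converters such as `<int:user_id>` into OpenAPI path parameters, and emits an OpenAPI 3 document. The sample service embedded in `SAMPLE_SOURCE`, the helper names and the `generate_openapi` function are all assumptions made for this illustration. It also shows the limitation a practitioner should expect from purely static generation: a route whose path is built at runtime (`PREFIX + "/admin"`) is skipped rather than guessed, so such endpoints still need a runtime discovery source.

```python
"""Toy AST-based OpenAPI generator (added example, not Escape's own code)."""
import ast
import re
from typing import Any, Optional, Tuple

# Constructed sample: a small Flask-style service. Only the route decorators
# matter for schema generation; the function bodies are placeholders.
SAMPLE_SOURCE = '''
from flask import Flask, jsonify, request
app = Flask(__name__)
PREFIX = "/internal"

@app.route("/users", methods=["GET", "POST"])
def users():
    """List users or create one."""
    return jsonify([])

@app.route("/users/<int:user_id>", methods=["DELETE"])
def delete_user(user_id):
    """Remove a user by id."""
    return "", 204

@app.get("/health")
def health():
    return "ok"

@app.route(PREFIX + "/admin")   # dynamic path: invisible to static analysis
def admin():
    return "admin"
'''

# Flask URL converter names mapped to OpenAPI schema types.
_CONVERTER_TYPES = {"int": "integer", "float": "number", "string": "string",
                    "path": "string", "uuid": "string"}
_PARAM_RE = re.compile(r"<(?:(?P<conv>\w+):)?(?P<name>\w+)>")


def _literal(node: ast.AST, default: Any) -> Any:
    """Evaluate a literal decorator argument; return `default` for anything dynamic."""
    try:
        return ast.literal_eval(node)
    except (ValueError, TypeError):
        return default


def _route_from_decorator(dec: ast.AST) -> Optional[Tuple[str, list]]:
    """Return (path, methods) for @app.route(...) / @app.get(...) style decorators."""
    if not isinstance(dec, ast.Call) or not isinstance(dec.func, ast.Attribute):
        return None
    if not dec.args:
        return None
    path = _literal(dec.args[0], None)
    if not isinstance(path, str):
        return None  # path is computed at runtime; do not guess it
    attr = dec.func.attr
    if attr == "route":
        methods = ["GET"]  # Flask's default when `methods` is omitted
        for kw in dec.keywords:
            if kw.arg == "methods":
                methods = [m.upper() for m in _literal(kw.value, ["GET"])]
        return path, methods
    if attr in {"get", "post", "put", "patch", "delete"}:
        return path, [attr.upper()]
    return None


def _openapi_path(flask_path: str) -> Tuple[str, list]:
    """Convert /users/<int:user_id> into /users/{user_id} plus its parameter objects."""
    params = []

    def repl(m: "re.Match") -> str:
        conv = m.group("conv") or "string"
        params.append({"name": m.group("name"), "in": "path", "required": True,
                       "schema": {"type": _CONVERTER_TYPES.get(conv, "string")}})
        return "{" + m.group("name") + "}"

    return _PARAM_RE.sub(repl, flask_path), params


def generate_openapi(source: str, title: str = "Generated API") -> dict:
    """Walk the module AST and emit an OpenAPI 3 document for every statically visible route."""
    tree = ast.parse(source)
    paths: dict = {}
    for node in ast.walk(tree):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in node.decorator_list:
            route = _route_from_decorator(dec)
            if route is None:
                continue
            flask_path, methods = route
            oas_path, params = _openapi_path(flask_path)
            item = paths.setdefault(oas_path, {})
            for method in methods:
                op = {"operationId": f"{node.name}_{method.lower()}",
                      "responses": {"default": {"description": "Unspecified response"}}}
                doc = ast.get_docstring(node)
                if doc:
                    op["summary"] = doc.splitlines()[0]
                if params:
                    op["parameters"] = params
                item[method.lower()] = op
    return {"openapi": "3.0.3", "info": {"title": title, "version": "0.0.1"}, "paths": paths}


if __name__ == "__main__":
    import json
    print(json.dumps(generate_openapi(SAMPLE_SOURCE), indent=2))
```

Running the module prints the generated document. The `/users`, `/users/{user_id}` and `/health` routes appear with their methods and path parameters, while the `PREFIX + "/admin"` route is deliberately absent: a scanner fed only this output would never exercise that endpoint, which is exactly the gap that front-end or traffic-based discovery has to close.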

Getting started

Here's how you can quickly benefit from the automated specifications:

  1. If you haven't already, add your new domain to your API inventory:
Go to the API inventory settings to add a new domain

For API services with a front-end, that's all there is to it! Your specification will be generated automatically.

You'll see the following if your specification was generated automatically from the frontend code:

Specification generated from the frontend code

Your spec will be updated automatically as your API service evolves.

For API services without a front-end, you need to set up an integration with your GitHub, GitLab, or Bitbucket.

  • Navigate to your API inventory settings, then click on "Integrations" or simply select "Connect" from the "Connected Integrations" callout located in the top-right corner:
Available inventory integrations

Then, enter the required information, such as an access token for the integration of your choice. Below is an example for GitHub:

For GitHub integration, add your GitHub access token, and you're set!

With these new updates, you should be able to run your security scans automatically once API endpoints are discovered by Escape, without the need to upload your API specs. Try it out for yourself, and let us know what you think in our Slack community!
