We know it can sometimes be cumbersome to work with security software, hence we made the setup of Application Scanning as simple as possible, to allow you to start your first scan as quickly as possible. Our onboarding guide helps you along the way, and it is also possible to set up additional scans by following this guide. In addition to the Detectify tool, you can also do this in the Detectify API.
Setup in the Detectify tool
In order to set up Application Scanning via the UI, you first need to register an account with Detectify, then add the asset on which you host your web application.
Once you have your asset verified, go to the Application Scanning page, where you have access to all information on your Application Scanning setup.
Select Add Application Scan Profile to create a new Scan Profile. In the dialog, use the dropdown for “Domain or IP to scan” to select which asset you want to have scanned. When you select a domain, you can choose to create the Scan Profile for a subdomain of the selected asset. This is recommended if you host a separate web application on a subdomain. If you don’t have a subdomain, you can leave the field blank.
Name your Scan Profile, so you can easily find it in case you will make several scan profiles later. If you leave the name blank, we will name the Scan Profile the same as the asset is named (including the subdomain name in case the subdomain is specified). You can also change the name of the Scan Profile later in the settings.
Setup in the Detectify API
This feature is only accessible for customers with Enterprise plan, please contact your customer support representative or firstname.lastname@example.org for more information.
You can create a Scan Profile by sending a POST request to https://api.detectify.com/rest/v2/profiles/ with the following request body:
Here “domain token” refers to the asset token on which the scan profile should be created, while “endpoint” contains the complete scan profile endpoint, which may either be the asset, or a subdomain of the asset. Optionally, you can specify a “name” for the profile, and you can mark it as “unique”. Unique indicates that theScan Profile should only be added if no scan profile exists with the same endpoint. For more information, please refer to the API documentation.
Q: I added an asset, but I don’t see it in the dropdown list?
A: Only verified assets are listed in the dialog. Please check whether your asset is verified.
Q: I wanted to add a subdomain, but forgot, can I change it later?
A: Scan Profiles are tied to a specific asset, and therefore it is not possible to change the asset afterwards. Please create a new Scan Profile for the subdomain.