The Quick Scan Details page gives a complete view of the results from a quick API security scan. It includes detailed insights across multiple tabs such as Vulnerabilities, scan history, test coverage, logs, and newly discovered issues. This view helps you analyze findings, review test behavior, and fine-tune detection logic to improve the effectiveness of your API scans.
The following information is shown for each quick scan.
When you click on a quick scan, Traceable displays the vulnerabilities found in its scans, broken down by severity and by vulnerability type. You can click on a vulnerability to see the API endpoints containing that vulnerability. You can also click on each API endpoint to see the evidence for it, and any assertions and mutations used to detect that vulnerability. On this evidence page, you can edit the Assertions and Mutations from their respective tabs to tailor vulnerability detection to your requirements. For more information, see Mutation and Assertion Overrides.
Auto-resolution of vulnerabilities
Traceable, by default, auto-resolves vulnerabilities in the following scenarios:
Traceable has not detected the issue in the 60 days since its last occurrence.
Traceable does not detect the vulnerability in the 15 scans following its last observation.
While the above are default durations, you can contact Traceable support to modify them according to your requirements.

Vulnerabilities Tab
The Scans tab lists all the scans that have run or are queued for the Quick Scan. You can click on any scan to view more information about it. The Scans tab shows the following information for each scan:

Scans Tab
Overview — Provides various details about the scan, such as the environment scanned, the number of APIs scanned, and the traffic type.
API coverage — The API Coverage tab provides information under the following categories:
APIs scanned — This tab lists all the APIs scanned, the vulnerabilities found in each scanned API, the number of tests generated and executed for each API, and other high-level information about each API.
APIs not scanned — This tab provides information about the APIs that were not scanned and the reason for them not being checked.
API reachability — This tab lists all the APIs that are reachable, not reachable, or return an error.
Tests — This tab lists all the tests run across all the APIs and the vulnerabilities found across them. You can filter these results by API endpoint to see all the tests run on an API, or by a specific vulnerability to see which APIs contain it.
Note
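Tests may have the Response Code as 0 in scenarios where the connection did not succeed or the request timed out. In such scenarios, Traceable also sets the Status as Not Vulnerable. A Not Vulnerable status with Response Code 0 therefore reflects a test that received no response, not a confirmed negative result.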
Logs — This tab lists the scan logs. You can download the log for further analysis. You can also choose how much of the log to display, for example, the first 500 lines or the last 500 lines.
While the above details are present for each scan, traces are not shown in the following scenarios:
APIs not instrumented — If a scan is run against APIs not instrumented by any of Traceable’s tracing agents, then traces are not found for the scan results. This mostly occurs in DAST scans run using specifications like OpenAPI Spec, Postman Collection, or GraphQL Schema. However, if the DAST scan internally uses replay data, then traces are found.
APIs are instrumented but devoid of live traffic — If the API under test is instrumented but has not seen any live traffic with an error-free response code, then Traceable does not show that API in the API Catalog. When scans are run against such APIs, and if the AST attack test request receives only error response codes, Traceable does not register these APIs. This is because the API Catalog only registers an API upon seeing an error-free response code. Therefore, traces are not found in such APIs.
Error in generating or sending request — If Traceable CLI encounters an error while creating an attack request or fails to send it for some reason, the test results in an error, and traces are not found for that API.
Passive and TLS tests — AST has passive plugins that do not send any attack request to the APIs under test but check the original request for any vulnerabilities. Similarly, TLS tests run against the host or domain, not the API. In both scenarios, traces are not found.
Tests older than one week — Traceable, by default, has a one-week trace retention period. So, if the test is older than a week, traces are not found for it.
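The note under the Tests tab says a test whose connection failed or timed out shows Response Code 0 with Status Not Vulnerable. The following added example (not Traceable code) separates those results from tests that actually received a response and gives a per-API verdict; the record fields `api`, `test`, `response_code` and `status`, the test names and the sample rows are assumptions made for illustration, not Traceable's export format.

```python
from collections import defaultdict

# Constructed sample rows; field names are assumptions, not Traceable's schema.
SAMPLE_RESULTS = [
    {"api": "GET /orders/{id}", "test": "bola", "response_code": 200, "status": "Vulnerable"},
    {"api": "GET /orders/{id}", "test": "sqli", "response_code": 0, "status": "Not Vulnerable"},
    {"api": "POST /login", "test": "sqli", "response_code": 401, "status": "Not Vulnerable"},
    {"api": "POST /login", "test": "xss", "response_code": 403, "status": "Not Vulnerable"},
    {"api": "GET /internal/health", "test": "ssrf", "response_code": 0, "status": "Not Vulnerable"},
    {"api": "GET /internal/health", "test": "sqli", "response_code": 0, "status": "Not Vulnerable"},
    {"api": "PUT /profile", "test": "xss", "response_code": 200, "status": "Not Vulnerable"},
    {"api": "PUT /profile", "test": "bola", "response_code": 0, "status": "Not Vulnerable"},
]


def is_inconclusive(row):
    """Response Code 0 means no response came back, so the verdict proves nothing."""
    return int(row["response_code"]) == 0 and row["status"] == "Not Vulnerable"


def triage(rows):
    """Return {api: {"verdict", "answered", "unanswered", "retest"}}."""
    per_api = defaultdict(lambda: {"answered": 0, "unanswered": 0, "vulnerable": 0, "retest": []})
    for row in rows:
        entry = per_api[row["api"]]
        if is_inconclusive(row):
            entry["unanswered"] += 1
            entry["retest"].append(row["test"])
        else:
            entry["answered"] += 1
            if row["status"] == "Vulnerable":
                entry["vulnerable"] += 1

    report = {}
    for api, e in per_api.items():
        if e["vulnerable"]:
            verdict = "vulnerable"
        elif e["answered"] == 0:
            verdict = "unverified"      # every test got Response Code 0
        elif e["unanswered"]:
            verdict = "partial"         # no findings, but some tests got no response
        else:
            verdict = "clean"
        report[api] = {"verdict": verdict, "answered": e["answered"],
                       "unanswered": e["unanswered"], "retest": sorted(e["retest"])}
    return report


if __name__ == "__main__":
    for api, info in triage(SAMPLE_RESULTS).items():
        print(f"{info['verdict']:<11} {api:<22} retest={info['retest']}")
```

APIs reported as `unverified` or `partial` are candidates for the API reachability tab and a re-run before their Not Vulnerable results are relied on.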