Creating a Quick Scan

A quick scan is a single, one-off scan with its own configuration. While configuring a quick scan, you choose properties such as its name, traffic type, target assets, and the attacks to run, and the scan executes with exactly the configuration you specify.

Creating a quick scan consists of the following steps:

  1. Select and specify basic details, such as scan name and traffic type for the scan.

  2. Select the assets on which you wish to run the scan.

  3. Select the vulnerability types you wish to check for as part of the scan.

  4. Select the method for running the scan.

Once you create a scan, Traceable also allows you to pause and resume it from the CLI. For the steps to do so, see Pause and Resume Scan.

To create a quick scan, select the Environment for which you wish to create the scan. Then, click Quick Scan from your environment-specific suite page, as shown below.

Quick Scan


Before you begin

Make a note of the following before creating a quick scan:

  • Make sure that you have an understanding of the available traffic types.


Step 1 — Provide Details

As part of step 1 of creating a quick scan, provide the following details:

Create Quick Scan

  • Name — Specify a name that will help you identify the scan. While Traceable specifies a name by default, you can modify the name according to your requirements.

  • Traffic Type — Choose a traffic type from XAST live, DAST, or XAST replay.

    • XAST replay — An XAST replay scan is executed against API traffic that Traceable has previously stored. This option is only available in environments that have replay enabled. For more information, see Environment Config.

    • DAST — You can run a DAST scan using an existing OpenAPI spec or by uploading a new one, and you can select one or more OpenAPI specs. You can also upload a Postman collection or use a GraphQL schema as the input for a DAST scan.

      Note

      DAST does not require the application to be instrumented. However, you must still choose an environment for the DAST scan, because Traceable creates a default service in that environment and lists the APIs from the spec under it. By default, the service is named traceable-oas-processor.

    • XAST live — Run the scan on live traffic.

  • Environment (Non-editable) — The environment in which Traceable executes the scan. Because quick scans are environment-specific, this field is preselected from the environment you chose in the Environment drop-down and cannot be changed here. For example, the screenshot above shows the HighTechApp environment.

  • Target Url (Optional) — Configure this option to test a specific domain, such as mydomain.com. For XAST live traffic this is optional, because AST targets the domain the live traffic is already going to. For DAST it is mandatory, because there is no observed traffic to derive the target from.


Step 2 — Choose Assets

As part of step 2, you must choose the assets on which you wish to run the scan. You can choose from:

Quick Scan Assets

  • All Endpoints

  • A set of Endpoints

  • Services

  • Endpoint Labels — Endpoints that carry a specific label, such as critical, sensitive, or external. For more information, see Label Management.

As shown in the screenshot above, the following optional configurations are also available:

Advanced configuration (Optional)

You can use regular expressions to narrow the scope of the scan. The include URL regex selects which incoming traffic Traceable includes in the scan; the exclude URL regex selects which incoming traffic Traceable leaves out. Use the exclude regex for endpoints that should never receive attack traffic, such as health checks or internal administrative paths, and anchor your patterns so they do not match more URLs than intended.

Authentication (Optional)

You can also choose the authentication type. For more information on different authentication types, see Authentication.
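The following is an added example, not code from the Traceable product or its documentation, that shows how an include regex and an exclude regex narrow a list of URLs and why unanchored patterns overmatch. The sample URLs are constructed for the example, and the matching semantics (unanchored search, include applied first, exclude always winning over include) are assumptions made here for illustration, not confirmed behaviour of the Traceable platform.

```python
import re

# Constructed sample of URLs a scan might observe; not data from Traceable.
SAMPLE_URLS = [
    "https://api.example.com/v1/users",
    "https://api.example.com/v1/users/42/orders",
    "https://api.example.com/v1/admin/users",
    "https://api.example.com/health",
    "https://api.example.com/internal/metrics",
    "https://static.example.com/assets/app.js",
]


def select_urls(urls, include_regex=None, exclude_regex=None):
    """Apply an include regex, then an exclude regex, to a list of URLs.

    Assumed semantics (an assumption of this example, not documented
    Traceable behaviour): each pattern is an unanchored search, a URL
    must match the include pattern when one is given, and a URL matching
    the exclude pattern is dropped even if it also matched the include.
    """
    inc = re.compile(include_regex) if include_regex else None
    exc = re.compile(exclude_regex) if exclude_regex else None
    selected = []
    for url in urls:
        if inc is not None and not inc.search(url):
            continue          # not in scope at all
        if exc is not None and exc.search(url):
            continue          # explicitly excluded; exclude wins
        selected.append(url)
    return selected


def scan_scope(include_regex=None, exclude_regex=None, urls=SAMPLE_URLS):
    """Convenience wrapper over the constructed sample set."""
    return select_urls(urls, include_regex, exclude_regex)


if __name__ == "__main__":
    # Unanchored include: "/v1/users" also matches the nested orders path.
    print(scan_scope(include_regex=r"/v1/users"))
    # Anchored include: only the exact users endpoint.
    print(scan_scope(include_regex=r"^https://api\.example\.com/v1/users$"))
    # Scope to v1 but keep admin endpoints out of the attack surface.
    print(scan_scope(include_regex=r"/v1/", exclude_regex=r"/admin/"))
    # No include: everything except health checks and internal paths.
    print(scan_scope(exclude_regex=r"/health$|/internal/"))
```

The first two calls are the point of the example: `/v1/users` silently pulls `/v1/users/42/orders` into scope, while anchoring the pattern with `^` and `$` restricts it to the single endpoint. Anchor on the scheme and host as well when the environment sees traffic for more than one domain, otherwise a static-asset host can end up in the scan.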


Step 3 — Vulnerability Types

As part of step 3, you must choose the attacks you want Traceable to execute on your selected assets. You can choose from:

Quick Scan Attacks

  • Policy — Select a policy you wish to execute on your assets.

  • Custom — Select all or specific attacks that you wish to test your assets on, from the list.


Step 4 — Run Scan

As part of step 4, you must choose how you want to run the scan. You can choose to run the scan using:

Quick Scan Run Details

  • Command from Terminal — You can run the scan from your system terminal. To do this, you need the following, both of which Traceable generates on this page:

    1. An API token (create a new one or reuse an existing token).

    2. The scan command to execute, available for either a Docker or a Linux install of the Traceable CLI.

  • The Platform — You can run the scan on the Traceable platform. For this, you must do either of the following:

    • Allow Traceable to select a runner automatically.

    • Select a runner according to your requirements.

    For more information, see Runners.


Pause and Resume Scan

Traceable allows you to pause and resume scans using the CLI. Follow the steps below to pause and resume a scan according to your requirements.

When you pause a scan, Traceable stops generating tests for that suite or scan. You can resume the scan at any time.

To pause a scan, complete the following steps in your CLI:

  1. Press Ctrl+C (or Command+C) to display the list of scan termination options.

  2. Type P and press Enter (or Return).

Traceable pauses the scan indefinitely, until you resume it.

Traceable can resume a scan if it is in either of the following states:

  • Paused

  • Aborted

To resume a scan, run the following command:

traceable ast scan resume --id <scan-id>

Note

The --id <scan-id> argument is optional. If you omit it, Traceable resumes the most recent scan.

Caveats

  • Resuming a scan does not generate new test suites or plugins; it only re-runs the plugins that were partially executed or not executed in the previous run.

  • As Traceable may re-run some tests from plugins that were partially executed, you may see an increase in the test count.

Note

Pause and Resume Scan is available in CLI version 1.10.20 and above. To check your current CLI version, run the traceable version command.