A Suite in Traceable defines what to scan, how to scan it, and under what conditions. By creating a Suite, you can organize and manage your security testing workflows efficiently, ensuring consistent coverage and easier maintenance across different environments and APIs. Traceable allows you to create a suite in either of the following ways:
From the Traceable platform
Using GraphQL APIs
This page highlights the steps to create a suite from the Traceable platform. If you wish to create suites using GraphQL APIs, see Configuring Suites using GraphQL API.
Creating a suite on the Traceable platform consists of the following 3 mandatory and 2 optional steps:
Choose a policy for the Suite and provide other details like the type of traffic.
Choose the assets (API endpoints) you wish to run the scan on.
Set up the schedule (optional) and a few other configurations.
Optionally, add an integration.
Optionally, start an ad-hoc scan.
To help you create efficient and optimized suites, Traceable provides some creation recommendations that you can use according to your requirements. For more information, see Suite Creation Recommendations.
Once you create a suite, Traceable also allows you to pause and resume scans from the CLI. For the steps to do so, see Pause and Resume Scan.
To create a new suite from the Traceable platform, select the Environment for which you wish to create a suite. Then, click Create Suite from your environment-specific suite page, as shown below.
Before you begin
Make a note of the following before creating a suite:
Make sure that you have an understanding of the available traffic types. For more information, see Traffic Types.
Step 1 — Provide details
As part of step 1 to create a Suite, provide the following details:
Name — Provide a name that will help you identify the Suite. The name should not have any spaces.
Policy — Select a policy from the drop-down list. A scan is related to an existing policy. Only when you run a Quick Scan do you not need a policy. For information on the steps to create a policy, see Policies. Further, for information on the attack and splitting recommendations while creating a policy, see Suite Creation Recommendations.
Note
As part of the suite, Traceable detects only the vulnerability types configured during policy creation.
For policies with a large number of attack selections, Traceable recommends dividing policies into multiple smaller policies. For more information, see Suite Creation Recommendations.
Traffic type — Choose a traffic type from XAST live, DAST, or XAST replay.
XAST replay — The XAST replay scan is executed using stored APIs. This is possible in environments with replay enabled. For more information on replay, see Environment Config.
DAST — You can run a DAST scan using the existing OpenAPI spec or upload a fresh OpenAPI spec. You can select one or more OpenAPI Specs. You can also upload a Postman collection or use a GraphQL schema to run a DAST scan. Traceable also provides the GraphQL public API that allows you to create a suite for GraphQL schemas. For more information, see Configuring Suites using the GraphQL public API.
Note
DAST does not require you to instrument an app; however, you must choose an environment for the DAST scan so that Traceable can create the default service and list the APIs under it. By default, the service name is traceable-oas-processor.
XAST live — Run the scan on live traffic.
Environment — The environment for which you want to run the AST scans. Since Suite is environment-specific, this is preselected based on the environment you selected from the Environment drop-down. For example, the HighTechApp environment is specified in the above screenshot so the suite would by default be created for the HighTechApp environment.
Target URL — Configure this option to test a specific domain, such as mydomain.com. This is optional if you are using live traffic because AST targets the domain to which the live traffic is going. It is mandatory if you have selected DAST.
Note
You can allow Traceable to fetch the Target URL from the document that you upload above for the DAST traffic type. While this feature is disabled by default, you can execute the --target-url-suite = false command in your CLI to enable it.
(Screenshot: Create Suite)
Step 2 — Choose assets
In step 2, choose the assets you wish to run the scan on. You can choose from:
All Endpoints
A set of Endpoints
Services
Endpoint Labels — All Endpoints are tagged with a specific label, such as critical, sensitive, external, etc.
Filter endpoints — You can create your filter to choose the endpoints you want to scan. For example, you can select all external APIs, APIs with the GET method, APIs with sensitive data, etc.
Note
For suites with a large number of assets, Traceable recommends dividing them into multiple smaller suites to ensure efficient testing. For more information, see Suite Creation Recommendations.
(Screenshot: Select Assets)
As shown in the above screenshot, the following are some optional configurations that you can use according to your requirements:
Incremental Scans (Optional)
Traceable allows incremental scans on your suite, meaning it only scans the endpoints not scanned in the previous suite run. These may be endpoints that were skipped for some reason, were added to the scan scope after the last run, or were discovered in the environment after the last run completed. This feature reduces the time required to rerun a scan on the suite. You can also run a full scan after a specific number of days. The following are some caveats associated with incremental scans:
Caveats
You may have changed the attack set against which the application is tested between the successive scans. In such a case, a complete scan is run.
Once an endpoint is scanned, its signature or other properties might change. For example, an endpoint that was previously unencrypted may now be encrypted. Such changes can affect how the endpoint was scanned in the past and how it will be scanned in the future. Therefore, whenever any such significant change occurs, the endpoint is re-scanned, regardless of whether it has been checked before or not.
Sometimes, the endpoint's signature might not change, but it could still become vulnerable for other reasons. To catch these problems, we recommend setting a short look-back window to ensure all endpoints are regularly re-scanned.
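The three caveats above amount to a small decision rule. The following is an added illustration of that rule over constructed sample data, not Traceable's implementation; the endpoint "signature" is assumed to be an opaque string that changes when a relevant property (such as encryption) changes, and the look-back window is assumed to be expressed in days:

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed model of the incremental-scan rules described above; an added
# illustration, not Traceable's implementation. Signatures are assumed opaque.
@dataclass(frozen=True)
class Endpoint:
    path: str
    signature: str
@dataclass
class PreviousRun:
    attack_set: frozenset
    scanned: dict  # path -> (signature, date of last scan)

def endpoints_to_scan(endpoints, prev, attack_set, today, lookback_days):
    """Select the endpoints an incremental run re-tests (see the caveats above)."""
    if prev is None or attack_set != prev.attack_set:
        return list(endpoints)  # caveat 1: attack set changed -> complete scan
    due = []
    for ep in endpoints:
        record = prev.scanned.get(ep.path)
        if record is None:
            due.append(ep)  # skipped, newly added or newly discovered endpoint
            continue
        old_sig, last_scanned = record
        if old_sig != ep.signature:
            due.append(ep)  # caveat 2: significant change -> re-scan
        elif today - last_scanned > timedelta(days=lookback_days):
            due.append(ep)  # caveat 3: look-back window expired -> re-scan
    return due

# Constructed sample state (not real data)
ATTACKS = frozenset({"sqli", "xss"})
TODAY = date(2024, 6, 10)
PREV = PreviousRun(ATTACKS, {
    "/login": ("sig-login-v1", date(2024, 6, 8)),
    "/orders": ("sig-orders-v1", date(2024, 5, 1)),
    "/profile": ("sig-profile-v1", date(2024, 6, 9)),
})
CURRENT = [
    Endpoint("/login", "sig-login-v2"),      # now encrypted: signature changed
    Endpoint("/orders", "sig-orders-v1"),    # unchanged, but older than 30 days
    Endpoint("/profile", "sig-profile-v1"),  # unchanged and recent: skipped
    Endpoint("/admin", "sig-admin-v1"),      # discovered after the last run
]

def incremental_paths():
    return [e.path for e in endpoints_to_scan(CURRENT, PREV, ATTACKS, TODAY, 30)]

def full_scan_paths():  # adding an attack to the set triggers the complete scan
    return [e.path for e in endpoints_to_scan(CURRENT, PREV, ATTACKS | {"ssrf"}, TODAY, 30)]
```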
Advanced configuration (Optional)
You can specify an include URL regex: Traceable includes in the scan only the incoming traffic whose URL matches it. Similarly, you can specify an exclude URL regex: Traceable excludes from the scan the incoming traffic whose URL matches it.
Include Traffic Matching Following Conditions (Optional)
You can specify conditions according to your requirements based on which Traceable filters the incoming traffic and runs scans on it. This is useful when you receive excessive traffic and want to run scans on its subset.
Note
You can filter traffic only for XAST live and XAST replay traffic types.
To include traffic according to certain conditions, you can click on Add Condition and:
Select the Location on which you want to apply the filter.
Select and specify the parameters under Attribute Key.
Select and specify the parameters under Attribute Value.
Similarly, you can add multiple conditions to filter traffic. However, the API traffic must fulfill all the conditions for Traceable to run scans on it.
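To make the filtering semantics concrete (include regex, then exclude regex, then every condition ANDed together), here is an added illustration over constructed sample traffic; it is not Traceable's filter, and the location names "header" and "query" are assumptions:

```python
import re
from dataclasses import dataclass, field

# Constructed model of the include/exclude regex and traffic conditions described
# above; an added illustration, not Traceable's filter. The location names
# "header" and "query" are assumptions.
@dataclass
class Request:
    url: str
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)

@dataclass
class Condition:
    location: str  # "header" or "query"
    key: str
    value: str

def in_scope(req, include_regex=None, exclude_regex=None, conditions=()):
    """True if the request would be handed to the scan.

    The include regex must match the URL (when set), the exclude regex must not,
    and every condition must hold: conditions are ANDed, as the text states.
    """
    if include_regex and not re.search(include_regex, req.url):
        return False
    if exclude_regex and re.search(exclude_regex, req.url):
        return False
    for c in conditions:
        bucket = req.headers if c.location == "header" else req.query
        if bucket.get(c.key) != c.value:
            return False
    return True

# Constructed sample traffic (not real data)
TRAFFIC = [
    Request("https://api.example.com/v1/orders", {"x-tenant": "acme"}, {"mode": "live"}),
    Request("https://api.example.com/v1/orders", {"x-tenant": "acme"}, {"mode": "test"}),
    Request("https://api.example.com/v1/orders", {"x-tenant": "other"}, {"mode": "live"}),
    Request("https://api.example.com/v1/health", {"x-tenant": "acme"}, {"mode": "live"}),
    Request("https://static.example.com/v1/orders", {"x-tenant": "acme"}, {"mode": "live"}),
]
CONDITIONS = [Condition("header", "x-tenant", "acme"), Condition("query", "mode", "live")]

def scoped_requests():
    """Index positions in TRAFFIC that pass the include regex, exclude regex and all conditions."""
    return [i for i, r in enumerate(TRAFFIC)
            if in_scope(r, r"^https://api\.", r"/health$", CONDITIONS)]
```

Only the first request survives: the second fails the query condition, the third fails the header condition, the fourth hits the exclude regex, and the fifth misses the include regex.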
Authentication (Optional)
You can also choose the authentication type. For more information on different authentication types, see Authentication.
Step 3 — Configurations
In step 3, add a schedule for your scan. Adding a schedule is optional. In addition to adding a schedule, you can configure the scan evaluation criteria and choose one from the following three default options. You can also create your custom criteria. The scan evaluation criteria decide on what criteria a scan would fail. This is based on the type of vulnerabilities found in the scan.
Fail on any
Fail on critical
Fail on high and above
You can also set other configurations, such as idle timeout, scan timeout, delay between requests in milliseconds, and test execution threads.
(Screenshot: Schedule Scan)
Step 4 — Integrations (Optional)
Step 4 is optional. You can currently integrate Snyk with the scans. For more information, see Snyk.
Step 5 — Start Scan (Optional)
Step 5 is optional. While Traceable executes the scan as per the schedule you set in Step 3 above, you can start an ad-hoc scan immediately, according to your requirements. To do so, complete the following steps:
Navigate to the Suites dashboard.
Search for and click the Suite you wish to start the scan for.
In the top right corner of the Suite Details page, click Start Scan.
In the Start New Scan window, choose how you want to run the scan. You can choose to run the scan using:
(Screenshot: Start Scan)
Command from Terminal — You can run the scans using your system terminal. To do this, you need the following:
A new API token, or an existing token.
Commands that you can execute in either a Docker or a Linux install.
The Platform — You can run the scan on the Traceable platform. For this, you must do either of the following:
Allow Traceable to select a runner automatically.
Select a runner according to your requirements.
For more information, see Runners.
This scan is executed ad-hoc and is listed in the Scans tab. For more information, see Suite Details.
Pause and Resume Scan
Traceable allows you to pause and resume scans using the CLI. Perform the steps in the tabs below to pause and resume the scan according to your requirements.
When you pause a scan, Traceable stops test generation for the suite or scan. You can always resume the scan according to your requirements.
To pause a scan, complete the following steps in your CLI:
Press Ctrl+C or Command+C to get a list of scan termination options.
Type P and press Enter or Return.
Traceable pauses the scan indefinitely, until you resume it.
Traceable can resume a scan if it is in either of the following states:
Paused
Aborted
To resume a scan, you must run the following command:
Note
The <scan-id> field in the below command is optional. If you skip this field, Traceable automatically selects the ID from the last scan.
traceable ast scan resume --id <scan-id>
Caveats
Resuming a scan does not generate new test suites or plugins; it only re-runs the plugins that were partially executed or not executed in the previous run.
As Traceable may re-run some tests from plugins that were partially executed, you may see an increase in the test count.
Note
Pause and Resume scan is available for CLI version 1.10.20 and above. To check the current CLI version, you can use the traceable version command.