Using the toolkit CLI to scan your catalogs and spaces
How to use the IBM® API Connect toolkit CLI to run governance validation scans on your catalogs and spaces.
About
API governance is an API Connect service that can be used to validate and enforce organizational governance policies and best practices to your API development process. The following information provides details of the toolkit CLI commands for running and managing validation scans on your catalogs and spaces. For more information about validation scanning, see Scanning your catalogs and spaces.
The following sections detail how to run validation scan commands by using the toolkit CLI.
Logging in to the toolkit CLI
- Log in to the toolkit as the owner or an admin of your provider organization.For example:
apic login --server platform_api_host_name --username user_id --password password --realm provider/identity_provider
You can determine which identity provider to use in the--realm
parameter by entering the following command to see a list of all available identity providers (you do not need to be logged in to use this command):
For example,apic identity-providers:list --scope provider --server platform_api_host_name --fields title,realm
Theapic identity-providers:list --scope provider --server platform_api_host_name --fields title,realm total_results: 2 results: - title: API Manager User Registry realm: provider/default-idp-2 - title: Corporate LDAP user registry realm: provider/corporate-ldap
title
value should enable you to determine which identity provider to use; you can then copy the corresponding--realm
parameter directly from the displayedrealm
value. For any identity providers that were created by your administrator after API Connect was installed, the names will have been determined at creation time. The default API Manager Local User Registry for login as a member of a provider organization isdefault-idp-2
.For full details of the
apic login
command, see Logging in to a management server.
Running compliance:scan commands
- Create a JSON COMPLIANCE_REQUEST_FILE that specifies the location of the
catalog or space and the rulesets to use during a validation scan.For example:
Where:{ "collectionUrl": "https://server/api/catalogs/org/catalog", "config": { "rulesets": [ { "rulesetName": "spectral-oas", "disabled": ["info-contact"] }, { "rulesetName": "spectral-owasp", "disabled": [] } ] } }
collectionUrl
is the URL of the catalog or space that contains the API documents that you want to run a validation scan on, whereserver
is the server URL,org
is the name or ID of the provider organization, andcatalog
is the name or ID of the catalog or space. For examplehttps://localhost:3003/api/catalogs/alpha/sandbox
.rulesets
contains a list of the rulesets to be applied to the APIs during the validation scan.For each ruleset in the list, you can optionally add the
disabled
property with a comma-delimited list of rules to ignore during validation.
- Run a validation scan by using the compliance:scan command.
Where:apic --mode governance compliance:scan --scope org --org <target_org> --server <platform_api_host_name> COMPLIANCE_REQUEST_FILE
scope
is the scope of the scan, and must be set toorg
for a catalog or space validation scan.<target_org>
is the name of the provider organization that contains the catalog or space that you want to scan.<platform_api_host_name>
is the hostname portion URL of server that hosts the API Manager (the "management server").Tip: To determine the hostname, you can open the API Manager in a browser and copy the hostname from the URL in the address bar (beginning afterhttps://
and ending before/manager
).COMPLIANCE_REQUEST_FILE
is the path and filename of the JSON file that contains the configuration details for the validation scan. For example, ./documents/validate-apis.json.
To run a scan on your products, you must add the optional parameter ofThe results of the scan are printed to the screen.--scan_type
with a value ofproduct
to the command. For example:
You can use the valueapic --mode governance compliance:scan --scope org --org my_org --server my_platform_api_host_name ./documents/validate-products.json --scan_type product
api
to scan only APIs, orproduct
to scan only products. If omitted, only APIs are scanned.The following optional parameter enables you to refine the results of this command.--scantitle scan_title
is an optional flag that changes the retrieved scan's title to the value that you provide.
apic --mode governance compliance:scan --scope org --org my_org --server my_platform_api_host_name ./documents/validate-apis.json --scantitle scan1
- Rerun an existing validation scan by using the compliance:rescan command.A scan rerun creates a new report for that scan, but uses the same configuration of catalog or space and rulesets that was used in the previous scan.
Where:apic --mode governance compliance:rescan --scope org --org <target_org> --server <platform_api_host_name> --scan <scan_name_or_scan_id>
scope
is the scope of the scan, and must be set toorg
for a catalog or space validation scan.<target_org>
is the name of the provider organization that contains the catalog or space that you want to rescan.<platform_api_host_name>
is the hostname portion URL of server that hosts the API Manager (the "management server").Tip: To determine the hostname, you can open the API Manager in a browser and copy the hostname from the URL in the address bar (beginning afterhttps://
and ending before/manager
).scan_name_or_scan_id
is the name or ID of the existing scan that you want to run again.
The following optional parameter enables you to refine the results of this command.--scantitle scan_title
is an optional flag that changes the title of the rescan to the value you provide.
apic --mode governance compliance:rescan --scope org --org my_org --server my_platform_api_host_name ./documents/validate-apis.json --scantitle scan2
Running scans commands
- List all validation scans that exist for a specific provider organization by using the
scans:list command.
The return includes information about all of the validation scans, and some information about their scan reports, but if you want more detailed information about the reports, use the scan-reports:list command.
Where:apic --mode governance scans:list --scope org --org <target_org> --server <platform_api_host_name>
scope
is the scope of the scan, and must be set toorg
for a catalog or space validation scan.<target_org>
is the name of the provider organization that you want a list of scans for.<platform_api_host_name>
is the hostname portion URL of server that hosts the API Manager (the "management server").Tip: To determine the hostname, you can open the API Manager in a browser and copy the hostname from the URL in the address bar (beginning afterhttps://
and ending before/manager
).
The following example shows the sample output for a list containing two scans, one of APIs, and one of products:The following optional parameters enable you to refine the results of this command.
Wheretotal_results: 2 results: - type: 'scan' scan_type: '1' api_version: '2.0.0' id: 'cd765034-d46b-4b1b-9c74-b63911f42773' name: 'cd765034-d46b-4b1b-9c74-b63911f42773' title: 'API Scan' scope: 'org' collection: id: 'b6deefe8-6cd5-4bcb-b7b4-116891bc6019' name: 'cat1' type: 'catalog' title: 'cat1' location: 'https://test.ibm.com/api/catalogs/6d3d9ffa-37e3-4da7-be6b-a1c34b41/cat1' config: - id: 'cf16505a-ae70-438b-be10-bcc7678d1eee' url: 'https://test.ibm.com/governance/orgs/6d3d9ffa-37e3-4da7-be6b-a1c34b41/rulesets/cf16505a-ae70-438b-be10-bcc7678d1eee' name: 'spectral-async' title: 'spectral-async' version: '1.15.0' disabled: [] - id: '01562ee7-9a50-4dae-b356-9f50ccb6' url: 'https://test.ibm.com/governance/orgs/6d3d9ffa-37e3-4da7-be6b-a1c34b41/rulesets/01562ee7-9a50-4dae-b356-9f50ccb6' name: 'spectral-oas' title: 'spectral-oas' version: '1.15.0' disabled: [] documents: - id: '29b04204-8cce-47ab-baac-365ab09f' name: 'accountservice' title: 'AccountService' version: '1.0.0' document: 'https://test.ibm.com/api/catalogs/6d3d9ffa-37e3-4da7-be6b-a1c34b41476f/04d6a185-2c6d-41fd-91e6-d7e83a854745/apis/29b04204-8cce-47ab-baac-365ab09f' - id: '964f1df0-dd0b-4671-afee-e70af020' name: 'awsecommerceservice' title: 'AWSECommerceService' version: '1.0.0' document: 'https://test.ibm.com/api/catalogs/6d3d9ffa-37e3-4da7-be6b-a1c34b41476f/04d6a185-2c6d-41fd-91e6-d7e83a854745/apis/964f1df0-dd0b-4671-afee-e70af020' progress: 100 reports: created_at: '2024-03-27T10:57:09.921Z' report_url: 'https://test.ibm.com/governance/orgs/6d3d9ffa-37e3-4da7-be6b-a1c34b41476f/scan-reports/cfd0eac3-cff1-4d66-9057-30426970' scan_result: hints: '0' infos: '20' errors: '1396' warnings: '24212' scan_result: '1396 Errors, 24212 Warnings, 20 Infos, 0 Hints, 6 Rulesets' status: 1 created_at: '2024-03-27T10:55:45.000Z' updated_at: '2024-03-27T10:57:12.000Z' url: 'https://test.ibm.com/governance/orgs/6d3d9ffa-37e3-4da7-be6b-a1c34b41476f/scans/0e84ce18-45ea-4a28-ab68-4da0c492' - type: 'scan' scan_type: '2' api_version: '2.0.0' id: 'ddc5da81-0db0-425c-b74c-5fc8300934e6' name: 'ddc5da81-0db0-425c-b74c-5fc8300934e6' title: 'Product Scan' scope: 'org' collection: id: 'b6deefe8-6cd5-4bcb-b7b4-116891bc6019' name: 'cat2' type: 'catalog' title: 'cat2' location: 'https://test.ibm.com/api/catalogs/6d3d9ffa-37e3-4da7-be6b-a1c34b41476f/cat2' config: - id: '8e67e57b-a7f6-4c5e-b341-ab0a960d78fd' url: 'https://test.ibm.com/governance/orgs/6d3d9ffa-37e3-4da7-be6b-a1c34b41476f/rulesets/8e67e57b-a7f6-4c5e-b341-ab0a960d78fd' name: 'Product Ruleset' title: 'Product Ruleset' version: '1.0.0' disabled: [] documents: - id: 'c6c66be4-bd1e-4fe1-85d5-45fd8a4bd3d0' name: 'First Product Document' title: 'First Product Document' version: '1.0.0' document: 'https://test.ibm.com/api/catalogs/6d3d9ffa-37e3-4da7-be6b-a1c34b41476f/b6deefe8-6cd5-4bcb-b7b4-116891bc6019/products/c6c66be4-bd1e-4fe1-85d5-45fd8a4bd3d0' - id: '11266894-524a-410d-babf-ca2488736e40' name: 'Second Product Document' title: 'Second Product Document' version: '1.0.0' document: 'https://test.ibm.com/api/catalogs/6d3d9ffa-37e3-4da7-be6b-a1c34b41476f/b6deefe8-6cd5-4bcb-b7b4-116891bc6019/products/11266894-524a-410d-babf-ca2488736e40' - id: '3b18fd12-c1ea-4faf-9e44-7b9158b437ca' name: 'Third Product Document' title: 'Third Product Document' version: '1.0.0' document: 'https://test.ibm.com/api/catalogs/6d3d9ffa-37e3-4da7-be6b-a1c34b41476f/b6deefe8-6cd5-4bcb-b7b4-116891bc6019/products/3b18fd12-c1ea-4faf-9e44-7b9158b437ca' - id: '1089516f-d7bf-4850-b7e0-7a6ca18c4383' name: 'Fourth Product Document' title: 'Fourth Product Document' version: '1.0.0' document: 'https://test.ibm.com/api/catalogs/6d3d9ffa-37e3-4da7-be6b-a1c34b41476f/b6deefe8-6cd5-4bcb-b7b4-116891bc6019/products/1089516f-d7bf-4850-b7e0-7a6ca18c4383' progress: 100 reports: - created_at: '2024-09-05T09:24:39.784Z' report_url: 'https://test.ibm.com/governance/orgs/6d3d9ffa-37e3-4da7-be6b-a1c34b41476f/scan-reports/ae166497-b64f-47e7-a23c-5e75d19adbde' scan_result: hints: '0' infos: '0' errors: '2' warnings: '0' - created_at: '2024-09-05T09:24:17.561Z' report_url: 'https://test.ibm.com/governance/orgs/6d3d9ffa-37e3-4da7-be6b-a1c34b41476f/scan-reports/2d86ca39-56ee-4e2f-adb8-b5b1e5e294a0' scan_result: hints: '0' infos: '0' errors: '2' warnings: '0' scan_result: '2 Errors, 0 Warnings, 0 Infos, 0 Hints, 1 Rulesets' status: 1 created_at: '2024-09-05T09:24:08.000Z' updated_at: '2024-09-05T09:24:39.000Z' url: 'https://test.ibm.com/governance/orgs/6d3d9ffa-37e3-4da7-be6b-a1c34b41476f/scans/ddc5da81-0db0-425c-b74c-5fc8300934e6'
scan_type: '1'
refers to an API scan, andscan_type: '2'
refers to a product scan.--status status_number
is a comma separated list of status codes to filter the list of scans by.Table 1. Table of valid status codes Code Status 0
Queued 1
Complete 2
In progress -1
Error --type catalog_or_space
lists the scans that are of the typecatalog
orspace
.--scan_type api_or_product
is an optional flag to specifically list the scans of only APIs or only products. Use the valueapi
to list only API scans, orproduct
to list only product scans. If omitted, both API and product type scans are listed.--collections list_of_collections
is a comma separated list of catalog or space IDs or names to filter the list of scans by.--limit number_of_results
specifies how many scan results to return.--fields list_of_fields
is a comma separated list of field names to return. Note that no spaces are allowed after a comma, and if you want to return only one field you must omit the comma. For example, running the following command:
Returns the data in the following way:apic --mode governance scans:list --scope org --org <target_org> --server <platform_api_host_name> --fields id,title
total_results: 2 results: - id: 'e0b8afbd-e5fa-486e-8800-343e1e31faf1' title: 'e0b8afbd-e5fa-486e-8800-343e1e31faf2' - id: '436d9db5-ea45-4d91-96c4-cef5957a2c34' title: '436d9db5-ea45-4d91-96c4-cef5957a2c34'
apic --mode governance scans:list --scope org --org demo -s test.ibm.com --collections cat1 --type catalog --status 1
- Get a specific scan using the scans:get command:
Where:apic --mode governance scans:get --scope org --org <target_org> --server <platform_api_host_name> SCAN
scope
is the scope of the scan, and must be set toorg
for a catalog or space validation scan.<target_org>
is the name of the provider organization that contains the scan that you want to get.<platform_api_host_name>
is the hostname portion URL of server that hosts the API Manager (the "management server").Tip: To determine the hostname, you can open the API Manager in a browser and copy the hostname from the URL in the address bar (beginning afterhttps://
and ending before/manager
).SCAN
is the ID or name of the scan that you want to retrieve.
- Update the scan
title
andsummary
properties by creating a SCAN_FILE with the information to be updated, and running thescans:update
command.
Where:apic --mode governance scans:update --scope org --org <target_org> --server <platform_api_host_name> SCAN SCAN_FILE
scope
is the scope of the scan, and must be set toorg
for a catalog or space validation scan.<target_org>
is the name of the provider organization that contains the scan that you want to update.<platform_api_host_name>
is the hostname portion URL of server that hosts the API Manager (the "management server").Tip: To determine the hostname, you can open the API Manager in a browser and copy the hostname from the URL in the address bar (beginning afterhttps://
and ending before/manager
).SCAN
is the ID or name of the scan that you want to update.SCAN_FILE
is the path to a JSON file that contains the properties to be updated.
SCAN_FILE
can contain the following properties:{ "title": "<updated_title>", "summary": "<updated_summary>" }
- Delete a scan by using the scans:delete command. This command deletes the
specified scan and all of its
reports.
Whereapic --mode governance scans:delete --scope org --org <target_org> --server <platform_api_host_name> SCAN
SCAN
is the ID or name of the scan that you want to update. - Delete all of the scans for a particular provider organization by using the
scans:clear command. This command clears all of the scans and all of their
reports for the specified
organization.
Whereapic --mode governance scans:clear --scope org --org <target_org> --server <platform_api_host_name> --confirm organisation_confirmed
organisation_confirmed
is the name of the provider organization again, to confirm that you want to clear all of the scans from this organization.
Running scan-reports commands
- List all of the scan reports for a particular provider organization by using the
scan-reports:list
command.
The following optional parameters enable you to refine the results of this command.apic --mode governance scan-reports:list --scope org --org <target_org> --server <platform_api_host_name>
--fields list_of_fields
is a comma separated list of field names to return. Note that no spaces are allowed after a comma, and if you want to return only one field you must omit the comma. For example, running the following command:
Returns the data in the following way:apic --mode governance scan-reports:list --scope org --org <target_org> --server <platform_api_host_name> --fields id,title
total_results: 2 results: - id: '3e3189a3-6359-4113-9cf9-9bde9f303884' title: '3e3189a3-6359-4113-9cf9-9bde9f303882' - id: '58a975cf-a503-4297-9450-237db102cb24' title: '58a975cf-a503-4297-9450-237db102cb24'
--limit number_of_results
specifies how many scan report results to return.
- Get a specific scan report by using the scans:get
command.
Whereapic --mode governance scan-reports:get --scope org --org <target_org> --server <platform_api_host_name> SCAN_REPORT
SCAN_REPORT
is the ID or name of the scan report.The scan report results are downloaded to the directory where the command was run.
- Update the scan report
summary
property by creating a SCAN_REPORT_FILE with the information to be updated, and running thescan-reports:update
command.
Where:apic --mode governance scan-reports:update --scope org --org <target_org> --server <platform_api_host_name> SCAN_REPORT SCAN_REPORT_FILE
SCAN_REPORT
is the ID or name of the scan report that you want to update.SCAN_REPORT_FILE
is the path to a JSON file that contains the properties to be updated.
SCAN_REPORT_FILE
can contain the following properties:{ "summary": "updated_summary" }
- Delete a scan report by using the scan-reports:delete command. This command
deletes the specified scan report, and removes the reference to it from the scan. Note that you
cannot delete the last report in a scan. If you want to delete all of the reports of a scan, you
must delete the scan itself by using the scans:delete
command.
Whereapic --mode governance scan-reports:delete --scope org --org <target_org> --server <platform_api_host_name> SCAN_REPORT
SCAN_REPORT
is the ID or name of the scan report that you want to delete.