Dynamic Scanning (DAST)
Use the REST API to query dynamic application security testing (DAST) metrics
Table of Contents
Introduction
The DAST API provides a RESTful interface for managing dynamic application security testing scans and querying their results. It offers endpoints to start scans, retrieve findings, manage asset inventory, and perform attack surface scanning.
Base URL
All API endpoints are accessed through the base URL: https://api.<YOUR-TENANT-NAME>.nullify.ai
Replace <YOUR-TENANT-NAME> with your organization's tenant name. For example, if your tenant name is "acme", the base URL would be https://api.acme.nullify.ai.
Get DAST Scans
This endpoint returns the list of all DAST scans that have been run.
Returns the list of all the DAST scans that have been run
The Azure organization ID
The Github owner ID
The GitLab group ID
The Nullify installation ID
GET /dast/scans HTTP/1.1
Host: api.<YOUR-TENANT>.nullify.com
Accept: */*
{
"scans": [
{
"appName": "text",
"endTime": "2025-07-12T08:38:58.968Z",
"host": "text",
"id": "text",
"isExternal": true,
"progress": 1,
"startTime": "2025-07-12T08:38:58.968Z",
"status": "text",
"taskId": "text",
"tenantId": "text"
}
]
}curl -L \
-H "Accept: application/json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
https://api.<YOUR-TENANT-NAME>.nullify.ai/dast/scans?githubOwnerId=1234Start DAST Scan
This endpoint starts a new DAST scan against a given API.
Starts are new DAST scan against a given API
The Azure organization ID
The Github owner ID
The GitLab group ID
The Nullify installation ID
POST /dast/scans HTTP/1.1
Host: api.<YOUR-TENANT>.nullify.com
Content-Type: application/json
Accept: */*
Content-Length: 196
{
"appName": "text",
"authConfig": {
"headers": {
"ANY_ADDITIONAL_PROPERTY": "text"
}
},
"azureRepository": "text",
"githubRepository": "text",
"host": "text",
"openAPISpec": {
"ANY_ADDITIONAL_PROPERTY": "anything"
}
}{
"scanId": "text"
}curl -X POST \
-H "Accept: application/json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "Content-Type: application/json" \
-d '{"appName": "test-app", "host": "api.example.com", "authConfig": {"headers": {}}}' \
https://api.<YOUR-TENANT-NAME>.nullify.ai/dast/scans?githubOwnerId=1234Get DAST Scan
This endpoint returns details of a specific DAST scan.
Returns the list of all the DAST scans that have been run
The Azure organization ID
The Github owner ID
The GitLab group ID
The Nullify installation ID
GET /dast/scans/{scanId} HTTP/1.1
Host: api.<YOUR-TENANT>.nullify.com
Accept: */*
{
"scan": {
"appName": "text",
"endTime": "2025-07-12T08:38:58.968Z",
"host": "text",
"id": "text",
"isExternal": true,
"progress": 1,
"startTime": "2025-07-12T08:38:58.968Z",
"status": "text",
"taskId": "text",
"tenantId": "text"
}
}curl -L \
-H "Accept: application/json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
https://api.<YOUR-TENANT-NAME>.nullify.ai/dast/scans/01J6EEXK3NKYKWW9XTPQYAF41N?githubOwnerId=1234Get DAST Findings
This endpoint returns the list of all DAST findings from a specific scan.
Returns the list of all the DAST findings from a scan
The Azure organization ID
The Github owner ID
The GitLab group ID
The Nullify installation ID
GET /dast/scans/{scanId}/findings HTTP/1.1
Host: api.<YOUR-TENANT>.nullify.com
Accept: */*
{
"findings": [
{
"appType": "text",
"cwe": "text",
"id": "text",
"rest": {
"appName": "text",
"errorDescription": "text",
"errorType": "text",
"host": "text",
"httpVersion": "text",
"method": "text",
"path": "text",
"previousResponse": "text",
"queryParameters": {
"ANY_ADDITIONAL_PROPERTY": "text"
},
"requestBody": "text",
"requestHeader": {
"ANY_ADDITIONAL_PROPERTY": "text"
},
"responseBody": "text",
"responseHeader": {
"ANY_ADDITIONAL_PROPERTY": "text"
},
"uri": "text",
"vulnerableParameterName": "text",
"vulnerableParameterValue": "text"
},
"scanner": "text",
"severity": "text",
"solution": "text",
"title": "text"
}
]
}curl -L \
-H "Accept: application/json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
https://api.<YOUR-TENANT-NAME>.nullify.ai/dast/scans/01J6EEXK3NKYKWW9XTPQYAF41N/findings?githubOwnerId=1234Stop DAST Scan
This endpoint requests to stop a running DAST scan.
Request to stop a dast scan
The Azure organization ID
The Github owner ID
The GitLab group ID
The Nullify installation ID
POST /dast/scans/{scanId}/stop HTTP/1.1
Host: api.<YOUR-TENANT>.nullify.com
Accept: */*
{
"scan": {
"appName": "text",
"endTime": "2025-07-12T08:38:58.968Z",
"host": "text",
"id": "text",
"isExternal": true,
"progress": 1,
"startTime": "2025-07-12T08:38:58.968Z",
"status": "text",
"taskId": "text",
"tenantId": "text"
}
}curl -X POST \
-H "Accept: application/json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
https://api.<YOUR-TENANT-NAME>.nullify.ai/dast/scans/01J6EEXK3NKYKWW9XTPQYAF41N/stop?githubOwnerId=1234Asset Inventory Endpoints
The API provides endpoints to manage your asset inventory:
GET
/dast/inventory/endpoints- List all HTTP endpointsPOST
/dast/inventory/endpoints- Register new API endpointsGET
/dast/inventory/hosts- List all hostsPOST
/dast/inventory/hosts- Register new hosts
Last updated
Was this helpful?