Creating a Collection

Before you can start an API Scan in ZeroThreat, you first need to create a Collection.

A Collection represents the source of your API endpoints and acts as the starting point for both unauthenticated and authenticated API scans. You can use it to scan public (unauthenticated) APIs right away, or later configure authentication for APIs that require it.

Here’s how you can create a collection in ZeroThreat.

Step 1: Create an API Target

First, you need to create a Target that defines the base URL of your API and sets the scan type.

  1. Go to the Targets section in ZeroThreat and click “Add Target.”

  2. Enter the Base URL of your API (e.g., https://api.example.com).

  3. Under Scan Type, select API Scan and choose your preferred Scanning Server.

  4. Click “Save” to add the target.

Step 2: Add an API Collection to Your Target

Once your target is set up:

  1. From the ZeroThreat dashboard, select the API target you just created.

  2. Click on Create New Collection () button. This opens the Configure API Collection drawer, where you’ll choose your API Collection source method.

Step 3: Select Your API Source Type

ZeroThreat offers many options for importing your API collection:

Source Type          Description
Swagger File / URL   Upload a Swagger file or provide a public Swagger URL.
OpenAPI File         Upload an OpenAPI (OAS) YAML or JSON file.
Postman API          Import directly from a Postman collection.
HAR File             Upload a HAR (HTTP Archive) file from captured API traffic.
RAML                 Upload RAML definitions to import resources and request details for API scan.
WADL                 Upload WADL service descriptions to import endpoints/operations for API scan.

In this example, let’s choose the Swagger Source method:

  • Enter a short and meaningful name for your Collection, within 6 characters. Use a simple identifier such as SWG-01, COL-01, or API-01 to help you recognize it later.

  • Upload your Swagger file or enter the Swagger URL path (e.g., /api/v1/swagger.json) and click Fetch Collection. (Note: Enter the path alone, not the full URL.)

  • ZeroThreat will automatically parse all the API endpoints from the file or the URL.

Cloud API Collection

In addition to uploading files or providing URLs, ZeroThreat supports creating Collections directly from your cloud API management platforms. This is useful if your APIs are already published and versioned in cloud-native services.

ZeroThreat supports five cloud integrations. Each method lets you authenticate against your cloud provider, fetch available APIs, and import them directly into ZeroThreat for scanning. Below are the steps to fetch API collection from each of them.

1. Azure API Management (APIM)

If your APIs are managed in Azure API Management (APIM), you can directly import them into ZeroThreat as a Collection for scanning.

Steps to Import API collection from Azure APIM

  1. Log in to Azure: Make sure you are logged into your Azure Portal. From the Configure API Collection drawer in ZeroThreat, select Azure APIM as your collection source.

  2. Provide Collection Details

    • Enter a meaningful Collection Name.

    • Select your Azure Configuration (the APIM connection previously authorized in ZeroThreat).

  3. Select Subscription, Resource Group, and API

    • Choose the Azure Subscription that contains your APIM resources.

    • Pick the Resource Group associated with those resources.

    • Select the APIM Service instance (e.g., zt-api-management-v1).

    • Finally, choose the API (and revision, if applicable) you want to import.

    • Click Next () to continue.

ZeroThreat will automatically import the chosen APIs into the Collection. You can optionally enable the Auto-fetch option, which refreshes the API definition for any changes daily at 12:00 AM UTC.

2. MuleSoft

If your APIs are managed in MuleSoft Anypoint Platform, you can connect ZeroThreat to your MuleSoft account and import APIs directly as a Collection for scanning.

Steps to Import API Collection from MuleSoft

  1. Select MuleSoft as Source: From the Configure API Collection drawer, choose MuleSoft as your collection source.

  2. Set Up Integration

    • Enter a Connection Name.

    • Provide your Client ID and Client Secret from your MuleSoft Anypoint account.

    • ZeroThreat will validate the credentials before proceeding.

  3. Fetch APIs

    • Once validated, ZeroThreat fetches your available organizations and API assets.

    • Choose the Connection (newly created or previously saved).

    • Select your Organization, then choose the API asset you want to import.

    • Click Next () to continue.

Your MuleSoft APIs will be added as a Collection in ZeroThreat. You can optionally enable the Auto-fetch option, which refreshes the API definition daily at 12:00 AM UTC to fetch any changes in Anypoint collection.

3. SwaggerHub (Cloud Swagger)

If you use SwaggerHub for API design and versioning, you can connect your SwaggerHub account to ZeroThreat via an API key and import an API collection directly into ZeroThreat.

Steps to Import API collection from SwaggerHub

  1. Select SwaggerHub as Source

    • From the Configure API Collection drawer, choose SwaggerHub as your collection source.

  2. Set Up Integration:

    • Enter a Connection Name.

    • Provide your SwaggerHub API Key (available in your SwaggerHub account settings).

    • ZeroThreat will validate the key before proceeding.

  3. Fetch APIs and Versions:

    • Once validated, ZeroThreat fetches your available APIs from SwaggerHub.

    • Select the API project (e.g., Broken Crystals).

    • Choose the API version you want to scan (e.g., 1.0).

    • Click Next () to continue.

Your SwaggerHub API will be added as a Collection in ZeroThreat. You can optionally enable the Auto-fetch option, which refreshes the API definition for any changes daily at 12:00 AM UTC.

4. AWS API Gateway

If your APIs are deployed on AWS API Gateway, you can import them directly into ZeroThreat as a Collection for scanning.

Steps to Import API collection from AWS API Gateway:

  1. Select AWS API Gateway as Source: From the Configure API Collection drawer, choose AWS API Gateway as your collection source.

  2. Set Up Integration:

    • Select your AWS connection/account using an Access Key and Secret Access Key.

    • If you already have a saved AWS configuration in ZeroThreat, you can reuse it.

  3. Fetch APIs:

    • Enter a meaningful Collection Name.

    • Choose the AWS Configuration (newly created or previously saved).

    • Select the Region where your API Gateway is deployed (e.g., ap-south-1).

    • Pick the API (and stage) you want to import.

    • Click Next () to continue.

ZeroThreat will import the selected API from AWS API Gateway and make it available as a Collection. You can optionally enable the Auto-fetch option, which refreshes the API definition for any changes daily at 12:00 AM UTC.

5. Postman Cloud API

If your APIs are hosted in Postman Cloud, you can connect your Postman account to ZeroThreat using an API key and directly import your Postman collections for scanning.

Steps to Import API Collection from Postman Cloud

  1. Select Postman as Source: From the Configure API Collection drawer, choose Postman Cloud API as your collection source.

  2. Set Up Integration

    • Enter a Connection Name.

    • Provide your Postman API Key (available in your Postman account settings).

    • ZeroThreat will validate the key before proceeding.

  3. Fetch Collections

    • Once validated, ZeroThreat fetches your available Workspaces and Collections from Postman.

    • Choose the Connection (newly created or previously saved).

    • Select the Workspace and then the Collection you want to import.

    • Click Next () to continue.

Your Postman Cloud APIs will be added as a Collection in ZeroThreat. You can optionally enable the Auto-fetch option, which refreshes the API definition daily at 12:00 AM UTC to fetch any changes in Postman Cloud API Collection.

Step 4: Review and Configure API Endpoints

Once the API specification is parsed, you will be able to see all the extracted API endpoints.

ZeroThreat highlights any endpoints that have missing or empty request bodies; these are commonly found in incomplete API specs. Such endpoints are marked with a Payload Unmapped () symbol to help you identify them.

While filling in the request body for such APIs is not mandatory to start a scan, it’s highly recommended. Providing sample data in request bodies helps ZeroThreat interact more accurately with your APIs, leading to more effective testing.

(Optional Step) Map Missing Payloads: Click any endpoint marked with the Payload Unmapped () icon and provide sample request body data where needed.

You can also hover over the Collection Analysis () button to get an overview of how many endpoints were parsed, and how many of them are missing request bodies.

Once you're done reviewing and configuring the endpoints, click Save.
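The same check can be run on a spec before uploading it, so that unmapped payloads are fixed in the source file rather than one by one in the drawer. The script below is an added example, not ZeroThreat code: it walks an OpenAPI 3 (or Swagger 2) document and reports operations that take a body but declare no schema or example, giving the same "parsed vs. missing body" totals that Collection Analysis shows. The spec is constructed, and the assumption that only POST/PUT/PATCH are expected to carry a body is the script's own.

```python
# Constructed OpenAPI 3 spec (not from ZeroThreat): three operations take a
# body, but only the first declares a schema for it.
SPEC = {
    "openapi": "3.0.0",
    "paths": {
        "/users": {
            "post": {"requestBody": {"content": {"application/json": {
                "schema": {"type": "object"}}}}},
            "get": {},
        },
        "/users/{id}": {
            "put": {"requestBody": {"content": {"application/json": {}}}},
            "delete": {},
        },
        "/orders": {"post": {}},
    },
}

# Assumption: only these methods are expected to carry a request body.
BODY_METHODS = {"post", "put", "patch"}
HTTP_METHODS = BODY_METHODS | {"get", "delete", "head", "options"}


def has_payload(op: dict) -> bool:
    """True if the operation declares a non-empty request body."""
    # OpenAPI 3: some media type under requestBody.content has a schema or example.
    for media in op.get("requestBody", {}).get("content", {}).values():
        if media.get("schema") or media.get("example") or media.get("examples"):
            return True
    # Swagger 2: an `in: body` parameter with a schema.
    return any(p.get("in") == "body" and p.get("schema")
               for p in op.get("parameters", []))


def analyze(spec: dict) -> dict:
    """Count parsed endpoints and list body-taking operations with no payload."""
    total, unmapped = 0, []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            total += 1
            if method.lower() in BODY_METHODS and not has_payload(op or {}):
                unmapped.append(f"{method.upper()} {path}")
    return {"endpoints": total, "unmapped": unmapped}


if __name__ == "__main__":
    print(analyze(SPEC))
```

Point the script at your real spec (for example via json.load or a YAML loader) and add sample bodies for every listed operation before importing the Collection.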

Your collection is now ready to use. You can proceed to run an Unauthenticated API Scan or, if your APIs require authentication, configure API Authentication settings for this collection.

What’s Next?

Ready to scan? Continue to Unauthenticated API Scan. Your APIs need authentication to access? Learn how to set up Authenticated API Scans.
