API Inventory Management

API Inventory Management is a feature designed to enhance your API ecosystem by simplifying the management of your API inventory.

It allows easy management of discovered APIs, marking of non-API discoveries, removal of outdated endpoints, and seamless updates for API schemas. This tool keeps your API inventory organized, current, and secure, catering to your dynamic requirements.

Add Shadow API into the Inventory

In the previous lab, we discovered /api/colors as a shadow API. DevOps already opened a ServiceNow ticket with SecOps to provide the new OpenAPI Spec file including /colors. But SecOps is behind on its ticketing queue and has not seen this ticket yet, and it still must make a decision about this endpoint.

SecOps can block the request with an API Protection rule. We covered how to create one in the Static API Protection lab. FYI, there is a shortcut directly in the API Endpoint screen, as shown in the screenshot below. Don’t block it now; it is a legitimate endpoint.

../../../_images/protection-rule-colors.png

We will not block it: SecOps learned through a side channel that this endpoint is part of the application update from last night.

We need to add this endpoint to the inventory (the OpenAPI Spec), but we will not update the Spec file, because DevOps owns that source of truth. Instead, we will add the endpoint to the Inclusion List.

Note

Inventory = OpenAPI File + Inclusion List


Add the /api/colors shadow API endpoint to the Inventory (inclusion list)

  • Click on the three dots (…) at the right of the /api/colors endpoint to open the actions menu

  • Click on Move to Inventory

    ../../../_images/move-to-inventory.png
  • A warning message asks you to confirm the addition

    ../../../_images/warning-inventory.png
  • Click Move to Inventory

  • Now, you can see /api/colors is not a Shadow API anymore. It is part of Inventory.

    ../../../_images/moved-inventory.png

How to find all endpoints added to the Inventory (Inclusion List)?

As mentioned before, API endpoints are not added to the OAS Spec file because this file is maintained by AppDev/DevOps. Instead, we create an Inventory Inclusion List.

  • Go to API Management > Edit your API Definition

  • You can see an API Inventory Inclusion List

    ../../../_images/oas-inclusion-list.png
  • Click on Edit Configuration to see the content

    ../../../_images/inclusion-list.png

Note

When AppDev/DevOps pushes a new version of the OpenAPI Spec file to F5 XC, that new version becomes available to SecOps. SecOps will update the definition with this new file (let’s say v2). If this version includes /api/colors, the entry in the Inventory Inclusion List will not be taken into account. The OAS Spec file specified on F5 XC takes precedence over the Inventory Inclusion List.
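
The rule "Inventory = OpenAPI File + Inclusion List, with the spec taking precedence" can be checked offline against exported data. The sketch below is an added example, not F5 XC code or its API: the spec contents, the (method, path) inclusion-list format, the /api base path and the /api/debug endpoint are all constructed assumptions.

```python
import re

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

# Constructed sample data (not exported from F5 XC).
SPEC_V1 = {"paths": {"/adjectives": {"get": {}}, "/animals/{id}": {"get": {}}}}
SPEC_V2 = {"paths": {**SPEC_V1["paths"], "/colors": {"get": {}}}}
INCLUSION = [("GET", "/api/colors")]          # hypothetical inclusion-list format
DISCOVERED = [("GET", "/api/adjectives"), ("GET", "/api/animals/7"),
              ("GET", "/api/colors"), ("GET", "/api/debug")]

def spec_endpoints(spec, base_path=""):
    """Return the set of (METHOD, path_template) declared in an OpenAPI dict."""
    return {(method.upper(), base_path + path)
            for path, item in spec.get("paths", {}).items()
            for method in item if method.lower() in HTTP_METHODS}

def _matches(template, path):
    # Each {param} in the template matches exactly one path segment.
    parts = re.split(r"\{[^/{}]+\}", template)
    pattern = "[^/]+".join(re.escape(p) for p in parts)
    return re.fullmatch(pattern, path) is not None

def classify(discovered, spec, inclusion_list, base_path=""):
    """Label each discovered endpoint 'spec', 'inclusion-list' or 'shadow'.
    The spec is checked first, mirroring the precedence rule in the note."""
    declared = spec_endpoints(spec, base_path)
    labels = {}
    for method, path in discovered:
        if any(m == method and _matches(t, path) for m, t in declared):
            labels[(method, path)] = "spec"
        elif any(m == method and _matches(t, path) for m, t in inclusion_list):
            labels[(method, path)] = "inclusion-list"
        else:
            labels[(method, path)] = "shadow"
    return labels

def redundant_inclusions(spec, inclusion_list, base_path=""):
    """Inclusion-list entries that the spec now declares itself."""
    declared = spec_endpoints(spec, base_path)
    return sorted(e for e in inclusion_list if e in declared)

if __name__ == "__main__":
    for version, spec in (("v1", SPEC_V1), ("v2", SPEC_V2)):
        print(version, classify(DISCOVERED, spec, INCLUSION, "/api"))
        print(version, "redundant:", redundant_inclusions(spec, INCLUSION, "/api"))
```

Against v1 the /api/colors entry is covered only by the inclusion list; against v2 the spec covers it and the inclusion-list entry shows up as redundant, while /api/debug stays a shadow endpoint in both cases.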