Kong Gateway API Discovery Connectors

The Kong Gateway API Discovery Connector enables automated integration between your Kong API Gateway environment and Qualys. The connector discovers APIs managed through Kong Gateway, collects their metadata and specifications, and imports them into Qualys to support API inventory, visibility, and scan readiness.

Category        Supported Asset Type    Supported Finding Type
API Connector   APIs                    N/A (Discovery only)

Prerequisites

  • An active TotalAppSec module subscription 
  • Access to your Kong Gateway with the required permissions as specified in the Permissions section.  

How to Obtain a Token for Connector Configuration

  1. Log in to Kong at https://cloud.konghq.com/
  2. Navigate to Organization > System Accounts, and click Create System Account
  3. Add a name and description for the system account, and click Save.

    The system account is created.
  4. In the Role Assignments, click Add roles.
  5. In the Add Roles dialog box, select appropriate values for the following fields:
    1. Entity Type - Control Planes
    2. Add Roles - Viewer
    3. Instance - All Instances (*)
  6. Click Save. The new role is created and assigned to the System Account.
  7. Click Manage Tokens.
  8. In the Access Tokens page, click Generate Token.
  9. In the Generate an Access Token dialog box, perform the following steps:
    1. Add a Token Name.
    2. Select the Expiration time.
    3. Click Generate.
    4. Once the token is generated, click Copy token and close the dialog box.

Use this token to set up the Kong API Discovery Connector in the Basic Details step.

Permissions 

The following table lists the Kong Gateway APIs used to retrieve data and the IAM permissions required for each operation.

API Endpoint / IAM Permissions

GET /v2/control-planes/

Minimum permission needed:

  • Control Planes: View or List (read access to control planes at org level)

GET /v2/control-planes/{CONTROL_PLANE_ID}/core-entities/services

Minimum permission needed (for that control plane):

  • Services: View (read)
  • Control Plane access

GET /v2/control-planes/{CONTROL_PLANE_ID}/core-entities/routes

Minimum permission needed (for that control plane):

  • Routes: View (read)
  • Control Plane access 

GET /v2/control-planes/{CONTROL_PLANE_ID}/core-entities/plugins

Minimum permission needed (for that control plane):

  • Plugins: View (read)
  • Control Plane access

GET /v2/control-planes/{CONTROL_PLANE_ID}/core-entities/consumers

Minimum permission needed (for that control plane):

  • Consumers: View (read)
  • Control Plane access
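The token procedure above and the Permissions table together describe a read-only system account that can list control planes and view the services, routes, plugins, and consumers inside each one. The following script is an added example, not code from Qualys or Kong: it walks exactly those endpoints with a Bearer token, reports any endpoint the token cannot read (so a missing Viewer role is found before the connector is configured rather than as a failed execution), and builds a small service/route inventory of the kind the connector imports. Assumptions not stated on the page: the regional base URL, the Authorization: Bearer header, and a response body shaped like {"data": [...], "meta": {"page": {"total": N}}} addressed with page[size]/page[number] query parameters. The sample responses used for the offline run are constructed.

```python
"""Read-only preflight for a Kong Konnect system-account token (added example, not Qualys/Kong code).

Walks the endpoints from the Permissions table with Viewer-level access only,
records any endpoint that answers with an error, and joins routes to services.
Assumptions: regional base URL, Bearer auth header, and paged bodies shaped like
{"data": [...], "meta": {"page": {"total": N}}}; SAMPLE below is constructed.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

KONNECT_BASE = "https://us.api.konghq.com"                      # assumption: region-specific host
CORE_ENTITIES = ("services", "routes", "plugins", "consumers")  # per-control-plane reads from the table
PAGE_SIZE = 100

Fetcher = Callable[[str, str], Tuple[int, dict]]  # (url, token) -> (http_status, parsed JSON body)


def http_fetch(url: str, token: str) -> Tuple[int, dict]:
    """Live fetcher: GET with a Bearer token; the token is never written to output."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                               "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}


def paged_get(fetch: Fetcher, token: str, url: str, page_size: int = PAGE_SIZE) -> Tuple[int, List[dict]]:
    """Follow page[number] until meta.page.total items are collected or a page comes back empty."""
    items, page = [], 1
    while True:
        status, body = fetch(f"{url}?page[size]={page_size}&page[number]={page}", token)
        if status != 200:
            return status, items
        data = body.get("data", [])
        items.extend(data)
        total = body.get("meta", {}).get("page", {}).get("total")
        if not data or total is None or len(items) >= total:
            return 200, items
        page += 1


def preflight(token: str, fetch: Fetcher = http_fetch, base: str = KONNECT_BASE,
              page_size: int = PAGE_SIZE) -> Dict[str, object]:
    """Check every endpoint the connector uses; return {"denied": [(path, status)], "assets": [...]}."""
    report: Dict[str, object] = {"denied": [], "assets": []}
    status, planes = paged_get(fetch, token, f"{base}/v2/control-planes", page_size)
    if status != 200:
        report["denied"].append(("/v2/control-planes", status))  # org-level Control Planes: View missing
        return report
    for cp in planes:
        cp_path = f"/v2/control-planes/{cp['id']}/core-entities"
        entities: Dict[str, List[dict]] = {}
        for name in CORE_ENTITIES:
            status, rows = paged_get(fetch, token, f"{base}{cp_path}/{name}", page_size)
            if status != 200:
                report["denied"].append((f"{cp_path}/{name}", status))  # entity-level View role missing
            entities[name] = rows
        # Kong routes reference their service by id; group the exposed paths per service.
        routes_by_service: Dict[str, List[str]] = {}
        for route in entities["routes"]:
            sid = (route.get("service") or {}).get("id")
            routes_by_service.setdefault(sid, []).extend(route.get("paths", []))
        for svc in entities["services"]:
            upstream = (f"{svc.get('protocol', 'http')}://{svc.get('host')}"
                        f":{svc.get('port', 80)}{svc.get('path') or ''}")
            report["assets"].append({"control_plane": cp.get("name"), "service": svc.get("name"),
                                     "upstream": upstream,
                                     "routes": sorted(routes_by_service.get(svc.get("id"), []))})
    return report


# --- constructed sample responses for an offline run (not real Konnect data) ---
SAMPLE = {
    "/v2/control-planes": [{"id": "cp-1", "name": "prod"}, {"id": "cp-2", "name": "staging"}],
    "/v2/control-planes/cp-1/core-entities/services": [
        {"id": "svc-a", "name": "orders", "protocol": "https", "host": "orders.internal", "port": 443, "path": "/v1"},
        {"id": "svc-b", "name": "payments", "protocol": "https", "host": "pay.internal", "port": 443, "path": None}],
    "/v2/control-planes/cp-1/core-entities/routes": [
        {"id": "rt-1", "paths": ["/orders"], "service": {"id": "svc-a"}},
        {"id": "rt-2", "paths": ["/orders/admin"], "service": {"id": "svc-a"}}],
    "/v2/control-planes/cp-1/core-entities/plugins": [],
    # cp-1 consumers intentionally absent: the token lacks "Consumers: View" there, so the fake answers 403.
    "/v2/control-planes/cp-2/core-entities/services": [{"id": "svc-c", "name": "catalog", "host": "cat.internal"}],
    "/v2/control-planes/cp-2/core-entities/routes": [],
    "/v2/control-planes/cp-2/core-entities/plugins": [],
    "/v2/control-planes/cp-2/core-entities/consumers": [],
}


def fake_fetch(url: str, token: str) -> Tuple[int, dict]:
    """Offline stand-in for http_fetch: serves SAMPLE page by page, 401 on a bad token, 403 on unknown paths."""
    if token != "constructed-system-account-token":
        return 401, {}
    path, _, query = url[len(KONNECT_BASE):].partition("?")
    params = dict(p.split("=", 1) for p in query.split("&"))
    if path not in SAMPLE:
        return 403, {}
    size, page = int(params["page[size]"]), int(params["page[number]"])
    rows = SAMPLE[path]
    return 200, {"data": rows[(page - 1) * size:page * size], "meta": {"page": {"total": len(rows)}}}


if __name__ == "__main__":
    print(json.dumps(preflight("constructed-system-account-token", fake_fetch), indent=2))
```

Run against a live tenant by swapping in http_fetch and the system-account token; a non-empty "denied" list names the exact endpoint and control plane that still needs the Viewer role, and the "assets" list is the same service/route view the connector would import.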

Connector Configuration

To create a new Kong Gateway API Discovery connector, navigate to the Discovery tab > Sources > Kong Gateway API Discovery Connector, and click Create Connector.

 KONG API Connector.

Basic Details

  1. Provide a Name and Description.
  2. Select the Qualys Data Model (API Discovery) and the Data Model Type (API).
  3. Provide the required Authentication Details, including the token generated above.

Basic details.

Data Model

The Kong API Discovery Default Data Model provides an out-of-the-box schema aligned with the Qualys schema.

Use the schema view to understand the attributes and structure of the imported API data.

Data model.

Here is the default data model mapping.

Data model mapping.

Transform Maps

Transform maps ensure data is correctly transformed during data import. Qualys provides the default transform map, and it cannot be edited. 

Transform maps.

Profile Configuration

Create a profile for your connector. A profile determines the connector status, the execution schedule, and the transform map to use. The connector follows the configuration of this profile for all future executions.

profile configuration.

  1. Click  to create a new profile.
    Create profile.
  2. In the Create Profile screen, provide the necessary inputs for your new profile:
    1. Provide a Name and Description.
    2. Select the required Transform Map for the data mapping.
    3. In the Status field, select whether the connector should be Active or Inactive after creation.
    4. In the Schedule section, select a Single Occurrence schedule or a Recurring schedule. For a single occurrence, select the timezone, start time, and end time. For recurring scheduling, select the timezone, frequency, start time, and end time.
    5. Click Create to add a new profile.

Connector States

After configuration, the connector progresses through these states:

State        Description
Registered   Connector created and registered successfully.
Scheduled    Connector execution is scheduled.
Processing   A connector execution is running and the connector is retrieving asset data.
Processed    Asset discovery completed; findings ingestion may still continue. The Processed state indicates that the connector is successfully configured but is still importing all your assets. This process may take some time.

Logs

End-to-end logging provides enhanced visibility into connector activities from TotalAppSec, enabling more effective analysis and troubleshooting. You can access these logs from the Logs tab.

View Discovered Assets in TotalAppSec

Follow these steps to view your assets in the TotalAppSec (TAS) application.

Sources

Source tab.

Discovered APIs

Here, you can view all API assets discovered by the KONG connector, along with additional details such as Status, URL, Endpoints, and so on.

Discovered KONG API connector.