MuleSoft API Discovery Connectors

The MuleSoft API Discovery Connector integrates your Anypoint Platform (MuleSoft) with Qualys TotalAppSec (TAS). Once configured, the connector imports your MuleSoft API infrastructure into Qualys for automated discovery, inventory, and scanning preparation.

| Category | Supported Asset Type | Supported Finding Type |
|---|---|---|
| API Connector | APIs | N/A (Discovery only) |

Prerequisites

An active TotalAppSec module subscription must be available.

Permissions

Ensure that the following API access scopes, each of which grants specific permissions, are enabled:

  • Manage APIs Configuration
  • View APIs Configuration
  • Exchange Contributor
  • Exchange Viewer
  • View Environment
  • View Organization

The scopes can be defined while creating an App to obtain the client ID and client secret. See Create an App to Obtain Client ID and Client Secret.

Authentication Details

| Field | Key | Example |
|---|---|---|
| Organization ID | Business Group ID | Your MuleSoft Anypoint Business Group ID. |
| Environment ID | Environment ID | Your MuleSoft Anypoint account Environment ID. |
| Client ID | Client ID | The Client ID generated after creating a new App. |
| Client Secret | Client Secret | The Client Secret generated after creating a new App. |

Steps to Obtain the Authentication Credentials

Follow these steps to obtain the authentication credentials: Client ID, Client Secret, Organization ID, and Environment ID.

Create an App to Obtain Client ID and Client Secret

  1. Log on to https://anypoint.mulesoft.com.
  2. Navigate to Access Management > Connected Apps.

  3. Click Create App.

  4. Provide Name and Type: Client Credentials Grant.

  5. Click Add Scopes.

  6. Search for the scopes as mentioned in the Permissions section and select the scopes.

  7. Select Qualys as the Business Group.

  8. Select Design and Sandbox as the Environments.

  9. Review the configurations and click Add Scope > Save.

Once the app is saved, it becomes visible in the Connected Apps > Owned Apps section. You can use the ID and secret while creating a MuleSoft Connector.

View Your Environment ID and Organization ID

  1. Navigate to API Manager and click Environment.
  2. Copy the Environment ID and Business Group ID (Organization ID) from the opened window.

Connector Configuration

To activate the feature, you must have a TotalAppSec module subscription. Navigate to the Discovery tab > Sources > MuleSoft API Connectors, and click Create Connector.

Basic Details

  1. Provide a Name and Description.
  2. Select the Qualys Data Model - API Discovery and Data Model Type - API.
  3. Provide the required Authentication Details.

Data Model

The TAS MuleSoft API Discovery Default Data Model offers an out-of-the-box data model mapping with the Qualys TAS schema. You can view the schema to understand the attributes in the data model. Here's the default data model mapping.

MuleSoft API Discovery Default Data Model

Transform Maps

Transform maps ensure data is correctly transformed during data import. Qualys provides the default transform map, and it cannot be edited. 

Profile Configuration

Create a profile for your connector. A profile determines the connector status, execution schedule, and transform map to use. The connector adheres to the configurations of this profile for all subsequent executions.

  1. Click  to create a new profile.
  2. In the Create Profile screen, provide the necessary inputs for your new profile:
    1. Provide a Name and Description.
    2. Select the required Transform Map for the data mapping.
    3. In the Status field, select whether the connector should be in the Active or Inactive state after creation.
    4. In the Schedule section, select a Single Occurrence schedule or a Recurring schedule. For a single occurrence, select the timezone, start time, and end time. For a recurring schedule, select the timezone, frequency, start time, and end time.
    5. Click Create to add a new profile.

Connector States

After configuration, the connector progresses through these states:

| State | Description |
|---|---|
| Registered | Connector created and registered successfully. |
| Scheduled | Connection execution is scheduled. |
| Processing | A connection is executed and the connector is retrieving asset data. |
| Processed | Asset discovery completed; findings ingestion may still continue. The Processed state indicates that the connector is successfully configured but is still importing all your assets. This process may take some time. |

Logs

End-to-end logging provides enhanced visibility into connector activities from TotalAppSec, enabling more effective analysis and troubleshooting. You can access these logs from the Logs tab.

View Discovered Assets in TotalAppSec

Follow the steps to view your assets in the TAS application.

Sources

You can find the Discovered APIs count under the MuleSoft API Connectors tile in Discovery > Sources.

Discovered APIs

Here, you can view all the API assets discovered by the MuleSoft connector with additional details like Status, URL, Endpoints, and so on.

Additional Resources

Additional information related to the MuleSoft Connector.

API Reference

Here are the APIs executed for the MuleSoft connection.

| Operation | API Endpoint |
|---|---|
| Login | https://anypoint.mulesoft.com/accounts/login |
| Get Active Organizations | https://anypoint.mulesoft.com/apiplatform/repository/v2/organizations/active |
| Get Environments | https://anypoint.mulesoft.com/apiplatform/repository/v2/organizations/{{orgId}}/environments |
| List APIs | https://anypoint.mulesoft.com/apimanager/api/v1/organizations/{{orgId}}/environments/{{envId}}/apis |
| Get API Details | https://anypoint.mulesoft.com/exchange/api/v2/assets/{{orgId}}/{{assetId}}/asset/ |
| Download Swagger | https://exchange2-asset-manager-kprod.s3.amazonaws.com/... (dynamic path per asset) |
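The endpoint list above can double as an egress allowlist for the connector's credentials. The following added example (not Qualys or MuleSoft code) classifies URLs from a proxy or audit log against the table's templates and flags anything else, such as a different environment or an API sub-resource. The log format, the IDs `org-1111` / `env-2222`, and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Endpoint templates as listed in the API Reference table.
ENDPOINTS = {
    "Login": "https://anypoint.mulesoft.com/accounts/login",
    "Get Active Organizations": "https://anypoint.mulesoft.com/apiplatform/repository/v2/organizations/active",
    "Get Environments": "https://anypoint.mulesoft.com/apiplatform/repository/v2/organizations/{{orgId}}/environments",
    "List APIs": "https://anypoint.mulesoft.com/apimanager/api/v1/organizations/{{orgId}}/environments/{{envId}}/apis",
    "Get API Details": "https://anypoint.mulesoft.com/exchange/api/v2/assets/{{orgId}}/{{assetId}}/asset/",
}
SWAGGER_HOST = "exchange2-asset-manager-kprod.s3.amazonaws.com"  # dynamic path, so only the host is pinned

def build_matchers(org_id, env_id):
    """Compile each template into a regex bound to one org and one environment."""
    fills = {"{{orgId}}": re.escape(org_id), "{{envId}}": re.escape(env_id), "{{assetId}}": r"[^/]+"}
    matchers = {}
    for op, template in ENDPOINTS.items():
        parts = re.split(r"(\{\{\w+\}\})", template.rstrip("/"))
        matchers[op] = re.compile("".join(fills.get(p, re.escape(p)) for p in parts) + "/?")
    return matchers

def classify(url, matchers):
    """Return the connector operation a URL belongs to, or 'UNEXPECTED'."""
    u = urlsplit(url)
    if u.scheme != "https":
        return "UNEXPECTED"
    if u.hostname == SWAGGER_HOST:
        return "Download Swagger"
    bare = f"https://{u.hostname}{u.path}"  # query string is ignored
    for op, rx in matchers.items():
        if rx.fullmatch(bare):
            return op
    return "UNEXPECTED"

def review(log_text, org_id, env_id):
    """Classify every '<timestamp> <url>' line of an egress log."""
    matchers = build_matchers(org_id, env_id)
    return [(ts, classify(url, matchers)) for ts, url in map(str.split, log_text.splitlines())]

# Constructed sample: IDs, timestamps and the S3 path are made up.
SAMPLE_LOG = """\
2024-01-01T02:00:01Z https://anypoint.mulesoft.com/apiplatform/repository/v2/organizations/active
2024-01-01T02:00:02Z https://anypoint.mulesoft.com/apimanager/api/v1/organizations/org-1111/environments/env-2222/apis?limit=50
2024-01-01T02:00:03Z https://exchange2-asset-manager-kprod.s3.amazonaws.com/constructed/path/swagger.json
2024-01-01T02:00:04Z https://anypoint.mulesoft.com/apimanager/api/v1/organizations/org-1111/environments/env-9999/apis
2024-01-01T02:00:05Z https://anypoint.mulesoft.com/apimanager/api/v1/organizations/org-1111/environments/env-2222/apis/42
"""
```

Calling `review(SAMPLE_LOG, "org-1111", "env-2222")` returns one `(timestamp, verdict)` pair per line; the last two sample lines come back as `UNEXPECTED`.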

Data Model Map

This section explains the attribute mappings between MuleSoft and Qualys TotalAppSec.

| Source Attribute Label | Target Attribute Label |
|---|---|
| groupId | groupId |
| assetId | assetId |
| name | name |
| isPublic | isPublic |
| organizationId | organizationId |
| masifLocation | masifLocation |
| description | description |
| version | version |
| status | serviceStatus |
| type | apiType |