Usage
Instrumented containers have CMD set to jockey-executables, so you can run a scan either by running the jockey script itself or by running the Docker container; their specs are equivalent.
```sh
# Adjust __HOSTPATH__ and __IMAGE_NAME__ according to
# - the desired working dir (scan config and output go there)
# - the scan type/tool you intend to run
docker run --rm -d \
  -v __HOSTPATH__:/wrk/:rw \
  __IMAGE_NAME__ \
  -i /wrk/scanrequest.json
```
The WebAPI (see the OpenAPI reference in the sidebar) is an adapter to the jockeys that also implements an additional layer of scan-job dispatching and output organization.
The scan request specification (see also the json-schema there) is the same for the jockeys and for the WebAPI:
```json
{
  "endpoints": ["example.com"]
}
```
```json
{
  "endpoints": ["example.com"],
  "headers": [
    ["Authorization", "Basic eW86eW8="],
    ["X-Tenant", "Custom"]
  ]
}
```
```json
{
  "endpoints": ["example.com"],
  "headers": [
    ["Authorization", "Basic eW86eW8="],
    ["X-Tenant", "Custom"]
  ],
  "oas": {"file": "/wrk/openapi.json"}
}
```
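An added example, not part of the jockey project: a pre-flight check that validates a request against the three shapes shown above and writes `scanrequest.json` owner-readable only, because the `headers` carry credentials. The rules are inferred from those examples rather than from the project's json-schema; the function names, the list of sensitive header names, and the assumption that `oas.file` is resolved inside the container under the `/wrk` mount are hypothetical.

```python
import json
import os
from pathlib import Path, PurePosixPath

CONTAINER_DIR = PurePosixPath("/wrk")  # mount point used in the docker run example
SENSITIVE = {"authorization", "proxy-authorization", "cookie"}  # assumed list


def check_request(req, host_dir):
    """Return a list of problems; empty means the request matches the shapes above."""
    problems = []
    eps = req.get("endpoints")
    if not (isinstance(eps, list) and eps and all(isinstance(e, str) and e for e in eps)):
        problems.append("endpoints must be a non-empty list of strings")
    for h in req.get("headers", []):
        if not (isinstance(h, list) and len(h) == 2 and all(isinstance(x, str) for x in h)):
            problems.append(f"header entry is not a [name, value] pair: {h!r}")
        elif "\r" in h[0] + h[1] or "\n" in h[0] + h[1]:
            problems.append(f"header {h[0]!r} contains a line break")
    if isinstance(req.get("oas"), dict):
        oas = PurePosixPath(str(req["oas"].get("file", "")))
        # Assumption: the path is read inside the container, so it must sit under the mount.
        if ".." in oas.parts or CONTAINER_DIR not in oas.parents:
            problems.append(f"oas.file must be below {CONTAINER_DIR}: {oas}")
        elif not (Path(host_dir) / oas.relative_to(CONTAINER_DIR)).is_file():
            problems.append(f"oas.file missing on host side of the mount: {oas}")
    return problems


def redacted(req):
    """Copy of the request that is safe to log: credential header values are masked."""
    out = dict(req)
    out["headers"] = [[n, "<redacted>" if n.lower() in SENSITIVE else v]
                      for n, v in req.get("headers", [])]
    return out


def write_request(req, host_dir):
    """Validate, then write scanrequest.json with mode 0600 into the working dir."""
    problems = check_request(req, host_dir)
    if problems:
        raise ValueError("; ".join(problems))
    path = Path(host_dir) / "scanrequest.json"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tighten a file that already existed
    with os.fdopen(fd, "w") as fh:
        json.dump(req, fh, indent=2)
    return path
```

If the container process runs as a different non-root user than the file owner, mode 0600 will stop it from reading the request; change the file's ownership to that user rather than widening the permissions.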