About API specification scans
Use API Scanning in the Veracode Platform or with the REST API to perform a DAST Essentials scan of your REST APIs. To assess the security posture of your APIs, API Scanning crawls and analyzes the endpoints defined in specification files or Postman Collections. The results identify vulnerabilities that might require remediation.
In the Veracode Platform, create a target for DAST Essentials and upload or select the API specification or Postman Collection you want to analyze. An analysis can contain a maximum of 250 specifications.
To try API Scanning without an OpenAPI 3.0 or 2.0 specification, create an HTTP Archive (HAR) file using a free tool, such as Chrome Developer Tools. To reduce extraneous traffic—such as third-party requests—select Fetch/XHR to apply filtering before exporting the HAR.
To learn more about API specification support and how API Scanning processes these files during analysis, see About API specification scans.
License to scan APIs
DAST Essentials requires a license to scan APIs. Veracode calculates the number of API specifications or Postman Collections you can scan based on the number of target URLs included in your license. Each target URL represents a unique API server defined in your specifications. When you upload a specification in the Veracode Platform, it imports the URLs of the defined API servers. When you upload a Postman Collection, you must specify a custom base URL. Veracode uses this base URL as the target and only scans requests that reference it.
During a specification scan, Veracode detects the target API server and deducts it from the number of target URLs available in your license. If a specification has multiple servers defined, you can select the server you want to use when configuring the scan. If you scan a specification using a defined server and then scan that same specification using a different server, Veracode treats both servers as separate target URLs and deducts both target URLs from your license.
Ensure your DAST Essentials license includes a sufficient number of target URLs for the API specifications you plan to scan. To obtain or modify a license, contact your Veracode sales representative.
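The target-URL counting rules above, worked as an added example (not Veracode's code): a pre-flight estimate of how many target URLs a planned set of scans will deduct. It assumes the OpenAPI 3.x `servers` list, the OpenAPI 2.0 `host`/`schemes`/`basePath` fields and the Postman Collection v2.1 `item` layout, and treats identical URLs as one target; all sample documents are constructed.

```python
# Added example, not Veracode code: estimate how many DAST Essentials target URLs
# a planned set of API scans deducts. Assumes OpenAPI 3.x "servers" or OpenAPI 2.0
# host/schemes/basePath, and Postman Collection v2.1 layout; samples are constructed.

def server_urls(spec: dict) -> set[str]:
    """Unique API server URLs defined in an OpenAPI 3.x or 2.0 specification."""
    if "servers" in spec:                                   # OpenAPI 3.x
        return {s["url"].rstrip("/") for s in spec["servers"]}
    base = spec.get("basePath", "").rstrip("/")            # OpenAPI 2.0 (Swagger)
    return {f"{sch}://{spec['host']}{base}" for sch in spec.get("schemes", ["https"])} if "host" in spec else set()

def postman_requests_in_scope(collection: dict, base_url: str) -> list[str]:
    """Request URLs in a Postman Collection that reference the custom base URL;
    anything else lies outside the target and is not scanned."""
    base, hits = base_url.rstrip("/"), []
    def walk(items):
        for it in items:
            if "item" in it:                                # folder: recurse
                walk(it["item"])
                continue
            url = it["request"]["url"]
            raw = url["raw"] if isinstance(url, dict) else url
            if raw == base or raw.startswith(base + "/"):
                hits.append(raw)
    walk(collection.get("item", []))
    return hits

def target_urls_consumed(scans: list[tuple[dict, str]]) -> set[str]:
    """Distinct target URLs for (document, chosen server or base URL) pairs; scanning one spec against two servers deducts both."""
    consumed = set()
    for doc, target in scans:
        target = target.rstrip("/")
        if "item" in doc:                                   # Postman Collection: base URL is the target
            consumed.add(target)
            continue
        if target not in server_urls(doc):                  # must pick a server the spec defines
            raise ValueError(f"{target} is not a server defined in the specification")
        consumed.add(target)
    return consumed

SPEC = {"openapi": "3.0.3", "servers": [{"url": "https://api.example.test/v1"},      # constructed
                                         {"url": "https://staging.example.test/v1/"}]}
COLLECTION = {"info": {"name": "Orders"}, "item": [                                    # constructed
    {"name": "list", "request": {"url": {"raw": "https://shop.example.test/api/orders"}}},
    {"name": "auth", "item": [{"name": "token",
        "request": {"url": "https://login.example.test/oauth/token"}}]}]}

def demo() -> int:
    """Target URLs needed for SPEC scanned on both servers plus the collection."""
    return len(target_urls_consumed([(SPEC, "https://api.example.test/v1"),
        (SPEC, "https://staging.example.test/v1"), (COLLECTION, "https://shop.example.test/api")]))
```

Run `demo()` to see that one specification scanned against its two servers plus one collection needs three target URLs; the out-of-scope login request in the collection is neither scanned nor counted.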