Scan APIs

You use API Scanning in the Veracode Platform or with the REST API to perform a Dynamic Analysis of your REST APIs. To assess the security posture of the API, API Scanning crawls and analyzes the API endpoints in a specification file or the requests in a Postman Collection. The results identify the vulnerabilities you might need to fix.

You can also scan web applications and APIs with DAST Essentials.

In the Veracode Platform, you create a Dynamic Analysis and upload or select the API specification or Postman Collection you want to analyze. An analysis can contain a maximum of 250 specifications.

If you want to try API Scanning, but you do not have an OpenAPI 3.0 or 2.0 specification, you can create an HTTP Archive (HAR) file using several free tools, such as Chrome Developer Tools. To reduce extraneous traffic, such as third-party traffic, you can select Fetch/XHR to apply filtering before exporting the HAR.

To learn more about API specification support and how API Scanning processes these files during analysis, see About API specification scans.

Licensing for API Scanning

API Scanning requires a Dynamic Analysis license. To determine the number of API specifications or Postman Collections you can scan, Veracode uses the target URLs in your license. Each target URL equates to a unique API server defined in your specifications. When you upload a specification in the Veracode Platform, it imports the URLs of the defined API servers. When you upload a Postman Collection, you must add a custom base URL. The scanners use the custom base URL as the target URL and only scan requests that use the target URL.

During a specification scan, Veracode detects the target API server and counts it against the number of target URLs available in your license. If a specification has multiple servers defined, you can select the server you want to use when configuring the scan. If you scan a specification using a defined server and then scan that same specification using a different server, Veracode treats the two servers as separate target URLs and deducts both from your license.
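To estimate that consumption before configuring scans, the following added Python example (not Veracode code) applies the counting rule above to constructed OpenAPI 3, OpenAPI 2 and Postman Collection documents: one target URL per selected API server, one per custom base URL, and only collection requests under that base URL counted as in scope. The server fields follow the public OpenAPI and Postman v2 formats; the hosts and paths are assumptions.

```python
from urllib.parse import urlsplit
def normalize(url):
    """Canonical form so the same server is not counted twice (case, trailing slash)."""
    p = urlsplit(url.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"

def openapi_servers(spec):
    """Servers from an OpenAPI 3.x 'servers' list or a 2.0 schemes/host/basePath triple."""
    if "servers" in spec:
        return [s["url"] for s in spec["servers"]]
    if "host" in spec:
        return [f"{s}://{spec['host']}{spec.get('basePath', '')}"
                for s in spec.get("schemes", ["https"])]
    return []

def postman_urls(collection):
    """Raw request URLs from a (possibly nested) Postman Collection v2 'item' tree."""
    urls = []
    for item in collection.get("item", []):
        if "item" in item:
            urls += postman_urls(item)
        elif "request" in item:
            u = item["request"].get("url", "")
            urls.append(u if isinstance(u, str) else u.get("raw", ""))
    return urls

def in_scope(url, base):
    n = normalize(url)                          # base is already normalized
    return n == base or n.startswith(base + "/")

def license_usage(scans):
    """scans: (document, chosen server or custom base URL; None = first defined server)."""
    targets, scanned = set(), 0                 # target URLs consumed, Postman requests in scope
    for doc, chosen in scans:
        if "item" in doc:                       # Postman Collection: custom base URL required
            base = normalize(chosen)
            targets.add(base)
            scanned += sum(in_scope(u, base) for u in postman_urls(doc))
        else:                                   # OpenAPI: the server selected for this scan
            targets.add(normalize(chosen or openapi_servers(doc)[0]))
    return targets, scanned

# Constructed sample documents; the hosts are placeholders, not real services.
OAS3 = {"openapi": "3.0.0", "servers": [{"url": "https://api.example.test/v1/"},
                                        {"url": "https://staging.example.test/v1"}]}
OAS2 = {"swagger": "2.0", "host": "api.example.test", "basePath": "/v1", "schemes": ["https"]}
COLL = {"info": {"name": "demo"}, "item": [
    {"name": "users", "item": [{"name": "list", "request": {"url": "https://api.example.test/v1/users"}}]},
    {"name": "third party", "request": {"url": {"raw": "https://cdn.other.test/ping"}}}]}
# OAS3 scanned against two servers counts twice; OAS2 and the collection reuse the first one.
SCANS = [(OAS3, None), (OAS3, "https://staging.example.test/v1"), (OAS2, None), (COLL, "https://api.example.test/v1")]
```

`license_usage(SCANS)` reports two target URLs consumed and one collection request in scope; the third-party request is ignored because it does not use the custom base URL.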

Ensure your Dynamic Analysis license has an adequate number of target URLs for the number of API specifications you want to scan. To obtain or change a Dynamic Analysis license, contact your Veracode sales representative.