Configure authentication methods for API scans

Veracode supports several authentication methods for scanning your APIs. You can configure these methods in the Veracode Platform to allow access for scanning your APIs.

Configure scanner variables

You configure a scanner variable in the Veracode Platform to define information that you can reference in your login scripts for API scans.

Configure client certificates

Add a client certificate if your API requires one to authenticate with servers configured for TLS client authentication. During a scan, when a server requests a client certificate from a matching issuer, the scanner presents the configured client certificate.

Configure OAuth 2.0

In the Veracode Platform, you configure the OAuth 2.0 protocol so the scanner can authenticate with the servers hosting the API. Veracode sends all authorization data in the HTTP Authorization header.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > DAST Essentials.
  3. Locate the target you want to configure. In the Actions column, select Configure.
  4. Select the Authentication tab.
  5. In the Enterprise mode authentication settings section, under OAuth 2.0, select Grant Type.
  6. If you select the Client Credentials grant type, you can select the Use OpenID Connect checkbox to use OAuth 2.0 with OpenID Connect. Then, in the OpenID Connect URL field, enter the URL of the authentication server.
  7. Optionally, you can add Scope. If you need to use multiple values for Scope, separate each value with a space.
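As an added example, not Veracode's code and not the DAST Essentials implementation, the exchange the settings above drive, written in JavaScript: the OpenID Connect discovery URL derived from the authentication server URL, the Client Credentials token request with space-separated scopes, and the Authorization header the scanner then carries on each API request. The URLs, client credentials and the `{url, headers}` request shape are constructed assumptions.

```javascript
// Added illustration, not Veracode code: the OAuth 2.0 client-credentials exchange
// that the configuration above asks the scanner to perform. All URLs and
// credentials used with these functions are constructed sample values.

// OpenID Connect Discovery 1.0: the provider metadata (including token_endpoint)
// lives at a fixed path under the issuer URL entered as the OpenID Connect URL.
function openIdDiscoveryUrl(issuerUrl) {
  return `${issuerUrl.replace(/\/+$/, "")}/.well-known/openid-configuration`;
}

// Token request for the client credentials grant (RFC 6749 section 4.4).
// Multiple scope values are space-separated, matching the Scope field above.
// The client authenticates with HTTP Basic (RFC 6749 section 2.3.1).
function buildClientCredentialsRequest(tokenEndpoint, clientId, clientSecret, scopes = []) {
  const params = new URLSearchParams({ grant_type: "client_credentials" });
  if (scopes.length > 0) params.set("scope", scopes.join(" "));
  const credentials = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
  return {
    method: "POST",
    url: tokenEndpoint,
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
      Authorization: `Basic ${Buffer.from(credentials, "utf8").toString("base64")}`,
    },
    body: params.toString(),
  };
}

// Convert the token response into the Authorization header value carried on
// every scanned API request (RFC 6750 bearer usage). Rejects responses that
// carry no access_token rather than sending an empty header.
function authorizationHeaderFor(tokenResponse) {
  const token = tokenResponse && tokenResponse.access_token;
  if (typeof token !== "string" || token.length === 0) {
    throw new Error("token response carries no access_token");
  }
  const type = (tokenResponse.token_type || "bearer").toLowerCase();
  if (type !== "bearer") throw new Error(`unsupported token_type: ${type}`);
  return `Bearer ${token}`;
}

// Attach the header to an outgoing API request without mutating the original.
// The request object shape {url, headers} is a hypothetical stand-in, not
// Veracode's SRM interface.
function withAuthorization(request, tokenResponse) {
  const headers = { ...(request.headers || {}), Authorization: authorizationHeaderFor(tokenResponse) };
  return { ...request, headers };
}
```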

Configure Scriptable Request Modification (SRM)

When you configure an API specification scan, you can upload an SRM script to modify API requests for remote host authentication.

Before you begin:

To complete this task:

  1. Save the SRM script as a plain-text JavaScript file.
  2. Create an API target. On the API Specification page, upload the JavaScript file when creating the API target. When you request a scan, Veracode evaluates the script once to verify that it is valid and free of errors.