
Configure scanner variables

You create scanner variables in the Veracode Platform to define information that you can reference in your login scripts for web application scans. Each variable consists of a reference key and a value. You typically create scanner variables for URL sign-in credentials that you want to keep safe and reuse in multiple scripts.

You can also configure and reference variables with the REST API.

If you use scriptable request modification (SRM) authentication for API scans, you can reference the variables in your SRM scripts.

Create a scanner variable

Before you begin:

If you want to create a variable that defines a time-based one-time password (TOTP) secret for signing in to a URL that requires multifactor authentication (MFA), ensure you have the TOTP secret.

To complete this task:

  1. In the Veracode Platform, create an analysis or configure an existing analysis for a web application.
  2. On the Configure or Edit Configure page, in the URLs to Scan table, locate a URL, then select Configure (the pencil icon).
  3. In the Configure window, expand Scanner Variables.
  4. For Reference Key, enter the variable key. For example, My_password_key.
  5. For Value, enter the variable value. When the login script runs the command that references the variable, it passes this value.
  6. To indicate that the variable defines a TOTP secret for multifactor authentication, select TOTP seed.
  7. Optionally, to add additional variables, select Add Variable.

Reference a variable in a login script

Before you begin:

To complete this task:

  1. Open your login script in the Selenium IDE or a code editor.

  2. Add a command or edit an existing command in which you want to reference the scanner variable.

  3. For the command value, enter the scanner variable reference key as ${My_variable_key}, where My_variable_key is the reference key name. The key name must match the value in the Reference Key field under Scanner Variables in the Veracode Platform.

    For example, a login script can reference the variable ${TOTP_SECRET}, which defines the TOTP secret for a URL that requires multifactor authentication. The command uses the variable to type the TOTP secret on the sign-in page of a web application.

  4. Save your Selenium project or login script.

  5. When the login script is complete, you can upload it to the Veracode Platform.
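
A pre-upload check for the steps above, as an added example that is not Veracode code: it parses a Selenium IDE `.side` project and reports `${...}` references with no matching Reference Key, plus credential-looking fields that still hold a literal value. The function name, the field-name heuristic, the case-sensitive key comparison, and the sample project are assumptions made for illustration.

```python
import json
import re

# Reference syntax described on this page: ${My_variable_key}
REF = re.compile(r"\$\{([^}]+)\}")
# Assumption: locator substrings that suggest a credential field.
SENSITIVE = re.compile(r"pass|pwd|secret|totp|otp|token", re.I)


def check_login_script(side_json, configured_keys):
    """Return (missing_keys, hardcoded) for a Selenium IDE project.

    configured_keys: Reference Key values entered under Scanner Variables.
    """
    project = json.loads(side_json)
    missing, hardcoded = set(), []
    for test in project.get("tests", []):
        for cmd in test.get("commands", []):
            value, target = cmd.get("value", ""), cmd.get("target", "")
            refs = REF.findall(value) + REF.findall(target)
            # Assumption: keys compare exactly (case-sensitive). Selenium
            # key constants such as ${KEY_ENTER} are not scanner variables.
            missing.update(k for k in refs
                           if k not in configured_keys and not k.startswith("KEY_"))
            if (cmd.get("command") in ("type", "sendKeys")
                    and SENSITIVE.search(target)
                    and value and not REF.search(value)):
                hardcoded.append((test.get("name", ""), target))
    return sorted(missing), hardcoded


# Constructed sample project, not taken from a real application.
SAMPLE_SIDE = json.dumps({
    "name": "login",
    "tests": [{
        "name": "sign-in",
        "commands": [
            {"command": "open", "target": "/login", "value": ""},
            {"command": "type", "target": "id=username", "value": "${My_user_key}"},
            {"command": "type", "target": "id=password", "value": "example-literal-password"},
            {"command": "type", "target": "id=totp", "value": "${TOTP_SECRET}"},
            {"command": "click", "target": "id=submit", "value": ""},
        ],
    }],
})

if __name__ == "__main__":
    print(check_login_script(SAMPLE_SIDE, {"My_user_key", "My_password_key", "Totp_Secret"}))
```

Variables that the script sets itself with Selenium `store` commands are also reported as missing; add their names to `configured_keys` to exclude them.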

Obtain a TOTP secret

Before you begin:

  • You have installed and configured a multifactor authentication tool for the URLs you want to scan.

To complete this task:

  1. Sign in to your web application. A window opens and displays your authentication code or a QR code.
  2. Locate the TOTP secret. For help with locating the TOTP secret, see the documentation for your authentication tool.
  3. Copy the TOTP secret and add it to your scanner variable or save it to a secure, temporary location.