Skip to main content

Crashtest Security API


Veracode has deprecated the Crashtest Security API and is no longer updating it. For support, contact Veracode Technical Support.

The Crashtest Security API provides several features for you to run dynamic analysis scans without human interaction, such as a user selecting from the interface. For example, you could set up targets and starts scans for systems that need to update data dynamically.

You can use the Crashtest API to do the following:

  • Targets (projects)
    • Create a target
    • Delete a target
  • Scans
    • Start a new scan for a target
    • Stop a running Scan
    • Retrieve the status of a scan
    • Retrieve the finding for a scan (PDF, XML, JSON)

Permissions and authentication

Before you can use this API, you must have:

  • A Veracode user account with the Team Admin or Security Engineer role.
  • An API key. The API key is attached to your user account and has the same permissions as your assigned role. You can request an API key from Veracode Technical Support.

You add the API key as either a Header attribute or a GET parameter in the URL of your request. For details, see AUTHORIZATIONS in the API specification. The API key for DAST Essentials is separate from the API credentials you use with other Veracode products.

Attach the API key

There are multiple ways of attaching the key. It can either be attached to the URL as a parameter or used as a header field within the request. Both versions allow the "api_key" attribute to be either fully lower or upper case.

As a parameter in the URL:{my_secret_key}{my_secret_key}

As a header attribute:

API_KEY: {my_secret_key}
api_key: {my_secret_key}

Crashtest IDs

For most requests, it is necessary to have some IDs in advance. An ID is a unique identifier that clarifies which team and target you want to update.

Team ID

The team ID can be retrieved from the Local Storage of the browser or by requesting from Veracode Technical Support.

To find the local storage for your browser, open the developer tools.

  1. Select the Application tab.
  2. Select the local storage for
  3. Check the user entry for the active_team_id.

This value updates and represents the newly selected team when switching between different teams.

Target ID

There are two ways of retrieving the ID of a target (project).

If the target is created using the API, the response of the create API call contains the target ID.

Project ID from API Response

Obtain the target ID from the URL that points to the target. For example, in your browser you see a URL similar to the following:`  

In this example, the project ID is 123.

Scan ID

When starting a scan using the API, the response of the call contains the ID of the scan:

Scan ID from API Response

If the API call to start a new scan is used while another scan for the same target is already running, the API call returns the ID of the running scan.

Crashtest Security API specification

The Crashtest Security API specification is available from SwaggerHub.