Skip to main content

Create a credentials variable for Dynamic Analysis login scripts with the REST API

Use the Dynamic Analysis API to update credentials fields in login scripts by creating a scan engine variable that the API uses at runtime.

With a variable login script you do not need to know the credentials for the application to which Dynamic Analysis is logging in, nor do you need to create a new login script every time the credentials values change.

You can also configure variables in the Veracode Platform.

See the example login scripts.

Example Python code for using the scan engine variables API feature is available from https://github.com/anon-veracoder/veracode-dynamic-analysis-api-examples.

To complete this task:

  1. Add the values for the description, value, and, optional, reference_key properties in the JSON file. The reference key is the value you use in your login script. Alternatively, you can use the scanner_variable_id that the API returns in response to a POST in your login scripts.

  2. Send the following request:

    http --auth-type=veracode_hmac POST "https://api.veracode.com/was/configservice/v1/scanner_variables" < input.json

    This is an example of how to create a new scan engine variable key-value pair:

    {
       "description": "Password key for my application",
       "reference_key": "MY_PASSWORD_KEY",
       "value": "Passw0rd123"
    }

    This example adds the totp property set to true to indicate that the value is a time-based one-time password (TOTP) secret. You use TOTP secrets to sign in to URLs that require multifactor authentication (MFA). See the example Selenium scripts.

    {
       "description": "Password key for my application",
       "reference_key": "MY_PASSWORD_KEY",
       "value": "Passw0rd123"
       "totp": true
    }

    This is an excerpt of a Selenium login script that references the key MY_PASSWORD_KEY. When the dynamic scan engine executes the login script, the value Passw0rd123 replaces the key ${MY_PASSWORD_KEY} at runtime. The login script does not return the key value, which remains hidden from users.

     {
      "name": "Name-of-Your-Dynamic-Analysis",
      "id": "5045080b-99ad-47e9-a8a6-7897bf4b5975",
      "comment": "",
      "request": "type",
      "target": "name=password",
      "targets": [
        [
          "name=password",
          "name"
        ],
        [
          "css=tr:nth-child(7) input:nth-child(2)",
          "css:finder"
        ],
        [
          "xpath=//input[@name='password']",
          "xpath:attributes"
        ],
        [
          "xpath=//tr[7]/td[2]/form/input[2]",
          "xpath:position"
        ]
      ],
      "value": "${MY_PASSWORD_KEY}"
    }
Last updated on