DAST Essentials REST API
You can use the DAST Essentials Target Configuration Service REST API to automate the tasks for running and managing analyses of web applications and REST APIs. You can use this API to programmatically run an analysis of a web application or REST API and integrate it into your Software Development Life Cycle (SDLC).
This API does not support analyses you create with Veracode Dynamic Analysis.
The API provides endpoints for creating, retrieving, updating, and deleting targets and analysis profiles.
The API endpoints perform the following tasks:
- Create targets
- Configure targets
- Schedule and run analyses on these targets
- Retrieve the latest analysis run results of a target
Permissions and authentication
Before you can use all endpoints of the DAST Essentials Target Configuration Service API, you must have one of the following accounts with the required roles:
- An API service account with the Upload and Scan API role.
- A user account with the Security Lead, Creator, or Submitter role.
To improve security, this API uses API ID/key credentials and HMAC authentication. Before you can send requests, you must complete the following configurations:
Ensure you access the APIs with the domain for your region.
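The httpie commands on this page rely on the veracode_hmac auth plugin to produce the Authorization header. The following Python is an added illustration of that HMAC scheme, written for this page rather than taken from Veracode's SDK or docs; it follows the publicly documented VERACODE-HMAC-SHA-256 signing chain, and the sample ID and key are constructed placeholders, not real credentials. In a pipeline you would use the official signing package instead and keep the key in a secret store, never in the input.json that the commands above read.

```python
import hmac
import os
import time
from hashlib import sha256
from urllib.parse import urlparse

# Constructed sample credentials with the shape of a real API ID/key pair
# (32 hex chars / 128 hex chars). They are placeholders, not working keys.
SAMPLE_API_ID = "0123456789abcdef0123456789abcdef"
SAMPLE_API_KEY = "ab" * 64

HEADER_SCHEME = "VERACODE-HMAC-SHA-256"
REQUEST_VERSION = b"vcode_request_version_1"


def veracode_hmac_header(api_id, api_key, method, url, nonce=None, timestamp_ms=None):
    """Return the Authorization header value for one request.

    nonce (16 random bytes as hex) and timestamp_ms (Unix epoch ms) are
    parameters only so the function is deterministic under test; normal
    callers leave them None and a fresh pair is generated per request.
    """
    parsed = urlparse(url)
    host = parsed.netloc
    path = parsed.path + ("?" + parsed.query if parsed.query else "")
    if nonce is None:
        nonce = os.urandom(16).hex()
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)

    # The signed string binds the request to key id, host, path and method,
    # so a captured header cannot be replayed against a different endpoint,
    # and the timestamp lets the server reject stale signatures.
    data = f"id={api_id}&host={host}&url={path}&method={method.upper()}".encode()

    # Key derivation chain: secret -> nonce -> timestamp -> request version.
    key_nonce = hmac.new(bytes.fromhex(api_key), bytes.fromhex(nonce), sha256).digest()
    key_date = hmac.new(key_nonce, str(timestamp_ms).encode(), sha256).digest()
    signature_key = hmac.new(key_date, REQUEST_VERSION, sha256).digest()
    signature = hmac.new(signature_key, data, sha256).hexdigest()

    return f"{HEADER_SCHEME} id={api_id},ts={timestamp_ms},nonce={nonce},sig={signature}"


if __name__ == "__main__":
    # Signing the "retrieve a list of targets" request from this page.
    print(veracode_hmac_header(SAMPLE_API_ID, SAMPLE_API_KEY, "GET",
                               "https://api.veracode.com/dae/api/tcs-api/api/v1/targets"))
```

Because the method and path are part of the signed data, a header computed for GET /targets is not valid for POST /targets or for any other endpoint; the check in the test below makes that visible.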
DAST Essentials Target Configuration Service API specification
The DAST Essentials Target Configuration Service API specification is available from SwaggerHub.
Manage targets
A target represents either a web application or REST API you want to analyze with DAST Essentials. It contains required metadata, such as the target name, URLs to scan, the protocol type, and scan type. Depending on your user role, you can configure the target visibility to control which users or teams can access the target and results.
Create a target
To create a target, send the following request:
http --auth-type=veracode_hmac POST "https://api.veracode.com/dae/api/tcs-api/api/v1/targets" < input.json
The API passes the JSON file that you populate with the necessary values as shown in this example payload:
{
  "name": "My example web app",
  "protocol": "HTTPS",
  "url": "app.example.com",
  "target_type": "WEB_APP",
  "scan_type": "FULL",
  "is_sec_lead_only": true
}
Retrieve a list of targets
To retrieve a list of all targets to which you have visibility, send the following request:
http --auth-type=veracode_hmac GET https://api.veracode.com/dae/api/tcs-api/api/v1/targets
To control the number of records returned, you can use pagination properties, such as page and limit.
Update a target
To update a target, send the following request:
http --auth-type=veracode_hmac PUT "https://api.veracode.com/dae/api/tcs-api/api/v1/targets/{target_id}" < input.json
The API passes the JSON file that you populate with the necessary values as shown in this example payload:
{
  "url": "updated.example.com"
}
Delete a target
To delete a target, send the following request:
http --auth-type=veracode_hmac DELETE https://api.veracode.com/dae/api/tcs-api/api/v1/targets/{target_id}
Manage analysis profiles
Analysis profiles represent the configuration used during an analysis run. Every target has at least one corresponding analysis profile. Analysis profiles control the scope, coverage, duration, authentication, and general behavior of an analysis.
You can use the following analysis profiles:
- Target
- System
Target analysis profiles are the analysis profiles directly associated with a target. They determine the behavior of analysis runs for their specific targets. Each target analysis profile is associated with a system analysis profile. System analysis profiles are pre-defined analysis profiles that determine default values and which values are editable at a target level. Target analysis profiles inherit settings from the associated system analysis profiles.
Retrieve an analysis profile
To retrieve an analysis profile for a target, send the following request:
http --auth-type=veracode_hmac GET https://api.veracode.com/dae/api/tcs-api/api/v1/analysis_profiles?target_id={target_id}
Update an analysis profile
To update an analysis profile for a target using an analysis profile ID, send the following request:
http --auth-type=veracode_hmac PUT "https://api.veracode.com/dae/api/tcs-api/api/v1/analysis_profiles/{analysis_profile_id}" < input.json
The API passes the JSON file that you populate with the necessary values as shown in this example payload:
{
  "max_duration": 1000,
  "allowed_urls": ["https://api.example.com", "https://auth.example.com"]
}
Manage scanners
To control which attacks and checks to execute on your target, you can configure a set of scanners for each analysis profile.
Retrieve scanners for an analysis profile
To retrieve the scanners for an analysis profile, send the following request:
http --auth-type=veracode_hmac GET "https://api.veracode.com/dae/api/tcs-api/api/v1/analysis_profiles/{analysis_profile_id}/scanners"
Activate and deactivate scanners
To activate or deactivate scanners for an analysis profile, send the following request:
http --auth-type=veracode_hmac PUT "https://api.veracode.com/dae/api/tcs-api/api/v1/analysis_profiles/{analysis_profile_id}/scanners" < input.json
The API passes the JSON file that you populate with the necessary values as shown in this example payload:
{
  "scanners": [
    {
      "id": "ssl",
      "value": true
    },
    {
      "id": "sql_injection",
      "value": true
    }
  ]
}
Run an analysis
To initiate a dynamic analysis run, send the following request:
http --auth-type=veracode_hmac POST "https://api.veracode.com/dae/api/tcs-api/api/v1/analysis_run" < input.json
The API passes the JSON file that you populate with the necessary values as shown in this example payload:
{
  "id": "{target_id}"
}
Retrieve an analysis run report
To retrieve the latest report for a target, send the following request:
http --auth-type=veracode_hmac GET https://api.veracode.com/dae/api/tcs-api/api/v1/analysis_run/report/{target_id}
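The sections above (create a target, retrieve and update its analysis profile, run an analysis, retrieve the report) form the sequence an SDLC integration would drive. The following Python is an added example of that sequence, written for this page and not part of Veracode's tooling. It uses only the endpoints and payload fields shown on this page; the HTTP transport is injected so the flow runs offline against a constructed fake here, and in production you would wire it to a real HTTP client plus the veracode_hmac authentication. The response shapes (an "id" field on the created target, a list of profiles from the analysis_profiles query) are assumptions, marked as such in the code; check them against the API specification on SwaggerHub.

```python
import json
from urllib.parse import urlencode

# Base URL from this page; substitute the domain for your region if it differs.
BASE_URL = "https://api.veracode.com/dae/api/tcs-api/api/v1"


class DastEssentialsClient:
    """Minimal wrapper over the Target Configuration Service endpoints on this page."""

    def __init__(self, transport, base_url=BASE_URL):
        # transport(method, url, json_body_or_None) -> (http_status, decoded_json)
        self._send = transport
        self._base = base_url.rstrip("/")

    def _call(self, method, path, body=None):
        status, data = self._send(method, f"{self._base}{path}", body)
        if status not in (200, 201):
            # Fail loudly so a CI job never proceeds on an unscoped or unstarted scan.
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {data}")
        return data

    def create_target(self, name, url, protocol="HTTPS", target_type="WEB_APP",
                      scan_type="FULL", sec_lead_only=True):
        payload = {"name": name, "protocol": protocol, "url": url,
                   "target_type": target_type, "scan_type": scan_type,
                   "is_sec_lead_only": sec_lead_only}
        return self._call("POST", "/targets", payload)

    def get_analysis_profiles(self, target_id):
        return self._call("GET", "/analysis_profiles?" + urlencode({"target_id": target_id}))

    def update_analysis_profile(self, profile_id, changes):
        return self._call("PUT", f"/analysis_profiles/{profile_id}", changes)

    def run_analysis(self, target_id):
        return self._call("POST", "/analysis_run", {"id": target_id})

    def latest_report(self, target_id):
        return self._call("GET", f"/analysis_run/report/{target_id}")


def onboard_and_scan(client, name, url, allowed_urls, max_duration):
    """Create a target, scope its profile, start a run. Returns (target_id, profile_id)."""
    target_id = client.create_target(name, url)["id"]  # ASSUMPTION: "id" in create response
    profiles = client.get_analysis_profiles(target_id)
    profile = profiles[0] if isinstance(profiles, list) else profiles  # ASSUMPTION: list or object
    profile_id = profile["id"]
    # Restrict scope and duration before the first run so the scanner stays on hosts you own.
    client.update_analysis_profile(profile_id,
                                   {"allowed_urls": allowed_urls, "max_duration": max_duration})
    client.run_analysis(target_id)
    return target_id, profile_id


def make_fake_transport(log):
    """Constructed offline stand-in for the API; records every call into `log`."""
    def transport(method, url, body):
        log.append((method, url, body))
        path = url[len(BASE_URL):]
        if (method, path) == ("POST", "/targets"):
            return 201, {"id": "target-0001"}
        if method == "GET" and path.startswith("/analysis_profiles?target_id="):
            return 200, [{"id": "profile-0001", "max_duration": 600}]
        if method == "PUT" and path == "/analysis_profiles/profile-0001":
            return 200, {"id": "profile-0001", **body}
        if (method, path) == ("POST", "/analysis_run"):
            return 200, {"status": "STARTED"}
        return 404, {"message": "not found"}
    return transport


if __name__ == "__main__":
    log = []
    client = DastEssentialsClient(make_fake_transport(log))
    print(onboard_and_scan(client, "My example web app", "app.example.com",
                           ["https://app.example.com"], 1000))
    for entry in log:
        print(json.dumps(entry))
```

Scoping the profile before the first run is the step worth keeping even if you drop everything else: the analysis_run request on this page takes only a target ID, so whatever allowed_urls and max_duration the profile holds at that moment is what the run uses.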
Manage schedules
To schedule a dynamic analysis run, send the following request:
http --auth-type=veracode_hmac POST "https://api.veracode.com/dae/api/tcs-api/api/v1/analysis_profiles/{profile_id}/schedules" < input.json
The API passes the JSON file that you populate with the necessary values as shown in this example payload:
{
  "frequency": "daily",
  "day": 0,
  "weekday": 0,
  "timezone": "America/New_York",
  "time": "22:30"
}
Retrieve schedules for an analysis profile
To retrieve the schedules for an analysis profile, send the following request:
http --auth-type=veracode_hmac GET https://api.veracode.com/dae/api/tcs-api/api/v1/analysis_profiles/{profile_id}/schedules
Update a schedule for an analysis profile
To update a schedule for an analysis profile, send the following request:
http --auth-type=veracode_hmac PUT "https://api.veracode.com/dae/api/tcs-api/api/v1/analysis_profiles/{profile_id}/schedules/{schedule_id}" < input.json
The API passes the JSON file that you populate with the necessary values as shown in this example payload:
{
  "time": "12:30",
  "timezone": "America/New_York",
  "frequency": "daily"
}
Run an authenticated analysis
To update the system authentication for an analysis profile so that it runs an authenticated analysis, send the following request:
http --auth-type=veracode_hmac PUT "https://api.veracode.com/dae/api/tcs-api/api/v1/analysis_profiles/{analysis_profile_id}/system_authentication" < input.json
The API passes the JSON file that you populate with the necessary values as shown in this example payload:
{
  "username": "{username}",
  "password": "{password}"
}