Example Scripts for Scriptable Request Modification Authentication

Publication: Getting Started with Veracode API Scanning
Edition date: 2023-02-03
Last publication: 2023-02-03T16:57:41.447106

Veracode API Scanning supports scriptable request modification (SRM) that enables you to modify API requests during authentication with remote hosts. To implement the SRM authentication option in your organization, you can use the example scripts in this section as a starting point.

After you create the script, save it as a plain-text JavaScript file and upload it in the Veracode Platform when you configure authentication for API Scanning. When you submit a scan request, Veracode evaluates the script one time to ensure that it is valid and free of errors.

SRM Script Requirements

SRM scripts have access to standard ECMAScript syntax, commonly referred to as JavaScript, but cannot load any external libraries. The scripts can reference and set objects in the global scope, and these values are accessible to all requests. For example, a script can define constants that it reuses, or save a value during one request and then retrieve that value during a future request.

Initial Function

The script must define one initial function named run() that accepts no parameters and returns no value. At runtime, every request calls this function one time. For example:

function run() {
    // modification logic goes here
}

Global Object and Scope

The script context has a reference to a global object named vc. The vc object contains the values of any user-defined credentials variables within an object named variables. This example extracts the value mapped to a credentials variable with the name API_KEY to a script variable named key:

function run() {
    let key = vc.variables['API_KEY'];
}

When the run() function is called, the current request is accessible in the global scope as a variable named request. The script can extract the properties of the request from this object:

function run() {
    let headers = request.headers();
    let uri = request.uri();
}
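
The following is an added example, not part of the original Veracode documentation and not Veracode code: a Node.js harness that checks a script locally against the run() contract and the shared global scope described above before you upload it. The vc and request stubs, the names loadSrmScript, simulate, setRequest, and peek, and the sample script are assumptions; this page does not state what request.headers() or request.uri() return.

```javascript
// Added example (Node.js, no dependencies): pre-upload check for an SRM script.
// Assumption: the vc/request stubs below only mimic the interface this page names
// (vc.variables, request.headers(), request.uri()); their return types are guesses.
// new Function is not a sandbox: run this only on scripts you wrote.

// Constructed sample script, limited to the calls shown on this page.
const SAMPLE_SCRIPT = `
let seen = 0;        // global state: survives from one request to the next
let lastUri = null;
function run() {
    let key = vc.variables['API_KEY'];
    if (!key) { throw new Error('credentials variable API_KEY is not set'); }
    let headers = request.headers();
    let uri = request.uri();
    seen += 1;
    lastUri = uri;
}`;

// Evaluate the script once and check the run() contract.
function loadSrmScript(source, variables) {
    const vc = { variables: Object.freeze({ ...variables }) };
    const ctx = new Function('vc', `
        let request;               // rebound by the harness before each run()
        ${source}
        return {
            run: typeof run === 'function' ? run : undefined,
            setRequest: (r) => { request = r; },
            peek: (name) => eval(name),   // read a script-level variable
        };`)(vc);
    if (typeof ctx.run !== 'function') throw new Error('script must define run()');
    if (ctx.run.length !== 0) throw new Error('run() must accept no parameters');
    return ctx;
}

// Call run() once per constructed request; collect violations instead of stopping.
function simulate(ctx, requests) {
    const errors = [];
    for (const r of requests) {
        ctx.setRequest({ headers: () => ({ ...r.headers }), uri: () => r.uri });
        try {
            if (ctx.run() !== undefined) errors.push(`${r.uri}: run() returned a value`);
        } catch (e) {
            errors.push(`${r.uri}: ${e.message}`);
        }
    }
    return errors;
}
```

Keeping the credential in a credentials variable and failing loudly when it is missing, as the sample script does, surfaces a misconfigured scan locally without placing the key in the script file.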