Review API scanning prescan results

In the Veracode Platform, you can review the results of a prescan or full scan of your scanned API specifications or Postman Collections. The results indicate whether Veracode successfully reached and, if required, authenticated with the target server for each API endpoint or request included in the analysis.

If you ran a full Dynamic Analysis of your API specification, instead of a prescan, see Understanding the Dynamic Analysis Coverage Report.

Before you begin:

  • You have a Veracode account with the Creator, Submitter, or Security Lead role. Any member of the team associated with the Dynamic Analysis is able to view the analysis and its results.
  • You have created an API specification scan and run a prescan.
  • The scan status must be Completed - Results Available.

To complete this task:

  1. Sign in to the Veracode Platform.

  2. Select Scans and Analysis > Dynamic Analysis.

  3. In the All Dynamic Analyses table, select the analysis name.

  4. Under API Specifications List, locate your specification.

  5. To view detailed information about a scan, in the Actions column, select either View Prescan Details or View Scan Details. On the scan details page, you can review the scan status and any scan configuration errors. For a prescan, you might need to correct these errors before you can run a full scan. The scan details page also shows the authentication and connection information that each request uses to access your target API server.

  6. In the Request and Response section, review the endpoints or requests included in the scan. To ensure optimal performance, a prescan only includes the first 100 endpoints or requests from each specification or Postman Collection. Requests in error are highlighted red with an error code in the Response column. The prescan uses the traffic defined in the specification to:

    • Test the connectivity to the API server, particularly if the server is behind a firewall and you have configured an Internal Scanning Management (ISM) gateway and endpoint.
    • Verify the authentication method for accessing the server. For example, a 401 in the Response column might indicate an authentication problem for that request.

  7. Optionally, to view configuration information about the API specification or Postman Collection you scanned, at the top of the page, select PRESCAN CONFIGURATION or SCAN CONFIGURATION. You can download the specification in its original format or, for OpenAPI 2.0 and 3.0, download the converted HAR file.
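The following Python script is an added example, not Veracode's code, that mirrors what steps 6 and 7 describe: it flattens a small constructed OpenAPI 3.0 document into the per-operation request list a prescan would exercise (capped at the first 100 endpoints the page mentions), serializes that list as a HAR log, and sorts constructed prescan responses into the problem classes a reviewer would chase (no response at all points at connectivity or the ISM gateway, 401 at authentication). The HAR layout, the `spec_to_requests`, `to_har`, `triage` and `summarize` helper names, the sample spec and the sample responses are all assumptions for illustration; the platform's own converter may emit a different file.

```python
"""Added example, not Veracode's own code: flatten an OpenAPI 3.0 document
into the HAR-style request list a prescan exercises, then triage the
response each request received the way the page suggests reading them."""
import json
from typing import Dict, List, Optional

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
PRESCAN_LIMIT = 100  # the page states a prescan covers only the first 100 endpoints

# Constructed sample OpenAPI 3.0 document; the host is a non-routable placeholder.
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "servers": [{"url": "https://api.example.invalid/v1"}],
    "paths": {
        "/health": {"get": {"summary": "Liveness probe"}},
        "/users": {
            "get": {"security": [{"bearerAuth": []}]},
            "post": {"security": [{"bearerAuth": []}]},
        },
        "/users/{id}": {"get": {"security": [{"bearerAuth": []}]}},
    },
}

# Constructed prescan outcomes keyed by "METHOD path"; None means no HTTP
# response came back at all (the request never reached the server).
SAMPLE_RESPONSES: Dict[str, Optional[int]] = {
    "GET /health": 200,
    "GET /users": 401,
    "POST /users": None,
    "GET /users/{id}": 401,
}


def spec_to_requests(spec: dict, limit: int = PRESCAN_LIMIT) -> List[dict]:
    """Walk paths in document order and emit one request per operation,
    stopping at `limit` (assumed here to mirror the prescan cap)."""
    base = spec["servers"][0]["url"].rstrip("/")
    requests: List[dict] = []
    for path, item in spec["paths"].items():
        for method in HTTP_METHODS:
            if method not in item:
                continue
            requests.append({
                "method": method.upper(),
                "path": path,
                "url": base + path,  # path parameters such as {id} are left unexpanded
                "requires_auth": bool(item[method].get("security")),
            })
            if len(requests) >= limit:
                return requests
    return requests


def to_har(requests: List[dict]) -> str:
    """Serialize the request list as a minimal HAR 1.2 log (assumed shape,
    not necessarily identical to the file the platform lets you download)."""
    entries = [{"request": {"method": r["method"], "url": r["url"],
                            "httpVersion": "HTTP/1.1", "headers": [],
                            "queryString": [], "cookies": [],
                            "headersSize": -1, "bodySize": -1}}
               for r in requests]
    return json.dumps({"log": {"version": "1.2",
                               "creator": {"name": "example", "version": "0"},
                               "entries": entries}}, indent=2)


def triage(status: Optional[int]) -> str:
    """Map a prescan response to the problem class a reviewer should chase."""
    if status is None:
        return "connection"       # nothing answered: check firewall/ISM gateway reachability
    if status == 401:
        return "authentication"   # the page's own example of an auth problem
    if 200 <= status < 400:
        return "ok"
    if 400 <= status < 500:
        return "client-error"     # e.g. 404 for a path the server no longer serves
    return "server-error"


def summarize(spec: dict, responses: Dict[str, Optional[int]]) -> Dict[str, List[str]]:
    """Group every in-scope request by triage class."""
    buckets: Dict[str, List[str]] = {}
    for r in spec_to_requests(spec):
        key = f"{r['method']} {r['path']}"
        buckets.setdefault(triage(responses.get(key)), []).append(key)
    return buckets


if __name__ == "__main__":
    print(to_har(spec_to_requests(SAMPLE_SPEC)))
    for bucket, keys in summarize(SAMPLE_SPEC, SAMPLE_RESPONSES).items():
        print(f"{bucket}: {keys}")
```

Run it as-is to see the HAR entries and the triage buckets for the constructed data; replacing `SAMPLE_RESPONSES` with the status codes read off the Response column of a real scan details page gives a quick split between endpoints that need a connectivity fix and those that need the authentication configuration corrected before a full scan.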