Scan APIs

Use DAST Essentials Enterprise mode to configure authentication for API scans using scanner variables, client certificates, Scriptable Request Modification (SRM), and the OAuth 2.0 protocol, so that the scanners can reach every endpoint and test it thoroughly. The findings identify vulnerabilities that need to be addressed promptly.

Create a scan

Create an API specification scan in the Veracode Platform in DAST Essentials to scan the following:

  • Endpoints in one or more API specifications
  • Requests in one or more Postman Collections

You can also scan APIs with the DAST Essentials REST API.

Before you begin:

  • You must have a DAST Essentials license.
  • You must have a Veracode account. Any member of the team associated with DAST Essentials can view the analysis and its results.
  • You must have an API specification that you want to scan, permissions to scan it, and any required authentication information. You can either provide a URL where an API specification is hosted or upload an API specification file. API specifications must be in one of the following formats:
    • OpenAPI (well-formed and uncompressed YAML or JSON)
    • HTTP Archive (HAR)
    • Postman Collection
  • For OpenAPI specifications and Postman Collections, you must have the base URL where the API for your specification is hosted. All scans of the specification will use this URL as an allowed host and ignore requests to other hosts. For more information, see API specification management.
  • For Postman Collections, if you have defined variables in Postman environments, you must manually add the variables from the environment files to the variable field in your Postman Collections.
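The last requirement above is easy to get wrong by hand: a variable that stays undefined is sent literally (for example as `{{apiToken}}`) during the scan, so authentication silently fails for that request. The following Python is an added example, not Veracode's or Postman's code; it merges the enabled values of a Postman environment export into the collection's top-level `variable` list and reports any referenced variables that remain undefined. The collection and environment are constructed samples.

```python
import json
import re

# Constructed sample inputs (not from the Veracode documentation): a minimal
# Postman Collection v2.1 and a Postman environment export, as JSON strings.
COLLECTION_JSON = """{
  "info": {"name": "orders-api"},
  "variable": [{"key": "baseUrl", "value": "https://api.example.test"}],
  "item": [
    {"name": "list orders",
     "request": {"method": "GET", "url": "{{baseUrl}}/orders?limit={{pageSize}}"}},
    {"name": "get order",
     "request": {"method": "GET", "url": "{{baseUrl}}/orders/{{orderId}}",
                 "header": [{"key": "Authorization", "value": "Bearer {{apiToken}}"}]}}
  ]
}"""

ENVIRONMENT_JSON = """{
  "name": "staging",
  "values": [
    {"key": "pageSize", "value": "25", "enabled": true},
    {"key": "orderId", "value": "1001", "enabled": true},
    {"key": "apiToken", "value": "placeholder-token", "enabled": false}
  ]
}"""

VAR_REF = re.compile(r"\{\{([^{}]+)\}\}")  # matches {{name}} placeholders

def referenced_variables(collection: dict) -> set:
    """Every {{name}} referenced anywhere in the collection's request items."""
    return set(VAR_REF.findall(json.dumps(collection.get("item", []))))

def merge_environment(collection: dict, environment: dict) -> dict:
    """Copy enabled environment values into the collection's 'variable' list.
    Keys already defined in the collection are kept, so the environment never
    silently overrides a value the collection itself defines."""
    variables = collection.setdefault("variable", [])
    defined = {v["key"] for v in variables}
    for entry in environment.get("values", []):
        if entry.get("enabled", True) and entry["key"] not in defined:
            variables.append({"key": entry["key"], "value": entry["value"]})
            defined.add(entry["key"])
    return collection

def unresolved_variables(collection: dict) -> set:
    """Names referenced in requests but absent from 'variable'; these would be
    sent literally (e.g. '{{apiToken}}') when the scanner replays the request."""
    defined = {v["key"] for v in collection.get("variable", [])}
    return referenced_variables(collection) - defined

def merge_sample() -> dict:
    """Merge the constructed sample environment into the sample collection."""
    return merge_environment(json.loads(COLLECTION_JSON), json.loads(ENVIRONMENT_JSON))

if __name__ == "__main__":
    merged = merge_sample()
    print("defined:", sorted(v["key"] for v in merged["variable"]))
    print("unresolved:", sorted(unresolved_variables(merged)))  # ['apiToken']
```

Run the check before uploading the collection: a non-empty unresolved set means the collection still needs a value added to its variable field (here `apiToken`, because it is disabled in the environment).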

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > DAST Essentials.
  3. Select ADD TARGET.
  4. Select An API.
  5. Select Next.
  6. For Target Name, enter a name for the analysis. Ensure the name is unique to your organization and provides a human-readable description of the analysis.
  7. For Protocol, select the required option.
  8. For URL or IPv4, enter the base URL.
  9. For Team, select a team from the options available.
  10. Select Enterprise mode.
  11. Select NEXT.
  12. To enter the URL of the hosted API specification file, select URL and add the URL in the API SPECIFICATION FILE URL field. To upload an API specification file, select Upload.
    Note: The duration of the file upload varies depending on the size of the API specification file. The Veracode Platform displays messages if there are issues with the specification, such as an unsupported file format, invalid syntax, or a problem with the relative URL.

  13. To certify that your organization has the right to scan the content, select the checkbox.
  14. Select CREATE TARGET.

Configure a scan

After you create an API specification scan in the Veracode Platform in DAST Essentials, you can configure the API specification. Use Internal Scanning Management (ISM) if the server is behind a firewall.

Before you begin:

  • You must have a Veracode account with the Creator, Submitter, or Security Lead role. Any member of the team associated with the API scan can view the analysis and its results.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > DAST Essentials.
  3. Locate the target you want to configure. In the Actions column, select Configure.
  4. Select the API Specification tab. In the API Specification Information section, you configure the endpoints.
  5. In the table, in the Scope column, select one among the following:
    • Include: The scan includes the endpoint or request. By default, the scan includes all endpoints or requests.
    • Exclude: The scan excludes the endpoint or request. The scanners do not send requests to the excluded endpoints or requests.
    • Ignore (for Postman Collections only): The scan sends the request but does not detect vulnerabilities for it. The scanners send the request and run pre-processing or post-processing in the Postman Collection. For example, you might want to ignore a request that you do not want to scan, but that request is a dependency of another request that you do want to scan.
  6. In the Duration tab, you configure the maximum scan duration.
  7. In the Scanners tab, you select the scanners that should be executed for this API specification scan and exclude the ones that you do not want to execute.
  8. In the Authentication tab, you configure the authentication methods that the analysis uses to access your URLs.
  9. In the Automation tab, you create a schedule to run the analysis.
  10. Use ISM to access internal servers that are behind a firewall or not exposed to the public internet.
  11. Select SAVE. All the configuration changes that you save will take effect with the next scan.

Manage an API specification

After you create an API specification scan in the Veracode Platform in DAST Essentials, you can manage the API specification.

Before you begin:

  • You must have a Veracode account with the Creator, Submitter, or Security Lead role. Any member of the team associated with the API scan can view the analysis and its results.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > DAST Essentials.
  3. Locate the target you want to configure. In the Actions column, select Configure.
  4. Select the API Specification tab. To change the URL, in the API Specification section, select URL. To upload a different API specification file, in the API Specification section, select Upload.
  5. In the API Specification Information section, configure a scope of endpoints to include, exclude, or ignore (for Postman Collections) in the analysis run.
  6. Select SAVE.

Review the scan results

Review the history of your API specification scans or Postman Collections after an analysis run completes in the Veracode Platform in DAST Essentials Enterprise mode. The results indicate whether Veracode has successfully scanned your APIs and, if required, authenticated with the target server for each API endpoint or request included in the analysis run.

Before you begin:

  • You must have a Veracode account with the Creator, Submitter, or Security Lead role. Any member of the team associated with the API scan can view the analysis and its results.
  • You have created an API specification scan and run it.
  • The analysis run must have finished.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > DAST Essentials.
  3. Locate the target you want to review and select its hyperlink.
  4. To review the API specification scan, in the Url column of the table, select the hyperlink.