Scan web applications
Use Dynamic Analysis, in the Veracode Platform or through the REST API, to test the security of your web applications. You can also integrate the analysis with your development pipeline. The scans crawl one or more URLs and analyze all components and assets of the application. The results identify the vulnerabilities you might need to fix.
For an improved experience, we recommend using DAST. See the quickstart.
Create an analysis
Create an analysis in the Veracode Platform to specify the URLs to scan. Depending on the authentication requirements for accessing each URL, you can configure the scans as authenticated or unauthenticated. If your application is behind a firewall, and not accessible to the public internet, you must set up Veracode Internal Scanning Management (ISM).
You can also create an analysis using the REST API.
Before you begin:
- Ensure you have reviewed the prerequisites.
- If scanning internal web applications or APIs, ensure you have set up your ISM gateway and endpoint.
- If you want to link the scan results to the related application profile, ensure you have created the application profile. An application profile provides scan history, vulnerability history, reports, policy, and analytics for a linked application. You cannot start the scan from the linked application profile, only from the Dynamic Analysis page in the Veracode Platform.
Running Dynamic Analysis scans through a VPN is not supported.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Dynamic Analysis. The All Dynamic Analyses page opens.
- Select Scan Web Applications.
- Enter a name for the Dynamic Analysis. Use a name that uniquely identifies the analysis within your organization. For example, use the scan name, or the team or business unit responsible for this web application, as the name of the Dynamic Analysis.
- Enter the URLs using one of the following methods:
  - Upload a CSV file that contains a list of multiple URLs (250 maximum). Download the CSV template, enter all URLs and their respective credentials, save the file, and upload the saved file.
  - Enter the URLs manually (250 maximum). As you enter the URLs, they appear in the URLs to Scan list.
- From Actions at the end of each URL row, you can link the URL to an application profile or delete it from the Dynamic Analysis.
- In the Visibility Settings section, select the teams that can see the results of the analysis. Visibility settings apply to all URL scans in the analysis.
- Optionally, in the Organization Information section, select the business unit associated with the applications you are scanning, and the name and email address of the person responsible for the applications.
- In the Scanning Certification section, you must select the checkbox to confirm that your organization has the right to scan the URLs you have provided.
- To configure the analysis, select Configure.
- To edit a specific URL configuration, or to configure the authentication methods for accessing each URL, select the icon at the end of the URL row. If your analysis has several URLs, use the search box to find the one you want to configure.
- To link a URL to an application profile, select the icon. With the results linked, you can access results from multiple scan types for the same application, and review aggregated results from all scans in the Dynamic Analysis Coverage Report.
- To create a blocklist of URLs to exclude from scanning, under Dynamic Analysis Blocklist, select Exclude the following URLs. Enter the file path or directory path of the URLs you want to exclude from this analysis. If you enter a directory path, everything in that directory and its subdirectories is excluded. You must include the slash at the end of the URL for the analysis to treat it as a directory instead of a file.
  For example, if you add a blocklist entry of http://example.com/help/, the configuration blocklists the /help directory and anything under it, including:
  - /help/page1.html
  - /help/page2.html
  - /help/more/page3.html
  - /help/more/page4.html
  If you add a blocklist entry of http://example.com/help, the configuration blocklists this single page and nothing else. The URL-level blocklist takes precedence over this analysis-level blocklist; therefore, any additional URLs you enter on the URL-level blocklist during this configuration step are also excluded.
- To ensure we can scan the entire application, select Allowlist and add the allowed URLs.
  By default, we scan all subdirectories under the top-level domain. Because we do not automatically scan subdomains, you can bring them into the scope of the scan by adding them on the Allowlist tab. To change the scope of the scan, add a subdirectory to a URL. For example, if you add https://api.example.com/mydir/v1, the subdirectory /mydir/v1 in the subdomain api is now in scope. If you want to scan all subdirectories under api, omit the subdirectory and add https://api.example.com. We recommend that you add only the specific subdirectories that you want to scan instead of adding the entire directory.
- Optionally, to configure the user agent that the scan engine presents, so that it scans as a specific web browser, expand Dynamic Analysis User Agent. The user agent is a string of browser-specific text in the request header that the scan engine sends during scanning. The agent string defines which browsers and devices you want to include in the scope of the analysis. If available, select the required browser. If the browser you want is not available, select Custom and enter the custom string. In the User Agent String field, use browser-specific formatting to add any additional custom text to the prepopulated string to identify the browser source.
- To schedule the analysis, including whether to run a prescan before the scan, select Schedule.
  By default, your Dynamic Analysis is not scheduled. To review the schedule of any Dynamic Analysis, select the clock icon in the row for that Dynamic Analysis on the All Dynamic Analyses page.
  A prescan scans all URLs to verify that the scan can successfully reach and, if required, authenticate with each URL. You can schedule the analysis to run at a date up to 90 days in the future (60 days for internal scans).
- To submit the analysis, select Review and Submit. The analysis starts immediately or runs on the defined schedule.
- To see all scans and their statuses, go to the All Dynamic Analyses page.
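The blocklist and allowlist steps above encode two scoping rules that are easy to get wrong before submitting an analysis: a blocklist entry with a trailing slash excludes a whole directory tree while one without excludes a single path, and subdomains are out of scope unless an allowlist entry brings them in, optionally limited to one subdirectory. The following scope evaluator is an added example that implements those rules so you can check your own lists against the URLs you expect to be scanned or excluded; it is not Veracode's code and does not call the Veracode REST API. The function names, the choice to ignore the URL scheme, and the decision that a trailing-slash entry also covers the directory path itself are assumptions made for this example.

```python
"""Scope evaluator modelling the Dynamic Analysis blocklist/allowlist rules.

Added example, not Veracode code. It reproduces the two rules in the docs:
  * a blocklist entry ending in "/" excludes that directory and everything
    under it; an entry without the trailing slash excludes that path only;
  * by default only the scanned host (all subdirectories) is in scope; other
    subdomains enter scope only through the allowlist, optionally restricted
    to a subdirectory.
Assumptions: URL schemes are ignored and hosts are compared case-insensitively.
"""
from urllib.parse import urlsplit


def _host_path(url):
    """Return (host, path) with the host lower-cased and an empty path as '/'."""
    parts = urlsplit(url)
    return parts.netloc.lower(), parts.path or "/"


def is_blocklisted(url, blocklist):
    """True if `url` is excluded by any blocklist entry."""
    host, path = _host_path(url)
    for entry in blocklist:
        bhost, bpath = _host_path(entry)
        if host != bhost:
            continue
        if bpath.endswith("/"):
            # Directory entry: the directory itself and anything beneath it
            # (covering the directory path itself is an assumption).
            if path.startswith(bpath) or path == bpath.rstrip("/"):
                return True
        elif path == bpath:
            # File entry: exact path only; /help does not cover /help/page1.html.
            return True
    return False


def is_in_scope(url, scan_targets, allowlist=(), blocklist=()):
    """Decide whether the crawler may request `url`."""
    if is_blocklisted(url, blocklist):
        return False
    host, path = _host_path(url)
    # Default scope: every subdirectory under each scanned URL's host,
    # but not other subdomains.
    if any(host == _host_path(target)[0] for target in scan_targets):
        return True
    # Allowlist: extend scope to another host, optionally to one subdirectory.
    for entry in allowlist:
        ahost, apath = _host_path(entry)
        if host != ahost:
            continue
        if apath == "/":
            return True  # whole host allowed, e.g. https://api.example.com
        prefix = apath if apath.endswith("/") else apath + "/"
        if path == apath or path.startswith(prefix):
            return True  # e.g. /mydir/v1 and everything below it
    return False


if __name__ == "__main__":
    # Constructed sample configuration mirroring the examples in the docs.
    targets = ["http://example.com"]
    allow = ["https://api.example.com/mydir/v1"]
    block = ["http://example.com/help/"]
    for candidate in [
        "http://example.com/about",
        "http://example.com/help/page1.html",
        "https://www.example.com/",
        "https://api.example.com/mydir/v1/users",
        "https://api.example.com/other",
    ]:
        verdict = is_in_scope(candidate, targets, allow, block)
        print(f"{candidate:45} in scope: {verdict}")
```

Run it with your own target, allowlist and blocklist entries and a handful of URLs you care about: paths that must never be exercised by the scanner (logout, delete, payment endpoints) should come back excluded, and every host the application actually uses should come back in scope, otherwise the crawl will silently skip it.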