How to Use the Crashtest Security API
The API grants access to multiple features of the Crashtest Security Suite without manual interaction such as clicking through the interface. For example, systems that need to update data dynamically can set up projects and start scans.
What do I need to use the API?
- To access the API, you must have an API Key. You can request a key from Veracode Technical Support. Each API Key is unique to a single user and allows the user to interact with the data stored in Crashtest Security Suite. After you assign the key to a user, you must include it in every API request.
- API specification.
Where do I have to attach the API Key?
There are multiple ways of attaching the key. It can either be attached to the URL as a parameter or used as a header field within the request. Both versions allow the "api_key" attribute to be either fully lower or upper case.
As a parameter in the URL:
As a header attribute:
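A key sent as a URL parameter is recorded wherever URLs are recorded (proxy and server access logs, browser history), so the header form is the safer default. The following is an added example, not code from Crashtest Security or Veracode: it builds a header-authenticated request and redacts the key from URLs and headers before they are logged. The base URL, the path, and the CRASHTEST_API_KEY environment variable name are placeholders chosen for illustration; take the real values from the API specification.

```python
import os
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Placeholder base URL (assumption); the real one is in the API specification.
BASE_URL = "https://crashtest.example.invalid/api"


def is_key_name(name):
    # The page says "api_key" is accepted fully lower or fully upper case;
    # matching case-insensitively covers both spellings when redacting.
    return name.lower() == "api_key"


def load_key(env=os.environ):
    """Read the key from the environment (assumed variable name), not from source code."""
    key = env.get("CRASHTEST_API_KEY", "")
    if not key:
        raise RuntimeError("CRASHTEST_API_KEY is not set")
    return key


def header_request(path, api_key):
    """Return (url, headers) with the key in a header, so the URL carries no secret."""
    return BASE_URL + path, {"api_key": api_key}


def redact_url(url):
    """Mask the value of an api_key / API_KEY query parameter before logging a URL."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if is_key_name(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def redact_headers(headers):
    """Return a copy of the headers that is safe to write to a log."""
    return {k: ("REDACTED" if is_key_name(k) else v) for k, v in headers.items()}


if __name__ == "__main__":
    # Constructed sample values, not real keys or endpoints.
    url, headers = header_request("/placeholder-path", "constructed-key-123")
    print("request:", url, redact_headers(headers))
    print("log line:", redact_url(url + "?API_KEY=constructed-key-123&page=2"))
```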
What can I do with the API?
The API is based on the REST API format and allows sending GET, POST, and DELETE requests. All available operations with detailed specifications can be found here. As the API Key is assigned to the user, it can modify all teams of which the user is a member.
The same restrictions and permissions that the user normally has also apply to the API.
For most requests, it is necessary to have some IDs in advance. An ID is a unique identifier that clarifies which team and project you want to update.
The team ID can be retrieved from the Local Storage of the browser or by requesting it from Veracode Technical Support.
To find the local storage for your browser, open the developer tools.
- Select the Application tab.
- Select the local storage for
- Check the user entry for the
This value updates and represents the newly selected team when you switch between different teams.
There are two ways of retrieving the ID of a project.
If the project is created using the API, the response of the create API call contains the project ID.
The project ID can also be found by clicking on a single project in the user interface. In your browser, you see a URL similar to the following.
In this example, the project ID is
When starting a scan using the API, the response of the call contains the ID of the scan:
If the API call to start a new scan is used while another scan for the same project is already running, the API call returns the ID of the running scan.
The API offers the following operations:
- Create a new project
- Delete a project
- Start a new scan for a project
- Stop a running scan
- Retrieve the status of a scan
- Retrieve the finding for a scan (PDF, XML, JSON)