Understanding API Access

Veracode APIs

To access the Veracode APIs, you must have either a user account or an API service account with the user roles required for the specific API tasks you perform.

Note: Veracode APIs and integrations require access to analysiscenter.veracode.com and api.veracode.com. Contact your IT team to ensure these domains are on the allowlist for your organization and that there is one-way communication on port 443 to api.veracode.com. Refer to the complete list of domains and IP addresses to add to your allowlist.

You configure API user roles and permissions on the User Account page in the Veracode Platform. To use the Admin or Archer Report XML APIs, the account must be an API service account: select the API Service Account checkbox and the respective API user roles in the Login Settings section of the User Account page.

You must have the Administrator or Team Admin role to create API service accounts. Ensure you access the APIs with the domain for your region.

Ensure that your IP address is in the list or range of addresses in the Allowed IP Addresses field of your user account login settings. If the IP range is set incorrectly, edit the Allowed IP Addresses field to include the IP address of the location of your login.

You can restrict API service accounts to teams, limiting their access to only the data for applications associated with those teams. Select Restrict to Selected Teams and then choose the appropriate team. You can also restrict users to scan types, limiting them to performing static, dynamic, or Manual Penetration Testing scans.

If you intend to use the Admin API to create a new user account, you must pass the role parameters as well as the scan type permissions. For a user account, the role parameters (case-sensitive) are Administrator, Creator, Executive, Mitigation Approver, Policy Administrator, Reviewer, Security Lead, Submitter, Security Insights, and Veracode eLearning. The scan permission types are Static Scan, Dynamic Scan, Manual Scan, Discovery Scan, DynamicMP Scan, or All Scan Types.

Team Administrators can grant only these API roles to users they manage: Results API, Upload and Scan API, Mitigation API, Upload API - Submit Only, and Greenlight API.
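The Admin API parameter rules above (case-sensitive role names, mandatory scan type permissions, and the limited set of API roles a Team Administrator may grant) fail silently if a request is built by hand. The following is an added example, not Veracode's own code, that validates those parameters locally before a create-user request is sent. The endpoint path api/3.0/createuser.do and the parameter names first_name, last_name, email_address, roles and scan_types are assumptions, not taken from this page; confirm them against the Admin API reference for your region.

```python
"""Added example, not Veracode's own code: check the role and scan-type
parameters for an Admin API create-user request before sending it, so a
typo or a wrong-case role name fails locally instead of at the API.

Assumptions not stated on the page: the endpoint path api/3.0/createuser.do
and the parameter names first_name, last_name, email_address, roles and
scan_types (the last two comma-separated) are assumed; confirm them against
the Admin API reference for your region before use.
"""
from urllib.parse import urlencode

# User account roles; the page states these are case-sensitive.
USER_ROLES = frozenset({
    "Administrator", "Creator", "Executive", "Mitigation Approver",
    "Policy Administrator", "Reviewer", "Security Lead", "Submitter",
    "Security Insights", "Veracode eLearning",
})
# Scan type permissions listed on the page.
SCAN_TYPES = frozenset({
    "Static Scan", "Dynamic Scan", "Manual Scan", "Discovery Scan",
    "DynamicMP Scan", "All Scan Types",
})
# The only API roles a Team Administrator may grant (page list).
TEAM_ADMIN_GRANTABLE_API_ROLES = frozenset({
    "Results API", "Upload and Scan API", "Mitigation API",
    "Upload API - Submit Only", "Greenlight API",
})
# Assumed base URL; use the domain for your region.
BASE_URL = "https://analysiscenter.veracode.com"


def _case_hint(value, allowed):
    """Return the correctly cased name when value differs only by case."""
    for name in allowed:
        if name.lower() == value.lower():
            return name
    return None


def validate_create_user(roles, scan_types):
    """Validate a user account's role and scan-type names; return error strings."""
    errors = []
    if not roles:
        errors.append("at least one role is required")
    if not scan_types:
        errors.append("at least one scan type permission is required")
    for role in roles:
        if role not in USER_ROLES:
            hint = _case_hint(role, USER_ROLES)
            msg = f"unknown role {role!r}"
            if hint:
                msg += f" (roles are case-sensitive; use {hint!r})"
            errors.append(msg)
    for scan in scan_types:
        if scan not in SCAN_TYPES:
            hint = _case_hint(scan, SCAN_TYPES)
            msg = f"unknown scan type {scan!r}"
            if hint:
                msg += f" (use {hint!r})"
            errors.append(msg)
    return errors


def team_admin_blocked_roles(api_roles):
    """Return the API roles a Team Administrator is not allowed to grant."""
    return sorted(r for r in api_roles if r not in TEAM_ADMIN_GRANTABLE_API_ROLES)


def build_create_user_request(first_name, last_name, email, roles, scan_types):
    """Return (url, query_string) for the assumed createuser.do call.

    Raises ValueError if validation fails. "All Scan Types" supersedes the
    other scan types, so when present it is sent alone.
    """
    errors = validate_create_user(roles, scan_types)
    if errors:
        raise ValueError("; ".join(errors))
    if "All Scan Types" in scan_types:
        scans = ["All Scan Types"]
    else:
        scans = sorted(set(scan_types))
    params = {
        "first_name": first_name,
        "last_name": last_name,
        "email_address": email,
        "roles": ",".join(sorted(set(roles))),
        "scan_types": ",".join(scans),
    }
    return f"{BASE_URL}/api/3.0/createuser.do", urlencode(params)


if __name__ == "__main__":
    # Constructed sample input; the request is built but not sent.
    url, query = build_create_user_request(
        "Ada", "Example", "ada@example.invalid",
        ["Reviewer", "Submitter"], ["Static Scan", "Dynamic Scan"])
    print(url)
    print(query)
    print(validate_create_user(["administrator"], ["static scan"]))
```

The request is only assembled here; sending it still requires the account's API credentials and the HMAC signing the Veracode APIs use, which this example leaves out. Running the validation before any call means a lower-cased role such as "administrator" is caught with a hint rather than producing a user with fewer permissions than intended or a rejected request.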

When the visibility for an application is set to Teams & Security Leads, a user account can access the application through the Veracode APIs only if it has the Reviewer, Creator, or Submitter role and is a member of the specified team.