Skip to main content

Dynamic Analysis REST API

You can use the Dynamic Analysis API to automate major dynamic scanning tasks.

This API enables you to programmatically initiate dynamic scanning with the flexibility necessary for incorporating this type of security scanning into your Software Development Life Cycle.

The API endpoints perform these tasks:

  • Create analyses with URL scans
  • Configure analyses and URL scans
  • Schedule and run analyses
  • Link analyses to Veracode application profiles

After completing a dynamic analysis scan, you can use the Findings API to get information on a discovered flaw.


This API does not support DAST Essentials.

Permissions and authentication

To be able to use the Veracode Dynamic Analysis REST API, you must have one of these accounts with the required roles:

  • An API service account with the Upload and Scan API role.
  • A user account with the Security Lead, Creator, or Submitter role.

This API uses API ID/key credentials and HMAC authentication to provide improved security. Before you can send requests, you must complete these configurations:

Ensure you access the APIs with the domain for your region.

Dynamic Analysis API specification

The Dynamic Analysis API specification is available from SwaggerHub.

Authentication errors

To see authentication errors for the Dynamic Analysis REST API, send:

http --auth-type=veracode_hmac GET

Scan APIs with the Dynamic Analysis REST API

By default, any POST or PUT request to the Dynamic Analysis REST API assumes that the target is a web application. For a Dynamic Analysis scan of APIs, append the scan_type=API_SCAN query parameter to your POST or PUT request. For example:

http --auth-type=veracode_hmac POST "" < input.json

To scan web applications, exclude this parameter or change it to scan_type=WEB_SCAN.