You can use the Dynamic Analysis API to automate major dynamic scanning tasks.
This API enables you to programmatically initiate dynamic scanning with the flexibility necessary for incorporating this type of security scanning into your Software Development Life Cycle.
The API endpoints perform these tasks:
- Create analyses with URL scans
- Configure analyses and URL scans
- Schedule and run analyses
- Link analyses to Veracode application profiles
After completing a dynamic analysis scan, you can use the Findings API to get information on a discovered flaw.
Permissions and authentication
To be able to use the Veracode Dynamic Analysis REST API, you must have one of these accounts with the required roles:
- An API service account with the Upload and Scan API role.
- A user account with the Security Lead, Creator, or Submitter role.
This API uses API ID/key credentials and HMAC authentication to provide improved security. Before you can send requests, you must complete these configurations:
Ensure you access the APIs with the domain for your region.
Dynamic Analysis API specification
The Dynamic Analysis API specification is available from SwaggerHub.
To see authentication errors for the Dynamic Analysis REST API, send:
http --auth-type=veracode_hmac GET https://api.veracode.com/was/configservice/v1/code_groups/errorcode
Scan APIs with the Dynamic Analysis REST API
By default, any PUT request to the Dynamic Analysis REST API assumes that the target is a web application. For a Dynamic Analysis scan of APIs, append the scan_type=API_SCAN query parameter to your PUT request. For example:
http --auth-type=veracode_hmac POST "https://api.veracode.com/was/configservice/v1/analyses?scan_type=API_SCAN" < input.json
To scan web applications, exclude this parameter or change it to
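
A pre-flight check for pipeline scripts, as an added example that is not part of Veracode's documentation: it builds the analyses URL with scan_type=API_SCAN for API targets, omits the parameter for web applications, and refuses to emit a request whose scan type does not match what the caller intended. The function names and the extra argument are hypothetical; the domain, path, and httpie options are the ones shown in the commands above.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

API_SCAN = "API_SCAN"                       # parameter value given on this page
DEFAULT_BASE = "https://api.veracode.com"   # domain used in this page's commands
ANALYSES_PATH = "/was/configservice/v1/analyses"


def analysis_url(api_scan, base=DEFAULT_BASE, extra=None):
    """Build the analyses URL; only API scans carry scan_type=API_SCAN.

    `base` is the domain for your region. `extra` is a hypothetical list of
    (key, value) pairs for any other query parameters the caller needs.
    """
    parts = urlsplit(base)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("base must be an https:// origin")
    # Drop a caller-supplied scan_type so the URL never carries two values.
    query = [(k, v) for k, v in (extra or []) if k != "scan_type"]
    if api_scan:
        query.append(("scan_type", API_SCAN))
    return urlunsplit(("https", parts.netloc, ANALYSES_PATH, urlencode(query), ""))


def scan_kind(url):
    """Return 'api' if the URL asks for an API scan, else 'web' (the default).

    Assumption: any value other than the exact string API_SCAN is not an API scan.
    """
    values = [v for k, v in parse_qsl(urlsplit(url).query) if k == "scan_type"]
    if len(values) > 1:
        raise ValueError("scan_type appears more than once")
    return "api" if values == [API_SCAN] else "web"


def httpie_argv(method, url, expect_api):
    """Return the httpie command line, refusing a scan-type mismatch."""
    method = method.upper()
    if method not in ("POST", "PUT"):
        raise ValueError("this check covers POST and PUT requests only")
    wanted = "api" if expect_api else "web"
    if scan_kind(url) != wanted:
        raise ValueError(f"{method} {url} would run as a {scan_kind(url)} scan")
    return ["http", "--auth-type=veracode_hmac", method, url]
```

Pass the returned list to subprocess.run with input.json opened on stdin, matching the command above.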