Skip to main content


You can use the SCA REST API to retrieve, delete, insert, or update data related to Agent-Based Scanning. You can also query Veracode's vulnerability database, annotate SCA upload findings, and generate SBOMs.

Permissions and authentication

Before you can use this API, you must have a user account. API service accounts cannot access this API.

This API uses API ID/key credentials and HMAC authentication to provide improved security. Before you can send requests, you must complete these configurations:

Ensure you access the APIs with the domain for your region.

Required HTTP headers

The Veracode SCA API requires that you set these HTTP headers in the REST requests:

  • accept-encoding: gzip
  • user-agent: a value of your choice. Veracode recommends a company name, email domain, or application name.

SCA API specification

The API specification is available on SwaggerHub.