Skip to main content

How to verify a scan target

Why Is The Verification Required to Start The Full Scan?

The verification is required to confirm the ownership of the website (scan target). Since the full scanner is an invasive scan, it cannot be run until it is certain that you are the owner of the website or that it is the website of one of your customers.

This HTML file is just a hash key file. The scanner reads it to find a match, and only after that can the scanner start scanning.

There are four ways to verify your scan target:

  • File upload
  • API endpoints
  • DNS verification
  • Manual verification

Below are the steps and conditions for these four verification processes and some standard troubleshooting methods.

Verification with File Upload

Complete the following steps to complete the verification of the scan target.

  1. Download your verification file, which contains your confirmation code.
  2. Place the file in the root directory of your scan targets web server. For example, the file should be reachable at:
  3. Leave the file at this location. The file is checked before each security scan.
  4. Select Verify to start the verification.

Verification with API Endpoints

To verify using API endpoints, update your API to include any of the following GET statements:


Any API endpoints listed above should return the scan target verification hash.

Verification with a DNS Record

To verify using a DNS record, create a TXT record under the target domain and set the verification hash as a value.

Manual Verification with Customer Support

Contact Veracode Technical Support if the automatic verification options are not possible for you. This feature is usually available to Professional plan subscribers, but in some cases, you can contact Veracode to help you review and verify your scan target manually.

What should I do when I receive the Error Message: "Failed to verify the scan targets"?

First, check if the verification file has been uploaded correctly. If this is not the case, ensure the website is accessible to the scanner by the following:

  • The website should be publicly accessible.
  • If protected by a firewall, ensure that the required IP addresses are on your allowlist (check the IP addresses provided there).
  • The credentials must be first configured when the application has an HTTP Basic Authentication.

How should I interpret the error messages during my scans, and what should I do?

If the scan configuration is not done correctly, or there is a problem with one of the scanners, you will receive an error message while the scan runs, or after it finishes. For a detailed list of possible error names you can return, along with suggestions for the following steps to take to try and complete the scan, see Troubleshooting scan errors.