Skip to main content

How to set up a "Full Scan"?

This section only applies when you choose the Full Scan-Scope during the setup process. For the invasive scanners, you need verify the target to confirm that you can access or that you own the application.

Before starting the scanners, you need to verify that the application belongs to you - by uploading a text file to the root directory of the URL.

You will see the lock if you need to verify the project. Otherwise, you will see the start scan.

This is necessary to validate that you have access rights to the domain and are legally allowed to perform security scans.

How to verify

There are three possible ways to verify a project:

  1. File upload
  2. API endpoints
  3. DNS record
  4. Manual verification (only in the professional package)

File upload

You must download the verification file, in HTML format, to verify a project with a file upload. This file contains a unique and secure hash. Upload the file to be available under the root directory of the URL you entered when creating the project. Your project setting displays your specific path.

After you have uploaded this file, you can initiate the verification. Afterward, your project is ready to scan.

API endpoints

To verify using API endpoints, update your API to include any of the following GET statements. Replace with your API domain and XXXXX with your specific value that you can retrieve from the software.


Any API endpoints listed above should return the project verification hash, which you can copy into the software.

DNS record

To verify using a DNS record, create a TXT record under the target domain and set the verification hash as a value.

Manual verification

If the automatic verification options are not possible for you, contact Veracode Technical Support for help with verifying your project.

If your project is protected by HTTP Basic Authentication (htaccess protection), you need to configure the username and password in the project settings before trying to verify the project.