veracode dynamic
Perform a Dynamic Analysis of a web application or REST API, check the status of an analysis, and review the results of an analysis.
To use these commands, you must create at least one target using DAST Essentials in the Veracode Platform. Targets define the URLs of the web applications or REST APIs you want to scan. You can run multiple analyses in the same target, referred to as analysis runs.
Commands
| Command | Description |
|---|---|
scan | Runs an analysis in the specified target and outputs the discovered vulnerabilities. |
status | Returns the status of an analysis run. |
results | Returns the results of an analysis run. |
veracode dynamic scan
Runs an analysis and outputs the discovered vulnerabilities. Make a note of the numeric analysis run ID listed in the output. You provide the analysis run ID when you run the commands veracode dynamic status or veracode dynamic results.
Usage
./veracode dynamic scan --webhook <string> [flags]
Flags
| Flag | Description |
|---|---|
--api-spec-file | Path to a REST API specification file, in JSON or YAML format, on the local file system. The analysis scans the endpoints defined in this file. If not specified, the analysis uses the API specification file uploaded to the target in the Veracode Platform. |
--app-auth-username | For standard or form-based authentication, the username to sign in to the application. |
--app-auth-password | Required if you include --app-auth-username. For standard or form-based authentication, the password to sign in to the application. |
--app-auth-url | Required if you include --app-auth-username and --app-auth-password. For form-based authentication, enter the URL to the sign-in form. |
--background | Run the analysis silently and do not display the status. |
--basic-auth-username | For HTTP basic authentication, the username to sign in to the application. |
--basic-auth-password | For HTTP basic authentication, the username to sign in to the application. |
--fail-on-severity | Fail the command based on one or more severity levels of the discovered vulnerabilities. Values are: CriticalHighMediumLowInformationalThe default is Informational. |
-h, --help | Show help for this command. |
--param-auth-type | Required if you include --param-auth-key and --param-auth-value. For parameter authentication, the configuration type. Values are: HTTP_HEADERCOOKIEGET_PARAMETERSESSION_STORAGELOCAL_STORAGE |
--param-auth-key | Required if you include --param-auth-type and --param-auth-value. For parameter authentication, the key name. |
--param-auth-value | Required if you include --param-auth-type and --param-auth-key. For parameter authentication, the key value. |
--payload-file | Path to a custom payload file, in JSON format, on the local file system. |
-w, --webook | Required. The webhook UUID of the target that contains the analysis run. For example, 290c0aa5-5554-4f9b-b564-9544f9fb7323. To generate a webhook UUID, use the target configuration options in the Veracode Platform. |
Examples
To run an analysis, run:
./veracode dynamic scan --webhook 290c0aa5-5554-4f9b-b564-9544f9fb7323
To run an analysis and change a form-based authentication configuration, run:
./veracode dynamic scan -w 290c0aa5-5554-4f9b-b564-9544f9fb7323 --app-auth-username [email protected] --app-auth-password rand0m123 --app-auth-url https://app.yourodmain.tld/login
To run an analysis and change a parameter authentication configuration, run:
./veracode dynamic scan -w 290c0aa5-5554-4f9b-b564-9544f9fb7323 --param-auth-type COOKIE --param-auth-key gdpr_overlay --param-auth-value false
To run an analysis and change multiple settings of a parameter authentication configuration, run:
./veracode dynamic scan -w 290c0aa5-5554-4f9b-b564-9544f9fb7323 --param-auth-type COOKIE --param-auth-key gdpr_overlay --param-auth-value false --param-auth-type GET_PARAMETER --param-auth-key auth_provider --param-auth-value local
To run an analysis on a REST API using a local API specification file, run:
./veracode dynamic scan -w 290c0aa5-5554-4f9b-b564-9544f9fb7323 --api-spec-file ./swagger.json
veracode dynamic status
Returns the status of an analysis run.
Usage
./veracode dynamic status --analysis-run-id <integer> --webhook <string> [flags]
Flags
| Flag | Description |
|---|---|
-a, --analysis-run-id | Required. The numeric ID of the analysis run. The ID is listed in the output of the command veracode dynamic scan. In the following output examples, the ID is 18063: Starting Dynamic Scan with analysis run ID: 18063, Scan complete: analysis run ID 18063. |
-w, --webook | Required. The webhook UUID of the target that contains the analysis run. For example, 290c0aa5-5554-4f9b-b564-9544f9fb7323. To generate a webhook UUID, use the target configuration options in the Veracode Platform. |
Example
To return the status of an analysis run, run:
./veracode dynamic status -w 290c0aa5-5554-4f9b-b564-9544f9fb7323 -a 18063
veracode dynamic results
Returns the results of an analysis run.
Usage
./veracode dynamic results --webhook <string> --analysis-run-id <integer> [flags]
Flags
| Flag | Description |
|---|---|
-w, --webook | Required. The webhook UUID of the target that contains the analysis run. For example, 290c0aa5-5554-4f9b-b564-9544f9fb7323. To generate a webhook UUID, use the target configuration options in the Veracode Platform. |
-a, --analysis-run-id | Required. The numeric ID of the analysis run. The ID is listed in the output of the command veracode dynamic scan. In the following output examples, the ID is 18063: Starting Dynamic Scan with analysis run ID: 18063, Scan complete: analysis run ID 18063. |
--format | Optional. Format of the results output. Values are: jsonjunitpdf By default, the results are listed in the command prompt window and saved as JSON in the current directory. If you enter junit or pdf, by default, the results are saved as ./results.xml or ./results.pdf. |
--output | Optional. Path and filename of the results output. By default, the output file is results.json in the current directory. To change the file format and extension, include --format. |
Examples
To print the results in the command prompt window, run:
./veracode dynamic results -w 290c0aa5-5554-4f9b-b564-9544f9fb7323 -a 18063
To output the results in JUnit format, run:
./veracode dynamic results -w 290c0aa5-5554-4f9b-b564-9544f9fb7323 -a 18063 --format junit --output ./my_results.xml
To output the results in PDF format, run:
./veracode dynamic results -w 290c0aa5-5554-4f9b-b564-9544f9fb7323 -a 18063 --format pdf --output ./my_results.pdf