Using the Veracode XML APIs

Veracode APIs

Veracode provides both XML and REST APIs for automating application security testing tasks. The XML APIS are also available as wrappers. Veracode strongly recommends that you use the REST APIs. For new integrations, always use the REST APIs.

Veracode provides an XML API for every task involved in scanning with Veracode. These APIs and the wrappers enable you to automate most of the tasks involved in scanning your applications. Ensure you access the APIs with the domain for your region.

Note: Veracode APIs and integrations require access to analysiscenter.veracode.com and api.veracode.com. Contact your IT team to ensure these domains are on the allowlist for your organization and that there is one-way communication on port 443 to api.veracode.com. Refer to the complete list of domains and IP addresses to add to your allowlist.
API Wrappers
Veracode provides API wrappers for Java and C#. Veracode recommends using API wrappers when working with the Veracode XML APIs.
Upload API
Use the Upload API to automatically send new builds of your applications to the Veracode Platform for static analysis scans.
Results API
Use the Results API to get a list of available applications and retrieve detailed application results.
Mitigation and Comments API
Integrate flaw comments and mitigation workflow tasks into IDEs and bug tracking systems.
Admin API
Use the Admin API to create and manage users and teams in the Veracode Platform.
Flaw Report API
The Flaw Report API creates a report that lists all fixed and unfixed flaws for the specified applications and/or scan type.
VAST APIs
The Veracode VAST program has APIs for automating vendor and enterprise tasks.
Sandbox APIs
Use the Sandbox API calls to automate creating, updating, deleting, listing, and promoting development sandboxes.
Note: The XML API and the wrappers use a different syntax. For the wrappers, the parameter names omit the underscores, the parameter values omit spaces, and some parameters use different names. For example, the parameter app_id in the API is appid in the wrapper and the parameter value Very High in the API is VeryHigh in the wrapper. The parameter business_criticality in the API is criticality in the wrapper. The syntax is not interchangeable and using the wrong syntax causes your command to fail. To ensure you are using the correct syntax, see the documentation provided in the Help directory for each wrapper.