Frequently Asked Questions (FAQ)


This section contains the answers to common questions about the Veracode XML APIs, plugins, and REST APIs.

XML API and Veracode Plugin FAQ

| Question | Answer |
| --- | --- |
| Why does Veracode not use basic authentication with usernames and passwords for API integrations? | Veracode uses the Veracode API ID and key with HMAC signing because this method provides maximum protection against man-in-the-middle and session replay attacks. |
| Does Veracode Static for Eclipse work with other Eclipse-derived IDEs? | Veracode Static for Eclipse may run on Eclipse-derived IDEs like Spring Suite, but Veracode does not provide support for these IDEs. |
| How do I check prescan results in the API? | Prescans usually complete very quickly, and you receive email notifications when they complete. If you want to check for prescan results using the Upload API, use the call. |
| How do I use the API to query tags in the Results API? | If you want to query tags in applications, you can add unique tags as metadata when creating your applications. You can then query your applications based on any of the metadata. Use to create an application with metadata. Use the following calls of the Results API to get the scan results of applications: to get the full list of your applications and then to get information for a specific application, including any metadata, if applicable. To get a detailed report for any application, call, which returns the results in an XML document. |
| How does Veracode ensure secure communication when making API calls to the Veracode Platform? | Using the Veracode API ID and key credentials ensures the most secure communication when using APIs. Security features include HMAC signatures to ensure the identity of the requester, a nonce to prevent replay attacks, and the ability to revoke API ID and key pairs if they are ever compromised. When using user credentials, Veracode uses TLS 1.2 or later for both the IDE plugins and for the Veracode XML APIs, which ensures that data transmitted between your client and the Veracode Platform is encrypted and secure. |
| How do I run an API scan if there are "unsupported frameworks" warnings in my prescan results? | If you want to ensure the scan completes even though there are non-fatal errors such as unsupported frameworks, ensure you use the scan_all_top_level_modules parameter when you use the call. Alternatively, you can use scan_selected_modules, scan_previously_selected_modules, or modules with a list of module IDs, returned by the prescan. |
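
The answer above on secure API communication names three mechanisms: an HMAC signature, a nonce, and key revocation. The following is an added example, not Veracode code and not the Veracode signature format: a simplified request-signing scheme showing which failure each mechanism stops. The signed field layout, `MAX_SKEW`, and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 300  # seconds a signed request stays acceptable (assumed value)

def sign(key: bytes, api_id: str, method: str, path: str, nonce: str, ts: int) -> str:
    """HMAC-SHA-256 over every field an on-path attacker might try to change."""
    msg = "\n".join([api_id, method.upper(), path, nonce, str(ts)]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def build_request(api_id: str, key: bytes, method: str, path: str) -> dict:
    """Client side: the key never leaves the client, only the signature does."""
    nonce, ts = secrets.token_hex(16), int(time.time())
    return {"id": api_id, "method": method, "path": path, "nonce": nonce,
            "ts": ts, "sig": sign(key, api_id, method, path, nonce, ts)}

class Verifier:
    """Server side: checks revocation, signature, freshness and nonce reuse."""
    def __init__(self, keys: dict):
        self.keys = dict(keys)  # api_id -> key bytes
        self.seen = {}          # (api_id, nonce) -> timestamp of the request

    def revoke(self, api_id: str) -> None:
        self.keys.pop(api_id, None)

    def verify(self, req: dict, now=None) -> str:
        now = int(time.time()) if now is None else now
        key = self.keys.get(req["id"])
        if key is None:
            return "unknown-or-revoked-id"
        expected = sign(key, req["id"], req["method"], req["path"],
                        req["nonce"], req["ts"])
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(expected, str(req["sig"])):
            return "bad-signature"
        if abs(now - req["ts"]) > MAX_SKEW:
            return "stale"
        # Forget nonces whose requests can no longer pass the freshness check.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= MAX_SKEW}
        if (req["id"], req["nonce"]) in self.seen:
            return "replayed-nonce"
        self.seen[(req["id"], req["nonce"])] = req["ts"]
        return "ok"
```

Because the timestamp is part of the signed message, the nonce cache only has to remember entries for the length of the freshness window.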


| Question | Answer |
| --- | --- |
| I want to use HMAC signing but I am not using Java. What are my options? | You can do one of the following: |