API Tutorial: How to Scan an Application

This tutorial provides basic step-by-step information on how to use the Veracode Upload API to automate the scanning of an application using the cURL command line tool. This guide uses standalone HTTP request calls, but you can combine them in an API wrapper to process multiple API calls.

Note: Before starting with the APIs, ensure you have the correct permissions to use the APIs. Your Veracode user account must have API permissions to be able to access and use the APIs.

To configure and submit a scan request:
  1. Create an application profile for the application you want to scan by entering:

        curl --compressed -u <VeracodeUsername>:<VeracodePassword> https://analysiscenter.veracode.com/api/5.0/createapp.do -F "app_name=<your application name>" -F "business_criticality=<enter level>"

    Where indicated, insert your username, password, application name, and level of business criticality of the application. Refer to the createapp.do call for more information on these parameters. The returned appinfo.xml file contains the application ID number, which you need when using other calls. If your application already exists, you can omit this step.

  2. Upload the file you want to scan by entering:

        curl --compressed -u <VeracodeUsername>:<VeracodePassword> https://analysiscenter.veracode.com/api/5.0/uploadfile.do -F "app_id=<your app ID>" -F "file=@<your file name>"

    Where indicated, insert your username, password, application ID, and filename.

    Note: You must enter the @ symbol before the entire path, including the specific filename.

    Optionally, you can call createbuild.do if you want to name the scan.

  3. Start the prescan of the uploaded file by entering:

        curl --compressed -u <VeracodeUsername>:<VeracodePassword> https://analysiscenter.veracode.com/api/5.0/beginprescan.do -F "app_id=<your application ID>"

    Where indicated, insert your application ID.

  4. Retrieve the prescan results to confirm that the prescan succeeded before you run the full scan. At this point you can add additional files using uploadfile.do, if necessary, but only if you have not set auto_scan to true as part of the beginprescan.do call. To retrieve the prescan results, from the command line, enter:

        curl --compressed -u <VeracodeUsername>:<VeracodePassword> https://analysiscenter.veracode.com/api/5.0/getprescanresults.do -F "app_id=<your application ID>"

    Where indicated, insert your application ID. The returned prescanresults.xml document contains the prescan details. For more information about the prescan results, go to API Prescan Status Information. For more information on build status messages, see API Build Status Information.

  5. If your prescan was successful, start the full scan by entering:

        curl --compressed -u <VeracodeUsername>:<VeracodePassword> https://analysiscenter.veracode.com/api/5.0/beginscan.do -F "app_id=<your application ID>" -F "scan_all_top_level_modules=true"

    Where indicated, insert your application ID.
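
The five calls above combined into one wrapper, as an added example that is not Veracode's own code: it reads credentials with curl's --netrc-file option (a mode-600 file holding "machine analysiscenter.veracode.com login <user> password <pass>") instead of -u, so the password stays out of shell history and process arguments, and it refuses to start the full scan when the prescan reports fatal errors. Assumptions: the VERACODE_NETRC, POLL_SECS and MAX_POLLS variable names are hypothetical, and the app_id, <prescanresults and has_fatal_errors markers reflect an assumed response layout that you should confirm against your own appinfo.xml and prescanresults.xml.

```shell
#!/bin/sh
# Added example, not Veracode code. Assumptions: credentials are in a netrc
# file (chmod 600), and responses use the attribute names noted below.
API=https://analysiscenter.veracode.com/api/5.0
NETRC=${VERACODE_NETRC:-$HOME/.netrc}   # hypothetical variable name
POLL_SECS=${POLL_SECS:-30}
MAX_POLLS=${MAX_POLLS:-40}

# One authenticated multipart call; credentials come from the netrc file.
vc_call() {
    endpoint=$1; shift
    curl --silent --show-error --fail --compressed \
         --netrc-file "$NETRC" "$API/$endpoint" "$@"
}

# Step 1: create the profile and print the app_id attribute (assumed name)
# found in the returned appinfo.xml.
create_app() {
    vc_call createapp.do -F "app_name=$1" -F "business_criticality=$2" |
        grep -o 'app_id="[0-9]*"' | head -n 1 | tr -cd '0-9'
}

# Steps 2-5: upload, prescan, wait for prescan results, then full scan.
scan_app() {
    app_id=$1; file=$2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    vc_call uploadfile.do -F "app_id=$app_id" -F "file=@$file" >/dev/null || return 1
    vc_call beginprescan.do -F "app_id=$app_id" >/dev/null || return 1
    polls=0
    while :; do
        results=$(vc_call getprescanresults.do -F "app_id=$app_id") || return 1
        case $results in *"<prescanresults"*) break ;; esac
        polls=$((polls + 1))
        [ "$polls" -lt "$MAX_POLLS" ] || { echo "prescan timed out" >&2; return 3; }
        sleep "$POLL_SECS"
    done
    # Assumed: modules carry has_fatal_errors="true" when they cannot be scanned.
    case $results in
        *'has_fatal_errors="true"'*) echo "prescan reported fatal errors" >&2; return 4 ;;
    esac
    vc_call beginscan.do -F "app_id=$app_id" -F "scan_all_top_level_modules=true" >/dev/null
}

# Run only when invoked as: script <app_id> <file>
if [ "$#" -eq 2 ]; then scan_app "$1" "$2"; fi
```

Exit codes 2, 3 and 4 distinguish an unreadable upload, a prescan that never produced results, and a prescan with fatal errors, so a CI job can fail with a specific reason.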