Understanding API Access

Veracode Integrations Security and Troubleshooting

To access the Veracode APIs, you must have either a human or a non-human (API) account, with the user roles associated with the specific API tasks you intend to perform.

API user roles and permissions are determined in the user account administration page, and different APIs require different permissions. To use the Admin or Archer Report XML APIs you must have the API Account checkbox selected (non-human account) and the respective API user roles selected in the Login Settings section of the user account administration page.

Be sure that your IP address is in the list or range of addresses in the Allowed IP Addresses field of your user account login settings. If the IP range is set incorrectly, edit the Allowed IP Addresses field to include the IP address of the location of your login.

You can restrict non-human API users to teams, limiting their access to data only for applications associated with those teams. Select Restrict to Selected Teams, and then choose the appropriate team. You can also restrict users to scan types, limiting them to performing static, dynamic, or Manual Penetration Testing scans.

If you intend to use the Admin API to create a new human user account, you must pass the role parameters as well as the scan type permissions. The human user role parameters (case-sensitive) are: Administrator, Creator, Executive, Mitigation Approver, Policy Administrator, Reviewer, Security Lead, Submitter, Security Insights, and eLearning. The scan permission types are: Static Scan, Dynamic Scan, Manual Scan, Discovery Scan, DynamicMP Scan, or All Scan Types.

Note that when an application has its visibility set to Teams & Security Leads, a human account with the Reviewer, Creator, or Submitter user role must be a member of the specified team to be able to access that application through the APIs.
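The two rules above (the case-sensitive role and scan-type parameters for the Admin API, and the team-membership requirement under Teams & Security Leads visibility) modelled as a small access check. This is an added illustrative example, not Veracode's code or API; the `ApiUser` and `Application` classes, and the choice to allow roles the rule does not name, are assumptions.

```python
"""Illustrative model of the Veracode API access rules above (not Veracode code)."""
from dataclasses import dataclass, field
from typing import Optional, Set, List

# Role and scan-type names exactly as listed on the page; the Admin API
# matches them case-sensitively, so "security lead" would be rejected.
HUMAN_ROLES = {"Administrator", "Creator", "Executive", "Mitigation Approver",
               "Policy Administrator", "Reviewer", "Security Lead", "Submitter",
               "Security Insights", "eLearning"}
SCAN_TYPES = {"Static Scan", "Dynamic Scan", "Manual Scan", "Discovery Scan",
              "DynamicMP Scan", "All Scan Types"}
# Roles that must belong to the application's team under Teams & Security Leads.
TEAM_BOUND_ROLES = {"Reviewer", "Creator", "Submitter"}


def validate_admin_api_params(roles: List[str], scan_types: List[str]) -> List[str]:
    """Return the role/scan-type values an Admin API create-user call would reject."""
    bad = [r for r in roles if r not in HUMAN_ROLES]
    bad += [s for s in scan_types if s not in SCAN_TYPES]
    return bad


@dataclass
class ApiUser:                       # assumed shape, for illustration only
    roles: Set[str]
    teams: Set[str] = field(default_factory=set)
    is_api_account: bool = False     # non-human account (API Account checkbox)
    restricted_teams: Optional[Set[str]] = None  # Restrict to Selected Teams


@dataclass
class Application:                   # assumed shape, for illustration only
    team: str
    visibility: str                  # e.g. "Teams & Security Leads"


def can_access_app(user: ApiUser, app: Application) -> bool:
    """Decide whether the account can reach the application's data via the APIs."""
    if user.is_api_account:
        # A team-restricted non-human account sees only its selected teams' apps.
        return user.restricted_teams is None or app.team in user.restricted_teams
    if app.visibility == "Teams & Security Leads":
        if "Security Lead" in user.roles:
            return True
        if user.roles & TEAM_BOUND_ROLES:
            # Reviewer/Creator/Submitter must be a member of the app's team.
            return app.team in user.teams
    # Assumption: roles the page's rule does not name are not further restricted here.
    return True
```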