Trigger Dynamic Application Security Testing (DAST) scans#
Thanks to the new app scanning capabilities available on the Security and risk management dashboard, it's now possible to automate application scanning via Codacy's API. This means that, with little effort, you'll be able to trigger app scanning on demand every time you deploy a new version of your app.
Important
App scanning is a business feature. If you are a Codacy Pro customer, contact our customer success team to access a short trial.
Check your permissions. Only git provider admins and organization managers will be able to create new targets and trigger scans (in app and via the API).
Creating targets#
Before the automation process itself, you need to create a target. Targets are individual configurations that define what Codacy will scan, including the target URL, its type (API or web application), and other type-dependent fields like OpenAPI specification and optional authentication details for API targets.
Targets only need to be created once. Note that targets are immutable — if you need to change the URL, definition, or authentication, you'll need to delete the target and create a new one.
Important
Do not run API scans on production enviroments as our API scanners may cause potential downtime.
Our DAST API scanner performs active security testing by sending a large number of requests to your application. When using authenticated API scanning, this activity can be even more intensive, as ZAP explores and probes more of your API surface.
Depending on how your target environment is configured, this may:
- Trigger rate limiting or throttling
- Appear as a high volume of traffic, similar to a load test
- Lead to incomplete scan results if key endpoints are blocked or limited
We recommend running scans in a test or staging environment, or coordinating with your infrastructure team to ensure that your environment can safely handle the load.
To create a target, use the following API request:
curl -X POST https://app.codacy.com/api/v3/organizations/{GIT_PROVIDER}/{ORGANIZATION}/dast/targets \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-H "api-token: {API_KEY}" \
-d '{
"url": {TARGET_URL},
"targetType": {TARGET_TYPE},
"apiDefinitionUrl": {API_DEFINITION_URL},
"apiAuthHeaders": {
"{HEADER_NAME}": "{HEADER_VALUE}"
}
}'
Replace the placeholders with your own values:
| Field | Required | Description |
|---|---|---|
| API_KEY | true | Account API token used to authenticate on the Codacy API |
| GIT_PROVIDER | true | Git provider hosting of the organization, using one of the values in the table below. Options: gh (GitHub Cloud), ghe(GitHub Enterprise), gl (Gitlab Cloud), gle (Gitlab Enterprise), bb (Bitbucket Cloud), bbe (Bitbucket Server) |
| ORGANIZATION | true | Name of the organization on the Git provider. You must have admin permissions over the organization on the Git provider. For example, codacy |
| TARGET_URL | true | URL of the Web app or API that will be scanned. Must start with http:// or https://For example, https://api.codacy.com/v1 |
| TARGET_TYPE | false | Type of target to be scanned Options: webapp (default), openapi or graphql |
| API_DEFINITION_URL | false * | The URL to a publicly accessible OpenAPI specification. * Required for OpenAPI targets |
| HEADER_NAME | false | Name of the authentication header. For example, Authentication |
| HEADER_VALUE | false | Value of the authentication header. For example, a token or API key |
Once you create the target you'll get the target id as a response. You will use it to trigger DAST scans in the next section.
Important
Currently we only support one authentication header. If you need more, please let us know via support or your account representative.
Trigger DAST analysis scans#
Once your targets are created you can trigger an analysis by calling the 'Analyze DAST target' endpoint.
curl -X POST https://app.codacy.com/api/v3/organizations/{GIT_PROVIDER}/{ORGANIZATION}/dast/targets/{DAST_TARGET_ID}/analyze \
-H "Accept: application/json" \
-H "api-token: {API_KEY}"
Replace the placeholders with your own values:
- API_KEY: Account API token used to authenticate on the Codacy API.
- GIT_PROVIDER: Git provider hosting of the organization (check the table on the example above). For example,
ghfor GitHub Cloud. - ORGANIZATION: Name of the organization on the Git provider. For example,
codacy. You must have admin permissions over the organization on the Git provider. - DAST_TARGET_ID: Identifier of a DAST target to analyze (obtained in the previous section. For example,
457. You must have admin permissions over the organization on the Git provider.
Scans occur asynchronously. To monitor an ongoing scan you can use the target management page in Codacy. Once completed, you can access all scan results by navigating to the Security dashboard, selecting the Findings tab and filtering by Scan types > DAST/App scanning.
Share your feedback 📢
Did this page help you?
Thanks for the feedback! Is there anything else you'd like to tell us about this page?
255 characters left
We're sorry to hear that. Please let us know what we can improve:
255 characters left
Alternatively, you can create a more detailed issue on our GitHub repository.
Thanks for helping improve the Codacy documentation.
Edit this page on GitHub if you notice something wrong or missing.
If you have a question or need help please contact support@codacy.com.