Skip to content

Trigger Dynamic Application Security Testing (DAST) scans#

Thanks to the new app scanning capabilities available on the Security and risk management dashboard, it's now possible to automate application scanning via Codacy's API. This means that, with little effort, you'll be able to trigger app scanning on demand every time you deploy a new version of your app.

Important

App scanning is a business feature. If you are a Codacy Pro customer, contact our customer success team to access a short trial.

Check your permissions. Only git provider admins and organization managers will be able to create new targets and trigger scans (in app and via the API).

Creating targets#

Before the automation process itself, you need to create a target. Targets are individual configurations that define what Codacy will scan, including the target URL, its type (API or web application), and other type-dependent fields like OpenAPI specification and optional authentication details for API targets.

Targets only need to be created once. Note that targets are immutable — if you need to change the URL, definition, or authentication, you'll need to delete the target and create a new one.

Important

Do not run API scans on production enviroments as our API scanners may cause potential downtime.

Our DAST API scanner performs active security testing by sending a large number of requests to your application. When using authenticated API scanning, this activity can be even more intensive, as ZAP explores and probes more of your API surface.

Depending on how your target environment is configured, this may:

  • Trigger rate limiting or throttling
  • Appear as a high volume of traffic, similar to a load test
  • Lead to incomplete scan results if key endpoints are blocked or limited

We recommend running scans in a test or staging environment, or coordinating with your infrastructure team to ensure that your environment can safely handle the load.

To create a target, use the following API request:

curl -X POST https://app.codacy.com/api/v3/organizations/{GIT_PROVIDER}/{ORGANIZATION}/dast/targets \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -H "api-token: {API_KEY}" \
  -d '{
        "url": {TARGET_URL},
        "targetType": {TARGET_TYPE},
        "apiDefinitionUrl": {API_DEFINITION_URL},
        "apiAuthHeaders": {
          "{HEADER_NAME}": "{HEADER_VALUE}"
        }
      }'

Replace the placeholders with your own values:

Field Required Description
API_KEY true Account API token used to authenticate on the Codacy API
GIT_PROVIDER true Git provider hosting of the organization, using one of the values in the table below.
Options: gh (GitHub Cloud), ghe(GitHub Enterprise), gl (Gitlab Cloud), gle (Gitlab Enterprise), bb (Bitbucket Cloud), bbe (Bitbucket Server)
ORGANIZATION true Name of the organization on the Git provider. You must have admin permissions over the organization on the Git provider.
For example, codacy
TARGET_URL true URL of the Web app or API that will be scanned.
Must start with http:// or https://
For example, https://api.codacy.com/v1
TARGET_TYPE false Type of target to be scanned
Options: webapp (default), openapi or graphql
API_DEFINITION_URL false * The URL to a publicly accessible OpenAPI specification.
* Required for OpenAPI targets
HEADER_NAME false Name of the authentication header.
For example, Authentication
HEADER_VALUE false Value of the authentication header.
For example, a token or API key

Once you create the target you'll get the target id as a response. You will use it to trigger DAST scans in the next section.

Important

Currently we only support one authentication header. If you need more, please let us know via support or your account representative.

Trigger DAST analysis scans#

Once your targets are created you can trigger an analysis by calling the 'Analyze DAST target' endpoint.

curl -X POST https://app.codacy.com/api/v3/organizations/{GIT_PROVIDER}/{ORGANIZATION}/dast/targets/{DAST_TARGET_ID}/analyze \
  -H "Accept: application/json" \
  -H "api-token: {API_KEY}"

Replace the placeholders with your own values:

  • API_KEY: Account API token used to authenticate on the Codacy API.
  • GIT_PROVIDER: Git provider hosting of the organization (check the table on the example above). For example, gh for GitHub Cloud.
  • ORGANIZATION: Name of the organization on the Git provider. For example, codacy. You must have admin permissions over the organization on the Git provider.
  • DAST_TARGET_ID: Identifier of a DAST target to analyze (obtained in the previous section. For example, 457. You must have admin permissions over the organization on the Git provider.

Scans occur asynchronously. To monitor an ongoing scan you can use the target management page in Codacy. Once completed, you can access all scan results by navigating to the Security dashboard, selecting the Findings tab and filtering by Scan types > DAST/App scanning.

Share your feedback 📢

Did this page help you?

Thanks for the feedback! Is there anything else you'd like to tell us about this page?

We're sorry to hear that. Please let us know what we can improve:

Alternatively, you can create a more detailed issue on our GitHub repository.

Thanks for helping improve the Codacy documentation.

Edit this page on GitHub if you notice something wrong or missing.

If you have a question or need help please contact support@codacy.com.

Last modified July 1, 2025