API server URLs and API Scanning

API Scanning requires the absolute, or base, URL of the server that is hosting the API you want to scan. It checks for this URL when you upload an API specification or Postman Collection to the Veracode Platform. If API Scanning cannot determine this URL from the uploaded specification or Postman Collection, you see an error with a field to enter the fully-qualified URL. Enter the base URL for your API.

For OpenAPI specifications, you can add a custom base URL. By default, when you configure a scan, Veracode automatically selects the base URL from the list of available servers. This base URL replaces any relative URLs in your specification. For Postman Collections, a base URL is required because the URL defines an allowed host that the scanners can attack to find vulnerabilities in requests. HAR files do not support base URLs.

If you do not know the base URL for your API, contact the development team that provided the specification file.

After you add a base URL, the scanners treat the value as a url entry in the OpenAPI servers list, as explained in the OpenAPI 3 Documentation. Ensure your value includes any base path. For example, if an API has entry points under /v1/pets, the absolute URL must also have that path: https://api.example.com/v1/pets.
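A pre-upload check for the behavior described above, as an added example that is not Veracode code: it lists the absolute base URLs an OpenAPI 3 document yields, replaces relative server entries with a custom base URL, and fails when none can be determined. The function names, the sample specification, and the hosts are constructed for illustration, and the replace-relative-entries logic is an assumption modeled on this page's description.

```python
from urllib.parse import urlsplit

def is_absolute(url):
    """True for a fully-qualified http(s) URL with a host."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def expand(server):
    """Fill OpenAPI server variables ({name}) with their declared defaults."""
    url = server.get("url", "/")
    for name, var in server.get("variables", {}).items():
        url = url.replace("{" + name + "}", str(var["default"]))
    return url

def base_urls(spec, custom_base=None):
    """Absolute base URLs for a spec; relative entries are replaced by custom_base."""
    if custom_base is not None and not is_absolute(custom_base):
        raise ValueError(f"custom base URL is not fully qualified: {custom_base!r}")
    # OpenAPI 3 treats a missing or empty servers list as one entry with url "/".
    servers = spec.get("servers") or [{"url": "/"}]
    result = []
    for server in servers:
        url = expand(server)
        if not is_absolute(url):
            if custom_base is None:
                raise ValueError(f"relative server URL {url!r} needs a base URL")
            url = custom_base  # assumption: the custom value replaces the entry
        if url not in result:
            result.append(url)
    return result

def request_urls(spec, base):
    """Join one base URL with every path key, keeping the base path."""
    return [base.rstrip("/") + path for path in spec.get("paths", {})]

# Constructed sample spec: one relative server, one templated absolute server.
SPEC = {
    "openapi": "3.0.3",
    "servers": [
        {"url": "/v1"},
        {"url": "https://{env}.api.example.com/v1",
         "variables": {"env": {"default": "staging"}}},
    ],
    "paths": {"/pets": {}, "/pets/{petId}": {}},
}

if __name__ == "__main__":
    for base in base_urls(SPEC, "https://api.example.com/v1"):
        print(base, request_urls(SPEC, base))
```

Reviewing the printed request URLs before a scan confirms that every allowed host is one you intend to test and that the base path was not dropped.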