Merge branch 'master' of https://github.com/codacy/docs

Author: stefanvacareanu7

.github/styles/Microsoft/Terms.yml

@@ -5,7 +5,6 @@ ignorecase: true
 action:
   name: replace
 swap:
-  '(?:agent|virtual assistant|intelligent personal assistant)': personal digital assistant
   '(?:drive C:|drive C>|C: drive)': drive C
   '(?:internet bot|web robot)s?': bot(s)
   '(?:microsoft cloud|the cloud)': cloud

.github/styles/Microsoft/Wordiness.yml

@@ -79,7 +79,6 @@ swap:
   in lieu of: instead of
   in many cases: often
   in most cases: usually
-  in order to: to
   in some cases: sometimes
   in spite of the fact that: although
   in spite of: despite

.github/styles/config/vocabularies/Codacy/accept.txt

@@ -1,4 +1,6 @@
 aligncheck
+autofix
+autoremediate
 allowlist
 Atlassian
 autovacuum
@@ -41,6 +43,7 @@ Gradle
 Grafana
 Gravatar
 Hadolint
+Hardcoded
 hostname
 hotfix
 Jira
@@ -91,4 +94,6 @@ unassigns
 unfollow
 vacuumdb
 Visualforce
+VSCode
 Xcode
+webserver

.github/workflows/vale.yml

@@ -18,6 +18,7 @@ jobs:
         with:
           filter_mode: added
           debug: true
+          fail_on_error: false
         env:
           # Required
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -17,3 +17,8 @@ site/
 
 # Auxiliary tool outputs
 tools/*.csv
+
+.codacy
+
+#Ignore vscode AI rules
+.github/copilot-instructions.md

docs/account/images/emails-notifications.png

@@ -29,12 +29,20 @@ You can create new account API tokens programmatically [using the Codacy API](ex
 
 1.  Click the button **Create API token** under **Account API tokens**.
 
-    !!! tip
-        You can create multiple account API tokens. This can be useful to have a more flexible control by revoking only a specific token.
+1. Select an expiration date from the modal options. You can select between a range of 7 days to 90 days, create a custom expiration date, or create a token with no expiration.
+
+![Creating an account API token](images/codacy-api-tokens-account.png)
+
+![Creating an account API token modal](images/codacy-api-tokens-account-modal.png)
+
+!!! tip
+    You can create multiple account API tokens. This can be useful to have a more flexible control by revoking only a specific token.
+
+When you have tokens created, you can view them inside the tokens table. By hovering a token, you are able to copy its value.
 
-    ![Creating an account API token](images/codacy-api-tokens-account.png)
+![Creating an account API token modal](images/codacy-api-tokens-account-table.png)
 
-To revoke an account API token, click the "X" next to the token. After this, all applications or services using that token to access the Codacy API will fail to authenticate and will receive the reply `{"error":"not found"}`.
+To delete an account API token, click the trash icon in the Actions column of the table. After this, all applications or services using that token to access the Codacy API will fail to authenticate and will receive the reply `{"error":"not found"}`.
 
 ## Generating and revoking repository API tokens {: id="repository-api-tokens"}
 

docs/codacy-api/api-tokens.md

@@ -0,0 +1,86 @@
+---
+description: Instructions on how to trigger DAST/App using the API.
+---
+
+# Trigger Dynamic Application Security Testing (DAST) scans
+
+Thanks to the new app scanning capabilities available on the Security and risk management dashboard, it's now possible to automate application scanning via Codacy's API. This means that, with little effort, you'll be able to trigger app scanning on demand every time you deploy a new version of your app.
+
+!!! important
+    **App scanning is a business feature.** If you are a Codacy Pro customer, contact our customer success team to access a short trial.
+
+    **Check your [permissions](../../organizations/roles-and-permissions-for-organizations.md).** Only git provider admins and organization managers will be able to create new targets and trigger scans (in app and via the API).
+
+
+## Creating targets
+
+Before the automation process itself, you need to create a target. Targets are individual configurations that define what Codacy will scan, including the target URL, its type (API or web application), and other type-dependent fields like OpenAPI specification and optional authentication details for API targets.
+
+Targets only need to be created once. Note that **targets are immutable** — if you need to change the URL, definition, or authentication, you'll need to delete the target and create a new one.
+
+!!! important
+    **Do not run API scans on production enviroments as our API scanners may cause potential downtime.**
+
+    Our DAST API scanner performs active security testing by sending a large number of requests to your application. When using authenticated API scanning, this activity can be even more intensive, as ZAP explores and probes more of your API surface.
+
+    Depending on how your target environment is configured, this may:
+
+    - Trigger rate limiting or throttling
+    - Appear as a high volume of traffic, similar to a load test
+    - Lead to incomplete scan results if key endpoints are blocked or limited
+
+    We recommend running scans in a **test or staging environment**, or coordinating with your infrastructure team to ensure that your environment can safely handle the load.
+
+To create a target, use the following API request:
+
+```bash
+curl -X POST https://app.codacy.com/api/v3/organizations/{GIT_PROVIDER}/{ORGANIZATION}/dast/targets \
+  -H "Content-Type: application/json" \
+  -H "Accept: application/json" \
+  -H "api-token: {API_KEY}" \
+  -d '{
+        "url": {TARGET_URL},
+        "targetType": {TARGET_TYPE},
+        "apiDefinitionUrl": {API_DEFINITION_URL},
+        "apiAuthHeaders": {
+          "{HEADER_NAME}": "{HEADER_VALUE}"
+        }
+      }'
+```
+
+Replace the placeholders with your own values:
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| **API_KEY** | true | [Account API token](../api-tokens.md#account-api-tokens) used to authenticate on the Codacy API |
+| **GIT_PROVIDER** | true | Git provider hosting of the organization, using one of the values in the table below. <br/>**Options:** `gh` (GitHub Cloud), `ghe`(GitHub Enterprise), `gl` (Gitlab Cloud), `gle` (Gitlab Enterprise), `bb` (Bitbucket Cloud), `bbe` (Bitbucket Server) | 
+| **ORGANIZATION** | true | Name of the organization on the Git provider. You must have admin permissions over the organization on the Git provider.<br/>For example, `codacy` |
+| **TARGET_URL** | true | URL of the Web app or API that will be scanned. <br/>Must start with `http://` or `https://`<br/>For example, `https://api.codacy.com/v1`|
+| **TARGET_TYPE** | false | Type of target to be scanned <br/> **Options:** `webapp` (default), `openapi` or `graphql`|
+| **API_DEFINITION_URL** | false * | The URL to a publicly accessible OpenAPI specification.<br/>*** Required for OpenAPI targets**|
+| **HEADER_NAME** | false | Name of the authentication header. <br/>For example, `Authentication`|
+| **HEADER_VALUE** | false | Value of the authentication header. <br/>For example, a token or API key|
+
+Once you create the target you'll get the target `id` as a response. You will use it to trigger DAST scans in the next section.
+
+!!! important
+    Currently we only support one authentication header. If you need more, please let us know via support or your account representative.
+
+## Trigger DAST analysis scans
+
+Once your targets are created you can trigger an analysis by calling the '[Analyze DAST target](https://api.codacy.com/api/api-docs#analyzedasttarget)' endpoint.
+
+```bash
+curl -X POST https://app.codacy.com/api/v3/organizations/{GIT_PROVIDER}/{ORGANIZATION}/dast/targets/{DAST_TARGET_ID}/analyze \
+  -H "Accept: application/json" \
+  -H "api-token: {API_KEY}"
+```
+
+Replace the placeholders with your own values:
+
+-   **API_KEY:** [Account API token](../api-tokens.md#account-api-tokens) used to authenticate on the Codacy API.
+-   **GIT_PROVIDER:** Git provider hosting of the organization (check the table on the example above). For example, `gh` for GitHub Cloud.
+-   **ORGANIZATION:** Name of the organization on the Git provider. For example, `codacy`. You must have admin permissions over the organization on the Git provider.
+-   **DAST_TARGET_ID:** Identifier of a DAST target to analyze (obtained in the [previous section](./triggering-dast-scans.md#creating-targets). For example, `457`. You must have admin permissions over the organization on the Git provider.
+
+Scans occur asynchronously. To monitor an ongoing scan you can use the [target management page in Codacy](../../organizations/managing-security-and-risk.md#app-scanning). Once completed, you can access all scan results by navigating to the **Security dashboard**, selecting the **Findings tab** and filtering by **Scan types > DAST/App scanning**.

docs/codacy-api/examples/triggering-dast-scans.md

@@ -14,8 +14,8 @@ To ensure the security of your web applications, Codacy allows you to upload DAS
 
 1.  Upload the report to Codacy using the API endpoint [<span class="skip-vale">uploadDASTReport</span>](https://app.codacy.com/api/api-docs#uploaddastreport):
 
-    !!! note
-        The DAST report must be under 20MB in size.
+    !!! important
+        The DAST report must be under 20MB in size. Please also guarantee that @generated timestamps are in an English locale, and use the default ZAP format (EEE, d MMM yyyy HH:mm:ss), as otherwise the report won't be processed. 
 
     ```bash
     curl -X POST https://app.codacy.com/api/v3/organizations/<GIT_PROVIDER>/<ORGANIZATION>/security/tools/dast/<TOOL_NAME>/reports \