Veracode
Summary
Veracode is an automated application security and remediation platform. It can be used to drive insights into dynamic analysis (DAST), static analysis (SAST), and software composition analysis (SCA), all of which are supported.
Setup
In order to connect Cortex to your Veracode instance, you’ll need to create a Secret Key, and add it along with its ID under Settings → Veracode. Additionally, you'll need to provide the region that your instance uses.
If you do not see the Settings page you're looking for in the sidebar, you likely don't have the proper permissions and need to contact your admin.
We route our requests through a static IP address. Reach out to support at help@cortex.io to receive details about our static IP. If you're unable to directly whitelist our static IP, you can route requests through a secondary proxy in your network that has this IP whitelisted, and have that proxy route traffic to your Veracode instance.
Advanced configuration
If you can't make your Veracode instance reachable by Cortex, you can set up a Custom Integration Webhook.
Registration
Discovery
Specify the applications and/or sandboxes that Cortex should pull from by adding their names to the Cortex Service Descriptor.
Catalog descriptor
If you need to override the automatic discovery, you can define the following block in your Cortex Catalog Descriptor.
x-cortex-static-analysis:
  veracode:
    applicationNames:
      - My Application
      - Second Application
    sandboxes:
      - applicationName: My Application
        sandboxName: My Sandbox
      - applicationName: Second Application
        sandboxName: Second Sandbox
Please paste the application and sandbox names exactly as they appear in Veracode.
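Because the names must match exactly, a pre-commit check on the descriptor can catch near-misses before they reach Cortex. The following is an added example, not Cortex or Veracode code: the function names, the inventory mapping (assumed to be copied out of Veracode by hand) and the sample data are all constructed, and the descriptor block is assumed to be already parsed from YAML.

```python
# Added example, not Cortex or Veracode code. All names below are constructed.

def _normalize(name):
    """Collapse whitespace and case so near-misses can be detected."""
    return " ".join(name.split()).casefold()

def _check(kind, name, candidates):
    """Return None on an exact match, otherwise a problem string with a hint."""
    if name in candidates:
        return None
    near = [c for c in candidates if _normalize(c) == _normalize(name)]
    hint = f"; differs only by case/whitespace from {near[0]!r}" if near else ""
    return f"{kind} {name!r} not found in inventory{hint}"

def lint_veracode_block(block, inventory):
    """block: parsed 'veracode' mapping from the descriptor.
    inventory: {application name: [sandbox names]} copied from Veracode.
    Returns a list of problems; empty means every name matches exactly."""
    problems = []
    for app in block.get("applicationNames") or []:
        problems.append(_check("application", app, inventory))
    for entry in block.get("sandboxes") or []:
        app, sandbox = entry.get("applicationName"), entry.get("sandboxName")
        if not app or not sandbox:
            problems.append(f"sandbox entry {entry!r} needs both name fields")
            continue
        app_problem = _check("application", app, inventory)
        # Only look up the sandbox when its application matched exactly.
        problems.append(app_problem or _check(
            f"sandbox of {app!r}", sandbox, inventory[app]))
    return [p for p in problems if p]

# Constructed inventory, as an operator might copy it out of Veracode.
INVENTORY = {
    "My Application": ["My Sandbox"],
    "Second Application": ["Second Sandbox"],
}
# Constructed descriptor block (already parsed from YAML) with two near-misses.
BLOCK = {
    "applicationNames": ["My Application", "second application "],
    "sandboxes": [
        {"applicationName": "My Application", "sandboxName": "My  Sandbox"},
        {"applicationName": "Second Application", "sandboxName": "Second Sandbox"},
    ],
}

if __name__ == "__main__":
    for problem in lint_veracode_block(BLOCK, INVENTORY):
        print(problem)
```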