Veracode
Summary
Veracode is an automated application security and remediation platform. It can be used to drive insights into dynamic, static & software composition analysis. DAST, SAST, and SCA are supported.
Setup
In order to connect Cortex to your Veracode instance, you’ll need to create a Secret Key, and add it along with its ID under Settings → Veracode. Additionally, you'll need to provide the region that your instance uses.
If you do not see the Settings page you're looking for, you likely don't have the proper permissions and need to contact your admin.
If you're using a self-hosted instance of Veracode, you'll need to
verify that your Cortex instance is able to reach the Veracode instance.
We route our requests through a static IP address. Reach out to support at
help@cortex.io to receive details about our static IP.
If you're unable to directly whitelist our static IP, you can route requests through a
secondary proxy in your network that has this IP whitelisted, and have that proxy route traffic
to your Veracode instance.
Advanced configuration
If you’re unable to expose your Veracode instance to be reachable by Cortex, you can set up a Custom Integration Webhook.
Registration
Discovery
Specify the applications and/or sandboxes that Cortex should pull from by adding their names to the Cortex Service Descriptor.
Entity descriptor
If you need to override the automatic discovery, you can define the following block in your Cortex entity descriptor.
x-cortex-static-analysis:
veracode:
applicationNames:
- My Application
- Second Application
sandboxes:
- applicationName: My Application
sandboxName: My Sandbox
- applicationName: Second Application
sandboxName: Second Sandbox
Please paste the application and sandbox name exactly as they appear in Veracode.