Veracode
Summary
Veracode is an automated application security and remediation platform. It can be used to drive insights from dynamic (DAST), static (SAST), and software composition (SCA) analysis, all three of which are supported.
Setup
To connect Cortex to your Veracode instance, you'll need to create a secret key with the "Creator or Security Lead" role, the "Reviewer or Security Lead" role, and the "Results API" role, and add it along with its ID under Settings → Veracode. Additionally, you'll need to provide the region that your instance uses.
If you do not see the settings page you're looking for, you likely don't have the proper permissions and need to contact your admin.
If you're using a self-hosted instance of Veracode, you'll need to verify that your Cortex instance is able to reach the Veracode instance.
We route our requests through a static IP address. Reach out to support at help@cortex.io to receive details about our static IP.
If you're unable to directly allowlist our static IP, you can route requests through a secondary proxy in your network that has this IP allowlisted and have that proxy route traffic to your Veracode instance.
Advanced configuration
If you're unable to make your Veracode instance reachable by Cortex, you can set up a Custom Integration Webhook.
Registration
Discovery
Specify the applications and/or sandboxes that Cortex should pull from by adding their names to the Cortex Service Descriptor.
Entity descriptor
You can set up the Veracode integration for an entity by specifying its Veracode application names or sandboxes in the x-cortex-static-analysis section of the entity descriptor.
x-cortex-static-analysis:
  veracode:
    applicationNames:
      - My Application
      - Second Application
    sandboxes:
      - applicationName: My Application
        sandboxName: My Sandbox
      - applicationName: Second Application
        sandboxName: Second Sandbox
Please paste the application and sandbox names exactly as they appear in Veracode.