Veracode

Catalog, Scorecards

Summary

Veracode is an automated application security and remediation platform. It can be used to drive insights into dynamic, static & software composition analysis. DAST, SAST, and SCA are supported.

Setup

To connect Cortex to your Veracode instance, you'll need to create a secret key with the "Creator or Security Lead" role, the "Reviewer or Security Lead" role, and the "Results API" role, and add it along with its ID under Settings → Veracode. Additionally, you'll need to provide the region that your instance uses.

Caution: If you do not see the settings page you're looking for, you likely don't have the proper permissions and need to contact your admin.

Caution: If you're using a self-hosted instance of Veracode, you'll need to verify that your Cortex instance is able to reach the Veracode instance.

We route our requests through a static IP address. Reach out to support at help@cortex.io to receive details about our static IP. If you're unable to directly allowlist our static IP, you can route requests through a secondary proxy in your network that has this IP allowlisted and have that proxy route traffic to your Veracode instance.

Advanced configuration

If you’re unable to expose your Veracode instance to be reachable by Cortex, you can set up a Custom Integration Webhook.

Registration

Discovery

Specify the applications and/or sandboxes that Cortex should pull from by adding their names to the Cortex Service Descriptor.

Entity descriptor

You can set up the Veracode integration for an entity by specifying its Veracode application names or sandboxes in the x-cortex-static-analysis section of the entity descriptor.

x-cortex-static-analysis:
  veracode:
    applicationNames:
      - My Application
      - Second Application
    sandboxes:
      - applicationName: My Application
        sandboxName: My Sandbox
      - applicationName: Second Application
        sandboxName: Second Sandbox

Please paste the application and sandbox names exactly as they appear in Veracode.
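
One way to catch names that do not match exactly before the descriptor is committed, as an added example (not Cortex or Veracode code). It assumes the descriptor has already been parsed into a dict and that the application and sandbox names copied from Veracode are supplied as a mapping; `lint_descriptor`, `INVENTORY`, and `DESCRIPTOR` are hypothetical names, and the sample data is constructed.

```python
# Added example, not Cortex or Veracode code. The inventory below is constructed
# sample data standing in for names copied out of Veracode.

def _norm(name):
    """Collapse case and whitespace so near-misses can be detected."""
    return " ".join(str(name).split()).casefold()

def _check(name, known, label):
    """Return None on an exact match, otherwise a finding string."""
    if name in known:
        return None
    near = [k for k in known if _norm(k) == _norm(name)]
    if near:
        return f"{label} {name!r} differs only in case/whitespace from {near[0]!r}"
    return f"{label} {name!r} not found in Veracode inventory"

def lint_descriptor(descriptor, inventory):
    """Check x-cortex-static-analysis.veracode names against an inventory.

    descriptor: entity descriptor already parsed into a dict.
    inventory:  {application name: set of sandbox names} (hypothetical shape).
    """
    veracode = (descriptor.get("x-cortex-static-analysis") or {}).get("veracode") or {}
    findings = []
    for app in veracode.get("applicationNames") or []:
        finding = _check(app, inventory, "application")
        if finding:
            findings.append(finding)
    for entry in veracode.get("sandboxes") or []:
        app, sandbox = entry.get("applicationName"), entry.get("sandboxName")
        finding = _check(app, inventory, "application")
        if finding:
            findings.append(finding)
            continue  # sandbox cannot be checked without a known application
        finding = _check(sandbox, inventory[app], f"sandbox of {app!r}")
        if finding:
            findings.append(finding)
    return findings

# Constructed sample data: one clean entry and three deliberate mismatches.
INVENTORY = {"My Application": {"My Sandbox"}, "Second Application": {"Second Sandbox"}}
DESCRIPTOR = {"x-cortex-static-analysis": {"veracode": {
    "applicationNames": ["My Application", "second application "],
    "sandboxes": [
        {"applicationName": "My Application", "sandboxName": "My  Sandbox"},
        {"applicationName": "Second Application", "sandboxName": "Third Sandbox"},
    ]}}}

if __name__ == "__main__":
    for line in lint_descriptor(DESCRIPTOR, INVENTORY):
        print(line)
```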