Veracode
Veracode is an automated security platform that identifies and remediates vulnerabilities in software applications. DAST, SAST, and SCA are supported. Integrate Veracode with Cortex to drive insights into vulnerabilities on entities.
Before getting started:
Create an .
If using XML, configure the ID with the following permissions:
get Detailed report
get Build list
get sandbox list
get application list
If using REST, configure the ID with the following permissions:
get application
get findings
Create a with the following roles:
Creator or Security Lead
Reviewer or Security Lead
Results API
In Cortex, click your avatar in the lower left corner, then click Settings.
Under "Integrations", click Veracode.
Click Add configuration.
Configure the Veracode integration form:
Key ID: Enter your Veracode API ID.
Secret key: Enter the secret key associated with your API ID.
Click Save.
You can set up the Veracode integration for an entity by specifying its Veracode application names or sandboxes in the x-cortex-static-analysis section of the entity descriptor. For example:
The application and sandbox names must appear exactly as they are in Veracode.
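Because the names must match Veracode exactly, the names intended for the descriptor can be pre-checked for case, whitespace and Unicode differences before the next sync. The following is an added example, not part of the Cortex documentation: it makes no API calls and assumes you have copied or exported the application and sandbox names from Veracode yourself. The function names and sample data are hypothetical.

```python
import unicodedata


def fold_name(name: str) -> str:
    """Collapse the differences that commonly hide in copied names:
    Unicode form, letter case, and runs of whitespace."""
    normalized = unicodedata.normalize("NFKC", name)
    return " ".join(normalized.split()).casefold()


def check_names(descriptor_names, veracode_names):
    """Classify each descriptor name as exact, near_miss or unknown.

    descriptor_names: names you plan to list under x-cortex-static-analysis.
    veracode_names:   names exactly as Veracode shows them (assumed to be
                      exported or copied by hand; nothing is fetched here).
    """
    exact = set(veracode_names)
    folded = {}
    for real in veracode_names:
        folded.setdefault(fold_name(real), []).append(real)

    report = {}
    for name in descriptor_names:
        if name in exact:
            report[name] = ("exact", [name])
        elif fold_name(name) in folded:
            # Same name after folding: suggest the spelling Veracode uses.
            report[name] = ("near_miss", folded[fold_name(name)])
        else:
            report[name] = ("unknown", [])
    return report


# Constructed sample data, not real application names.
VERACODE_NAMES = ["Payments API", "Payments API - Staging", "Web Store"]
DESCRIPTOR_NAMES = ["Payments API", "payments api - staging",
                    "Web\u00a0Store ", "Billing"]

if __name__ == "__main__":
    results = check_names(DESCRIPTOR_NAMES, VERACODE_NAMES)
    for name, (status, candidates) in results.items():
        print(f"{name!r}: {status} {candidates}")
```

A `near_miss` result lists the spelling to copy into the descriptor; an `unknown` result means no similarly named application or sandbox was in the list you supplied.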
When viewing an entity, click Code & security > Veracode to see the DAST findings count, SAST findings count, SCA findings count, and a list of findings that can be filtered by severity and source. The data syncs automatically every hour, or you can click Sync findings in the upper right side of the entity's Veracode page to trigger a sync.
With the Veracode integration, you can create Scorecard rules and write CQL queries based on Veracode findings.
Cortex conducts an entity sync for Veracode every hour.
The following options are available to get assistance from the Cortex Customer Engineering team:
Chat: Available in the Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.
Don’t have a Slack channel? Talk with your Customer Success Manager.
If you're using a self-hosted instance of Veracode, you'll need to verify that your Cortex instance is able to reach the Veracode instance. We route our requests through a static IP address. Reach out to support to receive details about our static IP. If you're unable to directly allowlist our static IP, you can route requests through a secondary proxy in your network that has this IP allowlisted and have that proxy route traffic to your Veracode instance.
In Cortex, navigate to the :
Region: Enter your Veracode instance .
If you’re unable to expose your Veracode instance to be reachable by Cortex, you can set up a .
On an overview, Veracode findings will appear in the Code and Security block.
See more examples in the in Cortex.
Email: , or open a support ticket in the in-app Resource Center