# Veracode

{% hint style="info" %}
Cortex connects to many third-party vendors whose system interfaces frequently change. As a result, integration behavior or configuration steps may shift without notice. If you encounter unexpected issues, check with your system administrator or refer to the vendor's documentation for the most current information. Additionally, integration sync times vary and are subject to scheduling overrides and timing variance.
{% endhint %}

[Veracode](https://www.veracode.com/) is an automated security platform that identifies and remediates vulnerabilities in software applications. DAST, SAST, and SCA are supported.

Integrating Veracode with Cortex allows you to:

* [View Veracode findings on entity pages](#view-veracode-data-on-entity-pages) in Cortex
* Create [Scorecards](#scorecards-and-cql) that track progress and drive alignment on Veracode vulnerability metrics

## How to configure Veracode with Cortex

### Prerequisite

Before getting started:

* Create an [API ID in Veracode](https://docs.veracode.com/r/c_api_credentials3).
  * If using XML, configure the ID with the following permissions:
    * `get Detailed report`
    * `get Build list`
    * `get sandbox list`
    * `get application list`
  * If using REST, configure the ID with the following permissions:
    * `get application`
    * `get findings`
* Create a [secret key in Veracode](https://docs.veracode.com/r/c_api_credentials3) with the following roles:
  * Creator or Security Lead
  * Reviewer or Security Lead
  * Results API

If you're using a self-hosted instance of Veracode, you'll need to verify that your Cortex instance is able to reach the Veracode instance.

We route our requests through a static IP address. Reach out to support at <help@cortex.io> to receive details about our static IP. If you're unable to directly allowlist our static IP, you can route requests through a secondary proxy in your network that has this IP allowlisted and have that proxy route traffic to your Veracode instance.

### Configure the integration in Cortex

1. In Cortex, navigate to the [Veracode settings page](https://app.getcortexapp.com/admin/integrations/veracode):
   1. Click **Integrations** from the main nav. Search for and select **Veracode**.
2. Click **Add configuration**.
3. Configure the Veracode integration form:
   * **Key ID**: Enter your Veracode API ID.
   * **Secret key**: Enter the secret key associated with your API ID.
   * **Region**: Enter your Veracode instance [region](https://docs.veracode.com/r/Region_Domains_for_Veracode_APIs).
4. Click **Save**.

To modify the integration configuration, see [Modifying an existing integration configuration](/ingesting-data-into-cortex/integrations.md#modifying-an-existing-integration-configuration).

### Advanced configuration

If you’re unable to expose your Veracode instance to be reachable by Cortex, you can set up a [custom integration webhook](/ingesting-data-into-cortex/entities-overview/entities/custom-data.md).

## How to connect Cortex entities to Veracode

### Editing the entity descriptor

You can set up the Veracode integration for an entity by specifying its Veracode application names or sandboxes in the `x-cortex-static-analysis` section of the entity descriptor. For example:

```yaml
x-cortex-static-analysis:
  veracode:
    applicationNames:
      - My Application
      - Second Application
    sandboxes:
      - applicationName: My Application
        sandboxName: My Sandbox
      - applicationName: Second Application
        sandboxName: Second Sandbox
```

The application and sandbox names must appear exactly as they are in Veracode.
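
Because the match is exact, a stray space or a difference in capitalization silently leaves an entity without findings. The following check is an added example, not part of Cortex or Veracode: it assumes you have already parsed the descriptor block into a dict and exported your Veracode application and sandbox names into a mapping. `lint_descriptor`, `DESCRIPTOR`, and `VERACODE_INVENTORY` are hypothetical names with constructed sample data.

```python
import unicodedata

# Constructed sample: the parsed x-cortex-static-analysis block from an entity
# descriptor (a YAML loader would produce this dict).
DESCRIPTOR = {
    "veracode": {
        "applicationNames": ["My Application", "second application"],
        "sandboxes": [
            {"applicationName": "My Application", "sandboxName": "My Sandbox "},
            {"applicationName": "Second Application", "sandboxName": "Second Sandbox"},
        ],
    }
}

# Constructed sample: application name -> sandbox names, exactly as in Veracode.
VERACODE_INVENTORY = {
    "My Application": ["My Sandbox"],
    "Second Application": ["Second Sandbox"],
}


def _fold(name):
    """Normalize for near-miss hints only; the real comparison stays exact."""
    return " ".join(unicodedata.normalize("NFKC", name).split()).casefold()


def _check(name, known, kind):
    if name in known:
        return None
    near = [k for k in known if _fold(k) == _fold(name)]
    hint = f"; did you mean {near[0]!r}?" if near else ""
    return f"{kind} {name!r} not found in Veracode{hint}"


def lint_descriptor(static_analysis, inventory):
    """Return a list of problems; an empty list means every name matches exactly."""
    cfg = static_analysis.get("veracode") or {}
    problems = []
    for app in cfg.get("applicationNames", []):
        problems.append(_check(app, inventory, "application"))
    for sb in cfg.get("sandboxes", []):
        app, sandbox = sb["applicationName"], sb["sandboxName"]
        err = _check(app, inventory, "application")
        if err is None:
            err = _check(sandbox, inventory[app], f"sandbox of {app!r}")
        problems.append(err)
    return [p for p in problems if p]
```

Calling `lint_descriptor(DESCRIPTOR, VERACODE_INVENTORY)` on the sample data reports the lowercase application name and the sandbox name with a trailing space.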

## Using the Veracode integration

### View Veracode data on entity pages

On an [entity details page](/ingesting-data-into-cortex/entities-overview/entities/details.md) overview, Veracode findings will appear in the **Code and Security** block.

When viewing an entity, click **Code & security > Veracode** to see the DAST findings count, SAST findings count, SCA findings count, and a list of findings that can be filtered by severity and source. The data syncs automatically every hour, or you can click **Sync findings** in the upper right side of the entity's Veracode page to trigger a sync.

### Scorecards and CQL

With the Veracode integration, you can create Scorecard rules and write CQL queries based on Veracode findings.

See more examples in the [CQL Explorer](https://app.getcortexapp.com/admin/cql-explorer) in Cortex.

<details>

<summary>Check if Veracode application is set</summary>

Check if entity has Veracode application or sandbox specified in its entity descriptor.

**Definition:** `veracode (==/!= null): Boolean`

**Example**

In a Scorecard, you can write a rule to verify that an entity has a Veracode application or sandbox specified:

```
veracode != null
```

</details>

<details>

<summary>Findings</summary>

List of findings, filterable on risk, source, and status.

**Definition:** `veracode.findings(): List`

**Example**

In a Scorecard, you can write a rule to verify that an entity has fewer than 10 Veracode findings from two of the sources:

```
veracode.findings(source = ["STATIC", "SCA"]).length < 10
```

You can write a rule to verify that an entity has no more than 3 findings with a risk level of 0 or 2:

```
veracode.findings(risk = ["0", "2"]).length <= 3
```

You can write a rule to verify that an entity has fewer than 5 findings with a status of "OPEN":

```
veracode.findings().filter((f) => f.findingStatus.status == "OPEN").length < 5
```

</details>

### View integration logs

## Background sync

Cortex conducts an entity sync for Veracode every hour.

## Still need help? <a href="#still-need-help" id="still-need-help"></a>

The following options are available to get assistance from the Cortex Customer Engineering team:

* **Email**: <help@cortex.io>, or open a support ticket in the in-app Resource Center
* **Slack**: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a `:ticket:` reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

