Veracode

Last updated 1 month ago

Overview

Veracode is an automated security platform that identifies and remediates vulnerabilities in software applications. It supports DAST, SAST, and SCA scanning. Integrate Veracode with Cortex to drive insights into vulnerabilities on entities.

How to configure Veracode with Cortex

Prerequisite

Before getting started:

  • Create an API ID in Veracode.

    • If using XML, configure the ID with the following permissions:

      • get Detailed report

      • get Build list

      • get sandbox list

      • get application list

    • If using REST, configure the ID with the following permissions:

      • get application

      • get findings

  • Create a secret key in Veracode with the following roles:

    • Creator or Security Lead

    • Reviewer or Security Lead

    • Results API

Configure the integration in Cortex

  1. In Cortex, click your avatar in the lower left corner, then click Settings.

  2. Under "Integrations", click Veracode.

  3. Click Add configuration.

  4. Configure the Veracode integration form:

    • Key ID: Enter your Veracode API ID.

    • Secret key: Enter the secret key associated with your API ID.

  5. Click Save.

Advanced configuration

If you're using a self-hosted instance of Veracode, you'll need to verify that your Cortex instance is able to reach the Veracode instance. We route our requests through a static IP address. Reach out to support at help@cortex.io to receive details about our static IP. If you're unable to directly allowlist our static IP, you can route requests through a secondary proxy in your network that has this IP allowlisted and have that proxy route traffic to your Veracode instance.

In Cortex, navigate to the Veracode settings page:

  • Region: Enter your Veracode instance region.

If you’re unable to expose your Veracode instance to be reachable by Cortex, you can set up a custom integration webhook.

How to connect Cortex entities to Veracode

Editing the entity descriptor

You can set up the Veracode integration for an entity by specifying its Veracode application names or sandboxes in the x-cortex-static-analysis section of the entity descriptor. For example:

x-cortex-static-analysis:
  veracode:
    applicationNames:
      - My Application
      - Second Application
    sandboxes:
      - applicationName: My Application
        sandboxName: My Sandbox
      - applicationName: Second Application
        sandboxName: Second Sandbox

The application and sandbox names must appear exactly as they are in Veracode.

Expected results

Entity pages

On an entity details page overview, Veracode findings will appear in the Code and Security block.

When viewing an entity, click Code & security > Veracode to see the DAST findings count, SAST findings count, SCA findings count, and a list of findings that can be filtered by severity and source. The data syncs automatically every hour, or you can click Sync findings in the upper right side of the entity's Veracode page to trigger a sync.

Scorecards and CQL

With the Veracode integration, you can create Scorecard rules and write CQL queries based on Veracode findings. See more examples in the CQL Explorer in Cortex.

Check if Veracode application is set

Check if the entity has a Veracode application or sandbox specified in its entity descriptor.

Definition: veracode (==/!= null): Boolean

Example

In a Scorecard, you can write a rule to verify that an entity has a Veracode application or sandbox specified:

veracode != null

Findings

List of findings, filterable on risk and source

Definition: veracode.findings(): List

Example

In a Scorecard, you can write a rule to verify that an entity has fewer than 10 Veracode findings from the STATIC and SCA sources:

veracode.findings(source = ["STATIC", "SCA"]).length < 10

You can write a rule to verify that an entity has fewer than 3 findings with a risk level of 0 or 2:

veracode.findings(risk = ["0", "2"]).length <= 3

Background sync

Cortex conducts an entity sync for Veracode every hour.

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

  • Chat: Available in the Resource Center

  • Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

  • Email: help@cortex.io, or open a support ticket in the in-app Resource Center

Don’t have a Slack channel? Talk with your Customer Success Manager.
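The descriptor section shown under "Editing the entity descriptor" above only works when the names match Veracode exactly, and the `veracode != null` rule only checks that the section is present, not that the names resolve. As an added example (not Cortex or Veracode code), the following Python compares a descriptor's applicationNames and sandboxes against a Veracode inventory and reports near-misses such as stray whitespace or wrong case. The inventory is constructed inline, and the descriptor is supplied as the already-parsed form of the page's YAML (what `yaml.safe_load` would return) so the check runs without PyYAML.

```python
"""Check a descriptor's veracode section against a Veracode inventory.

Added example, not Cortex or Veracode code. The descriptor is the parsed
form of the YAML from the page (e.g. yaml.safe_load(...)), supplied here as
a dict so the check runs without PyYAML. The inventory is constructed; in
practice it would be the application and sandbox lists fetched from Veracode.
"""

# Constructed Veracode inventory: application name -> set of sandbox names.
INVENTORY = {
    "My Application": {"My Sandbox"},
    "Second Application": {"Second Sandbox", "QA Sandbox"},
}

# Parsed x-cortex-static-analysis section with two deliberate mismatches:
# a trailing space on an application name and a wrong-case sandbox name.
DESCRIPTOR = {
    "veracode": {
        "applicationNames": ["My Application", "Second Application "],
        "sandboxes": [
            {"applicationName": "My Application", "sandboxName": "My Sandbox"},
            {"applicationName": "Second Application", "sandboxName": "qa sandbox"},
        ],
    }
}


def _closest(name, candidates):
    """Return a candidate equal to name ignoring case and whitespace, if any."""
    key = name.strip().lower()
    return next((c for c in candidates if c.strip().lower() == key), None)


def check_veracode_section(section, inventory):
    """Return a list of problems; an empty list means every name matches exactly."""
    problems = []
    veracode = section.get("veracode")
    if not veracode:
        return ["no veracode section: veracode != null would fail"]
    for app in veracode.get("applicationNames", []):
        if app not in inventory:
            near = _closest(app, inventory)
            hint = f" (did you mean {near!r}?)" if near else ""
            problems.append(f"unknown application {app!r}{hint}")
    for sb in veracode.get("sandboxes", []):
        app, name = sb.get("applicationName"), sb.get("sandboxName")
        if app not in inventory:
            problems.append(f"sandbox {name!r}: unknown application {app!r}")
        elif name not in inventory[app]:
            near = _closest(name, inventory[app])
            hint = f" (did you mean {near!r}?)" if near else ""
            problems.append(f"unknown sandbox {name!r} for {app!r}{hint}")
    return problems


if __name__ == "__main__":
    for problem in check_veracode_section(DESCRIPTOR, INVENTORY):
        print("mismatch:", problem)
```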
