Set up ISM
If you are setting up Veracode Internal Scanning Management (ISM) for the first time, complete the following workflow to:
- Install a gateway, which is the access point to the Veracode Platform cloud.
- Install an endpoint, which uses the gateway to connect your internal web applications or REST APIs to the Veracode Platform cloud for Dynamic Analysis scanning. The endpoint runs on the host machine as a service.
If you have already created a gateway, you can add endpoints to it or install additional endpoints.
We automatically delete a gateway and its associated endpoints if it has no scan activity for four months. When Veracode deletes a gateway, the Veracode Platform displays the name of the deleted gateway on the Internal Scanning Management page. To prevent Veracode from deleting a gateway, schedule a recurring analysis that uses the gateway for internal scanning. To scan internal web applications or REST APIs after Veracode deletes your gateway, you must create a new gateway and endpoint.
Before you begin:
- Ensure you meet the prerequisites, and you have administrator permissions on the machine on which you want to install an endpoint.
- Ensure that the machine on which you install an endpoint meets the system requirements and can reach the URLs or API server you want to scan. Open the URLs in a web browser and, if the machine cannot connect to the URLs, ask your IT administrator to enable the connection.
- We recommend creating only one gateway. A single gateway can handle connections from multiple endpoints.
To complete this task:
1. Sign in to the Veracode Platform.
2. From the gear icon at the top, select Internal Scanning Management.
3. Select Configure Internal Scanning.
4. Enter the name and description of the gateway. Then, select Next. Only ASCII characters are supported. UTF-8 is not supported.
5. Enter the name and description of the endpoint you want to connect to this gateway.
6. Select the platform (operating system) of the machine on which to install the endpoint. To perform a manual endpoint installation on a platform other than Windows or Linux, select Other and continue to Manually install an ISM endpoint.
7. Select Next.
8. To download the ZIP file containing the installer, select Download.
9. To copy your endpoint key, which you'll use later, to your clipboard, select Copy in the text box in step 2.3.
10. Move the downloaded ZIP file to a machine behind your firewall with access to your internal applications or REST APIs.
11. Extract the installer file from the ZIP file.
    - For Windows machines, the filename is veracode_ism_install.bat.
    - For Linux machines, the filename is veracode_ism_install.sh.
12. Run the installer file to open the wizard. If you are using a Linux machine without a GUI wrapper, run:

        sudo -s ./veracode_ism_install.sh

13. Read the terms of use for the endpoint, select the checkbox, and select Next.
14. Verify the installation folder and Java home are correct or select your preferred folders and select Next. If the installer cannot automatically detect the Java home, you must specify it.
15. If you use a proxy, select Manual configuration and provide the following information.
    a. Enter your proxy hostname and port number.
    b. If you want to use the proxy only for communication between the endpoint and gateway:
       - Select For gateway connection.
       - If you want the proxy to resolve the gateway hostname, which means you need to allow only the gateway hostname, clear the Let endpoint resolve hostname for gateway checkbox. If you do not clear it, you must include the hostname and IP address of the gateway in your allowlist.
    c. If you want to use the proxy for communication between the endpoint and gateway, and between the endpoint and the URLs you scan:
       - Select For gateway and URL connections.
       - If you want the proxy to resolve the gateway or URL hostnames, which means you need to allow only the hostname for the gateway and the URLs you scan, clear the Let endpoint resolve hostname for gateway or Let endpoint resolve hostname for URLs checkboxes. If you do not clear them, you must include the hostname and IP address of the gateway and URLs in your allowlist.
    d. If the proxy requires authentication, select Authentication Required. Then, enter your proxy credentials.
16. Select Next.
17. Paste the endpoint key you copied in step 9 and select Next. If you did not copy the endpoint key, go to the gateway page in the Veracode Platform, select the Actions menu for this endpoint, and select Copy Endpoint Key.
18. When the key validates, select Install.
19. Select Close.
20. If you configured a proxy, configure the proxy exclusion list.
    The new gateway and endpoint appear on the Internal Scanning Management page. The gateway might have a status of Initializing for a few minutes after you create it. The endpoint has a status of Pending until you successfully deploy it. When you successfully deploy the endpoint, it has a status of Ready. If the endpoint fails to connect to the gateway, your organization might need to add the gateway IP address or domain name to your allowlist. The IP address and domain are visible from the Internal Scanning Management page and the gateway page.
21. Configure a new or existing analysis to use the gateway and endpoint for internal scanning.
- DAST
- Dynamic Analysis
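
The proxy options in the installer decide which entries your allowlist needs. The following sketch is an added example, not Veracode code: it derives those entries from the two proxy modes and the "Let endpoint resolve hostname" checkboxes described above. The mode names, function names, and sample hostnames and addresses are assumptions made for illustration; take the real gateway hostname and IP address from the Internal Scanning Management page.

```python
import socket
from urllib.parse import urlsplit

# Hypothetical labels for "For gateway connection" and
# "For gateway and URL connections" in the installer wizard.
MODES = ("gateway", "gateway_and_urls")


def resolve_ips(host):
    """IP addresses this machine's resolver returns for host, sorted."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def allowlist_entries(mode, gateway_host, gateway_ip, scan_urls=(),
                      endpoint_resolves_gateway=True,
                      endpoint_resolves_urls=True, resolver=resolve_ips):
    """Allowlist entries implied by the chosen proxy options.

    A checkbox left selected (the endpoint resolves the name) needs the
    hostname and its IP address; a cleared checkbox (the proxy resolves
    the name) needs the hostname only.
    """
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}")
    entries = [gateway_host]
    if endpoint_resolves_gateway:
        entries.append(gateway_ip)
    if mode == "gateway_and_urls":  # scan traffic also goes through the proxy
        for url in scan_urls:
            host = urlsplit(url).hostname
            if not host:  # for example, a URL written without a scheme
                raise ValueError(f"no hostname in scan URL: {url!r}")
            entries.append(host)
            if endpoint_resolves_urls:
                entries.extend(resolver(host))
    return list(dict.fromkeys(entries))  # de-duplicate, keep order


if __name__ == "__main__":
    # Constructed sample values; the resolver is faked so this runs offline.
    fake_dns = {"app.corp.example": ["10.20.30.40"]}
    for endpoint_resolves in (True, False):
        print(endpoint_resolves, allowlist_entries(
            "gateway_and_urls", "gateway.example.test", "203.0.113.10",
            ["https://app.corp.example/login"],
            endpoint_resolves_gateway=endpoint_resolves,
            endpoint_resolves_urls=endpoint_resolves,
            resolver=lambda h: fake_dns[h]))
```

Run it on the endpoint machine with the default resolver so that the IP addresses match what the endpoint itself would look up.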