Skip to main content

Deploy Veracode GitHub Workflow App

The Veracode GitHub Workflow App runs Veracode scans directly in GitHub by using a GitHub app and a centralized integration repository. This section guides you through planning and deploying the workflow app in one or more GitHub organizations.

Use this integration to:

  • Manage workflows and configuration through a centralized integration repository per GitHub organization.
  • Run consistent scans across repositories and events (push, pull request, merge, issue keywords).
  • View results where developers work, including pull request checks, GitHub Code Scanning alerts, and the Veracode Platform, depending on the scan type.

Who should use this guide

DevSecOps leads, platform administrators, security architects, and DevOps engineers.

Compare integration approaches

The GitHub Workflow App and traditional Veracode CI or API-based integrations use different deployment models.

  • The GitHub Workflow App uses centralized configuration and native GitHub events. This approach can simplify onboarding and ongoing maintenance, especially in environments with many repositories.
  • Traditional CI or API-based integrations typically require repository-specific pipeline configuration. This approach can offer more customization but usually requires ongoing maintenance for each repository.

The GitHub Workflow App is well suited for customers who want consistent scanning behavior and reduced operational overhead across many repositories in each GitHub organization.

For more information, see choose a deployment strategy.

Deployment considerations

Review the following considerations because they might affect your architecture and rollout decisions. For more information, see the planning considerations and installation prerequisites.

TopicConsiderationRecommendation
Installation scopeWorkflow App must be installed per organization (no enterprise-level installation)In large environments, automate repeated org-level setup
SCA workspaceBy default, all repositories use a single SCA workspace, creating visibility and access-control challenges at scaleDuring planning, validate whether the workspace model meets your access-control requirements. See SCA workspace usage
SCA GitHub IssuesSCA scans in this integration don't support creating GitHub IssuesUse GitHub code scanning alerts or Veracode Platform for SCA results
GitHub status checksA failed check can indicate a workflow error or a policy violation, which you can review in the logsEstablish clear remediation workflows and communicate when checks indicate either policy violations or infrastructure issues
XML API usagePolicy scans and certain scan configurations rely on XML APIs, not RESTNo action required, but be aware if you monitor API usage for cost or performance

Get support

If you need help planning or rolling out a deployment, contact Veracode Technical Support.