Deploy Veracode GitHub Workflow App
The Veracode GitHub Workflow App runs Veracode scans directly in GitHub by using a GitHub app and a centralized integration repository. This section guides you through planning and deploying the workflow app in one or more GitHub organizations.
Use this integration to:
- Manage workflows and configuration through a centralized integration repository per GitHub organization.
- Run consistent scans across repositories and events (push, pull request, merge, issue keywords).
- View results where developers work, including pull request checks, GitHub Code Scanning alerts, and the Veracode Platform, depending on the scan type.
Who should use this guide
DevSecOps leads, platform administrators, security architects, and DevOps engineers.
Compare integration approaches
The GitHub Workflow App and traditional Veracode CI or API-based integrations use different deployment models.
- The GitHub Workflow App uses centralized configuration and native GitHub events. This approach can simplify onboarding and ongoing maintenance, especially in environments with many repositories.
- Traditional CI or API-based integrations typically require repository-specific pipeline configuration. This approach can offer more customization but usually requires ongoing maintenance for each repository.
The GitHub Workflow App is well suited for customers who want consistent scanning behavior and reduced operational overhead across many repositories in each GitHub organization.
For more information, see choose a deployment strategy.
Deployment considerations
Review the following considerations because they might affect your architecture and rollout decisions. For more information, see the planning considerations and installation prerequisites.
| Topic | Consideration | Recommendation |
|---|---|---|
| Installation scope | Workflow App must be installed per organization (no enterprise-level installation) | In large environments, automate repeated org-level setup |
| SCA workspace | By default, all repositories use a single SCA workspace, creating visibility and access-control challenges at scale | During planning, validate whether the workspace model meets your access-control requirements. See SCA workspace usage |
| SCA GitHub Issues | SCA scans in this integration don't support creating GitHub Issues | Use GitHub code scanning alerts or Veracode Platform for SCA results |
| GitHub status checks | A failed check can indicate a workflow error or a policy violation, which you can review in the logs | Establish clear remediation workflows and communicate when checks indicate either policy violations or infrastructure issues |
| XML API usage | Policy scans and certain scan configurations rely on XML APIs, not REST | No action required, but be aware if you monitor API usage for cost or performance |
Get support
If you need help planning or rolling out a deployment, contact Veracode Technical Support.