
Integrate with Veracode

Veracode integrations allow you to maximize the benefits of static and dynamic cloud-based security testing in your Software Development Life Cycle (SDLC) and Governance, Risk, and Compliance (GRC) workflows.

Veracode application programming interfaces (APIs) and plugins automate the scanning of applications and the analysis of results across the major software development tasks: coding, building, testing, and deploying.

Veracode integrations enable you to automate all necessary security verification tasks, including:

  • Creating application profiles.
  • Uploading applications.
  • Submitting applications for scanning directly from integrated development environments (IDEs) and continuous integration/delivery (CI/CD) environments.

Because findings identify the specific line of code and include remediation instructions, you can integrate them directly into IDEs and defect tracking systems to streamline defect triage and fixing.

Note: Veracode APIs and integrations require access to specific Region Domains, depending on the region for your Veracode account. Contact your IT team to ensure the correct domains for your region are on the allowlist for your organization. Also, ensure that outbound (one-way) communication on port 443 to the domain for the REST APIs is permitted. Refer to the complete list of domains and IP addresses to add to your allowlist.

Integration types

A Veracode integration can be one or more of the following types:

Veracode integrations

REST APIs: Veracode REST APIs enable you to programmatically interact with the Veracode Platform to seamlessly incorporate application flaw, summary, and policy information into your compliance and risk management programs.

XML APIs: Veracode XML APIs enable you to programmatically interact with the Veracode Platform to seamlessly incorporate application flaw, summary, and policy information into your compliance and risk management programs.

API wrappers: The Veracode API wrappers are Veracode-developed CLI programs that can communicate with the Veracode XML APIs. You can use the API wrappers to accelerate the integration of the Veracode XML APIs in your software development lifecycle.

IDE integrations: Before checking in your code, you can start a scan, review security findings, and triage the results, all from within your IDE. Veracode integrates with Eclipse, IntelliJ, Visual Studio, VS Code, and others. To identify flaws in lines of code and get remediation guidance in seconds, directly in your IDE, use Veracode Greenlight. Greenlight is not available in the European Region.

CI/CD integrations: By integrating Veracode into your build and release pipelines, using tools such as Jenkins or Azure DevOps, you can test in the pipeline or in parallel. You can also stop the pipeline if Veracode finds security issues that violate your policy.

Ticketing integrations: The Veracode defect-tracking integrations with Jira, Azure DevOps, and Bugzilla create defect tickets from Veracode findings. The integrations also update or close defects automatically after you retest your code.

WAF integrations: Work with Veracode to integrate custom rules for web application firewall (WAF) tools such as Imperva and ModSecurity. You apply these rules to your WAF tools to block potential attacks based on the results of your Dynamic Analysis scans.

GRC integration: Veracode has partnered with several vulnerability-management providers to help you understand which of your applications might be in violation of your corporate security policies and how quickly your organization is addressing issues. Veracode also provides a native integration for RSA Archer.

Notification tools integrations: Integrate DAST Essentials with your notification or chat tools, such as Slack and Microsoft Teams, to get notified about your recent Dynamic Analysis scans.

Docker images: Veracode provides Docker images for the Java API wrapper, Pipeline Scan, and for HMAC signing.

Automating scans with integrations

When you use the Veracode integrations, such as the Veracode APIs or CI/CD plugins, to automate Static Analysis or Software Composition Analysis scans of your applications, you must follow certain guidelines to ensure that your automations run successfully.

Any first-party modules you upload for Static Analysis or third-party components you select for Veracode SCA upload scanning must not have fatal or blocking errors. These errors prevent the analysis from starting and cause your automation to fail. Before you run your automation, run a prescan verification to identify and resolve any errors in your modules and files.

For CI/CD systems, each scan in the same automation must upload the same top-level modules. If the top-level modules change between scans, all scans in the automation pause automatically. Before you can restart the automation, you must review the changed or added modules to ensure that all uploads include the same top-level modules.
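One way to enforce these two guidelines in the pipeline step that submits a scan, as an added example that is not Veracode's own code: it assumes you have already extracted the prescan results and the top-level module lists into plain Python data (the field names and sample data are constructed), and it stops the run on any fatal or blocking error or on any change in the module set.

```python
from dataclasses import dataclass, field

# Severities that prevent an analysis from starting (per the guidelines above).
BLOCKING_SEVERITIES = {"fatal", "blocking"}


@dataclass
class PrescanResult:
    # Constructed shape: module name -> list of (severity, message) pairs,
    # as you would extract them from your own prescan step's output.
    module_errors: dict = field(default_factory=dict)


@dataclass
class GateDecision:
    proceed: bool
    reasons: list


def blocking_errors(prescan: PrescanResult) -> dict:
    """Return {module: [message, ...]} for modules with fatal or blocking errors."""
    found = {}
    for module, errors in prescan.module_errors.items():
        msgs = [msg for sev, msg in errors if sev.lower() in BLOCKING_SEVERITIES]
        if msgs:
            found[module] = msgs
    return found


def module_drift(baseline: set, current: set) -> tuple:
    """Return (added, removed) top-level modules compared with the previous scan."""
    return (sorted(current - baseline), sorted(baseline - current))


def evaluate_gate(prescan, baseline_modules, current_modules) -> GateDecision:
    """Decide whether the automated scan may start; any reason blocks the run."""
    reasons = [f"{m}: prescan error(s): {'; '.join(msgs)}"
               for m, msgs in blocking_errors(prescan).items()]
    added, removed = module_drift(set(baseline_modules), set(current_modules))
    if added or removed:
        reasons.append(f"top-level modules changed (added={added}, removed={removed});"
                       " review the modules before restarting the automation")
    return GateDecision(proceed=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample: one module with a warning, one with a fatal error,
    # and a new top-level module that was not part of the previous scan.
    sample = PrescanResult({"app-web.war": [("warning", "missing debug symbols")],
                            "legacy.dll": [("fatal", "unsupported platform binary")]})
    decision = evaluate_gate(sample, {"app-web.war", "legacy.dll"},
                             {"app-web.war", "legacy.dll", "new-lib.jar"})
    print("proceed" if decision.proceed else "pause:\n  " + "\n  ".join(decision.reasons))
```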