To request vendors or third-party providers to upload their code to Veracode for scanning, perform the following tasks:
Create a third-party application
You must create an application profile for a new application that has not been scanned before. The application profile describes your application and who can submit a scan request for it. In addition, the application profile provides metadata that is used to compute the score of the application and to report results across all applications.
- Sign in to the Veracode Platform.
- Select Add Application on the Applications page to begin creating the application.
- Enter the name of the third-party application and, optionally, a description and tags separated by commas. If the tag name includes a comma, surround the tag with quotation marks. If you have used tags before for other applications, these are available for you to select.
- Enter the business criticality of this application to your organization. The business criticality determines the default policy for the application. You can change the business criticality later, if necessary, by editing the application profile.
- Select a policy from the dropdown menu if you do not want to use the default policy.
- Select the business unit that manages this application. If the business unit does not yet exist in the menu, select Add a Business Unit and create it.
- Enter the name and email address of the business owner who is responsible for this application.
- Select who has visibility of the application scanning results. You can give visibility to teams of users and change these selections at any time by editing the profile.
- In the Submission of Scan Data section, select a vendor account that you want to be able to submit scan requests. If you want the vendor to be able to rescan applications without informing you or publishing data to you first, select Enable Vendor Rescanning. After you select this option, vendors can select Rescan without creating a new scan request.
- Select a vendor from the dropdown menu, or request a new vendor.
- Select Save and Continue.
- Optionally, provide this metadata or edit the profile later to add more details:
  - Origin: identify where the application originated, such as from a third-party library or internal development.
  - Industry: select the industry of your company.
  - Application Purpose: identify how you use the application, such as for security or software development.
  - Deployment Method: identify how the application usually deploys, such as web-based or third-party vendor.
  - Archer Application Name: this field, available only for users with the Security Lead role, enables you to set a custom name for the application in the Archer data feed.
  - Custom Metadata: use the custom fields to add any other metadata with which you want to track or analyze this application.
- Select Save & Continue to save the profile information.
Veracode contacts the vendor to begin the provisioning process. Once the vendor has been provisioned or associated with your account, the scan request is sent to the vendor you selected for fulfillment. You can check the status of the scan as it progresses.
Request a new vendor
If the vendor is not already on the Veracode Platform, or has not been associated with your account, you can request them as a new vendor.
Select the Request New Vendor link.
Fill out all required fields for the vendor.
Note: You must provide a primary point of contact for the vendor.
Request a third-party scan
After creating a third-party application, you can then request a scan of that application. From the Application Overview, select Scans and Analysis and select the scan type you want to perform. If you do not see the scan type you want, it is possible that a scan of that type is already in progress or that scan type is not authorized.
After you request the scan, the status in the application overview is Request In Progress.