Package: Invicti AppSec Enterprise (on-premise, on-demand)
Veracode SAST
Invicti AppSec supports Veracode as a SAST (Static Application Security Testing) scanner. This guide explains how to activate and configure the Veracode integration.
Veracode provides cloud-based application security testing including static analysis, dynamic analysis, and software composition analysis.
Prerequisites
Before starting the integration, ensure you have the following information from your Veracode account:
| Field | Description | Required |
|---|---|---|
| ID | API ID from your Veracode account | Yes |
| Secret Key | API Secret Key from your Veracode account | Yes |
| Region | Your Veracode region (e.g., Commercial, Europe, US Federal) | Yes |
Get API Credentials (on Veracode Side)
- Log in to the Veracode Platform at https://analysiscenter.veracode.com.
- Click on your username (upper right-hand corner).
- Select API Credentials from the dropdown menu.
- Click Generate API Credentials.
- Copy both the API ID and API Key immediately (they won't be shown again).
- Save these credentials securely.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.
Step 2: Select the SAST Tab
On the Integrations page, you will see the Scanners section with multiple tabs. Click on the SAST tab (it is selected by default).

Step 3: Find and Activate Veracode
Scroll through the list of SAST scanners to find Veracode.
- If Veracode is not activated, you will see an "Activate" button. Click it to enable the integration.
- If Veracode is already activated, you will see a toggle switch in the ON position and a "Deactivate" button, along with a gear icon for configuration.
The scan method badge on the Veracode card shows KDT, which means scans are triggered through the Kondukto CLI tool (KDT).
Step 4: Configure Connection Settings
Click on the gear icon on the Veracode card to open the configuration panel. Fill in the required fields:
- ID: Enter your Veracode API ID.
- Secret Key: Enter your Veracode API Secret Key.
- Region: Select your Veracode region from the dropdown (e.g., Commercial (api.veracode.com), Europe, or US Federal).

Step 5: Test the Connection
Click the "Test Connection" button at the bottom of the configuration panel to verify that the provided credentials and URL are correct.
- If the connection is successful, the integration is ready to use.
- If the connection fails, verify your API ID and Secret Key values.
- For existing integrations, you can use the "Retest Connection" button at the top of the panel.
Step 6: Advanced Settings (Optional)
Click on "Advanced Settings" to expand additional options:
| Setting | Description | Default |
|---|---|---|
| Allow team leads to scan this instance | Permits team leads to trigger scans using this Veracode instance | Off |
| Allow team leads to create new instances | Permits team leads to create additional Veracode instances | Off |
After modifying advanced settings, click "Save Advanced Settings" to apply changes.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the SAST tab under Scanners |
| 3 | Find Veracode and click Activate (if not already active) |
| 4 | Click the gear icon and fill in ID, Secret Key, and Region |
| 5 | Click Test Connection to verify |
| 6 | (Optional) Configure Advanced Settings for team lead permissions |
Create a Scan
After activating and configuring Veracode, you can create scans from your project's scanner settings.
Navigate to Project Scanners
- Go to your Project page.
- Click on the Settings tab.
- Select Scanners from the left sidebar.
Add Veracode Scanner
- In the scanner type dropdown, select SAST.
- In the scanner dropdown, search for and select Veracode.
- Click the Add button to open the scan configuration drawer.

Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | Select the environment for the scan (optional) | No |
| Bind to | Select the Veracode application/project to bind to | Yes |
| Sandbox | Select a Veracode sandbox for the scan (appears after selecting a project) | No |
| Branch | Specify the branch to scan | No |
| Meta Data | Additional metadata for the scan (optional) | No |
| Scan Tag | Tag to identify the scan (optional) | No |
| Start Scan | Toggle to start the scan immediately on Veracode side | No |
| Fork Default Branch | Enable to fork the default branch before scanning | No |
Scheduler
- Now: Run the scan immediately after saving.
- Custom Date: Schedule the scan for a specific date and time.
Webhook (Optional)
Enable webhook to trigger scans via actions taken on your application lifecycle management tool:
- Check the Trigger scans via actions checkbox.
- Select the Platform (e.g., GitHub, GitLab, Bitbucket).
- Click Generate to create a Secret Key for webhook authentication.
KDT Command
You can also trigger Veracode scans from your CI/CD pipeline using KDT:
```
kdt scan -p <project_name> -t veracode -b <branch_name>
```
Click Save to create the scan configuration.
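The following is an added example of wrapping the KDT command above in a CI/CD pipeline step; it is not part of the Invicti AppSec or Kondukto documentation. It assumes that KDT reads the Invicti AppSec host and API token from the environment variables KONDUKTO_HOST and KONDUKTO_TOKEN (an assumption, check your KDT version), and that the CI system exposes the current branch as GITHUB_REF_NAME or CI_COMMIT_REF_NAME. The wrapper fails fast when the token is missing, never echoes its value, and validates the project and branch names before they are placed on the command line.

```shell
#!/bin/sh
# Added example, not project code. Assumptions: KDT authenticates with the
# KONDUKTO_HOST / KONDUKTO_TOKEN environment variables; the CI runner sets
# GITHUB_REF_NAME (GitHub Actions) or CI_COMMIT_REF_NAME (GitLab CI).

# Resolve the branch to scan: explicit argument first, then CI-provided variables.
resolve_branch() {
    if [ -n "$1" ]; then printf '%s\n' "$1"; return 0; fi
    if [ -n "$GITHUB_REF_NAME" ]; then printf '%s\n' "$GITHUB_REF_NAME"; return 0; fi
    if [ -n "$CI_COMMIT_REF_NAME" ]; then printf '%s\n' "$CI_COMMIT_REF_NAME"; return 0; fi
    return 1
}

# Reject names that are empty, look like flags, or contain characters outside
# the set typically used in project and branch names (no shell metacharacters).
valid_name() {
    case "$1" in
        ''|-*) return 1 ;;
        *[!A-Za-z0-9._/-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the kdt command line. It is printed rather than executed so that it can
# be reviewed in the job log and checked in tests.
build_kdt_cmd() {
    project="$1"; branch="$2"
    valid_name "$project" || { echo "invalid project name" >&2; return 1; }
    valid_name "$branch"  || { echo "invalid branch name" >&2; return 1; }
    printf 'kdt scan -p %s -t veracode -b %s\n' "$project" "$branch"
}

# Fail fast if the KDT credentials are absent. Only the variable name is
# reported, never its value, so the token cannot leak into the job log.
check_env() {
    for v in KONDUKTO_HOST KONDUKTO_TOKEN; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "missing environment variable: $v" >&2; return 1; }
    done
}

# Pipeline entry point: run_scan <project_name> [branch]
run_scan() {
    check_env || return 1
    branch=$(resolve_branch "$2") || { echo "cannot determine branch to scan" >&2; return 1; }
    cmd=$(build_kdt_cmd "$1" "$branch") || return 1
    echo "running: $cmd"
    $cmd   # word-splitting is intended; both names were validated above
}

# Example pipeline usage (the project name is a constructed placeholder):
#   run_scan my-project "$GITHUB_REF_NAME"
```

Keep KONDUKTO_TOKEN in the CI system's masked secret store rather than in the pipeline file, and treat a failure of check_env as a configuration error to fix before the job is rerun.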
Troubleshooting
Connection Fails
- Invalid Credentials: Verify that both the API ID and Secret Key are correct and have not been regenerated.
- Wrong Region: Ensure you selected the correct region (US or European) matching your Veracode account.
- Expired Credentials: Veracode API credentials may expire. Regenerate them from the Veracode platform if needed.
- Network/Firewall: Ensure the Invicti AppSec instance can reach the Veracode API endpoints (analysiscenter.veracode.com for US or analysiscenter.veracode.eu for EU).
Scan Issues
- No Applications Found: Verify the API credentials have the Results API role assigned.
- Scan Not Appearing: Veracode scans may take time to complete. Ensure the scan has finished on the Veracode side before importing.
- Missing Findings: Check that the scan policy in Veracode includes the desired flaw categories.
Best Practices
- Use API Service Accounts: Create dedicated API credentials for the Invicti AppSec integration instead of using personal credentials.
- Rotate Credentials Regularly: Regenerate API ID and Secret Key periodically as part of your security hygiene.
- Select Correct Region: Double-check your region selection; using the wrong region will result in authentication failures.
- Assign Minimal Permissions: Grant only the necessary API roles (e.g., Results API) to the service account.
Limitations
- API Rate Limits: Veracode enforces API rate limits. High-frequency scanning may be throttled.
- Scan Binding: Each Invicti AppSec scan configuration is bound to a specific Veracode application and sandbox.
- Region Lock: Credentials are region-specific; US credentials do not work with EU endpoints and vice versa.
Need help?
The Invicti Support team is ready to provide you with technical help. Go to the Help Center.