Package: Invicti AppSec Core (on-demand), Invicti AppSec Enterprise (on-premise, on-demand)
Veracode DAST Integration
Veracode Dynamic Analysis (DAST) is a cloud-based web application scanning service that identifies runtime vulnerabilities in web applications and APIs. This integration allows Invicti AppSec to trigger Veracode Dynamic Analysis scans and import results.
Prerequisites
| Field | Description |
|---|---|
| API ID | Veracode API ID from your account credentials |
| API Key | Veracode API Key paired with the API ID |
Get API Credentials (on Veracode Side)
- Log in to the Veracode Platform.
- Click your username in the upper right corner.
- Select API Credentials from the dropdown menu.
- Click Generate API Credentials.
- Copy both the API ID and API Key — the key is shown only once.
Veracode API credentials are generated per user. Use credentials from a service account or integration-specific account.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.

Step 2: Select the DAST/API Tab
On the Integrations > Scanners page, click on the DAST/API tab.

Step 3: Find and Activate Veracode DAST
Scroll through the list of DAST/API scanners to find Veracode DAST.
- If Veracode DAST is not activated, you will see an "Activate" button. Click it to enable the integration.
The scan method badge on the Veracode DAST card shows KDT, which means scans are triggered through the Kondukto CLI tool (KDT).
Step 4: Configure Connection Settings
Click on the gear icon on the Veracode DAST card to open the configuration panel. Fill in the required fields:
- ID: Enter your Veracode API ID.
- Secret Key: Paste your Veracode API secret key.
- Region: Select your Veracode region (Commercial for api.veracode.com, European for api.veracode.eu, or United States Federal for api.veracode.us).

Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms the credentials are valid.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the DAST/API tab |
| 3 | Activate Veracode DAST |
| 4 | Enter API ID and API Key |
| 5 | Test the connection |
Create a Scan
Navigate to Project Scanners
- Open a project in Invicti AppSec.
- Go to Settings > Scanners.
- Click Add Scanner.
Add Veracode DAST Scanner
- Select DAST/API as the scanner type.
- Choose Veracode DAST from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | Select the environment for the scan | No |
| Start Scan | Toggle to create a new Dynamic Analysis (disabled = bind to existing) | No |
| Analysis | Existing Veracode Dynamic Analysis to bind to (if Start Scan is off) | Conditional |
| Branch | Source code branch associated with this scan | No |
| Meta Data | Additional metadata for the scan | No |
| Scan Tag | Tag to identify the scan | No |

Scheduler
Enable the Scheduler toggle to run scans on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive scan completion notifications.
KDT Command
kdt scan -p <project_name> -t veracodedast -b <branch_name>
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid API credentials | Regenerate API credentials from the Veracode Platform and update the integration |
| Account not authorized | Ensure the account has the Dynamic Analysis API role assigned |
| Region mismatch | Confirm you are using credentials from the correct Veracode region (US, EU) |
| Network access | Ensure outbound access to api.veracode.com on port 443 is permitted |
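To tell the "Region mismatch" and "Network access" rows apart, the following preflight (an added example, not part of the Invicti or Veracode tooling) maps a region to the API host listed in Step 4 and classifies the curl exit status of an unauthenticated HTTPS request. The region keywords `commercial`, `european` and `federal` and the function names are assumptions made for this example; run it from the host that has to reach Veracode.

```shell
#!/bin/sh
# Added example: reachability preflight for the Veracode API host of a region.
# No credentials are sent; Test Connection remains the credential check.

# Region hosts are the ones listed under Step 4 of this page.
veracode_api_host() {
    case "$1" in
        commercial) echo "api.veracode.com" ;;
        european)   echo "api.veracode.eu" ;;
        federal)    echo "api.veracode.us" ;;
        *)          return 2 ;;
    esac
}

# Translate a curl exit status into the likely cause.
diagnose_curl_rc() {
    case "$1" in
        0)     echo "reachable" ;;
        5|6)   echo "dns-or-proxy-resolution-failed" ;;
        7)     echo "tcp-443-refused-or-blocked" ;;
        28)    echo "timeout-likely-firewall-drop" ;;
        35|60) echo "tls-failure-check-intercepting-proxy" ;;
        *)     echo "other-curl-error-$1" ;;
    esac
}

# preflight REGION: prints "<host> <diagnosis>", returns 0 only if reachable.
preflight() {
    host=$(veracode_api_host "$1") || {
        echo "unknown region '$1' (use commercial, european or federal)" >&2
        return 2
    }
    rc=0
    # Any HTTP response, even 401 or 404, proves DNS, TCP 443 and TLS work.
    curl --silent --output /dev/null --connect-timeout 5 --max-time 10 \
        "https://${host}/" || rc=$?
    echo "${host} $(diagnose_curl_rc "$rc")"
    [ "$rc" -eq 0 ]
}

# Run only when a region is passed on the command line.
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```

A `reachable` result for the selected region combined with a failing Test Connection points at the credentials or the region they were issued for rather than at the network path.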
Scan Issues
| Issue | Resolution |
|---|---|
| No analyses found | Verify the service account has access to the target analysis in Veracode |
| Scan not starting | Confirm the target URL is reachable from Veracode's scanning infrastructure |
| Empty results | Check that the Dynamic Analysis completed successfully in the Veracode Platform |
| Permission denied | The account requires the Dynamic Analysis API or Creator role |
Best Practices
- Use a dedicated service account with the Dynamic Analysis API role.
- Store API credentials securely; never share them across teams.
- Rotate API credentials annually or upon personnel changes.
- Ensure the target applications are publicly accessible or configure Veracode's internal scanning agent for private applications.
- Define scan schedules that align with your release cycles.
Limitations
- Veracode Dynamic Analysis requires the target application to be accessible from Veracode's cloud scanning infrastructure or via an internal scanning agent.
- API credentials are region-specific; US and EU accounts use different API endpoints.
- Concurrent scan limits are governed by your Veracode subscription tier.
- Some advanced configurations (e.g., crawl scripts, authentication configurations) must be set up directly in the Veracode Platform.