Veracode DAST V2 Connector

The Veracode connector bridges application security and risk management by automatically ingesting DAST findings from Veracode into Qualys ETM for centralized analysis. This integration eliminates manual data transfer between platforms, enabling security teams to consolidate application vulnerabilities alongside other risk data for unified prioritization and remediation tracking.

By normalizing Veracode issues through TruRisk-based scoring, the connector helps practitioners quickly identify which application flaws pose the greatest risk to their environment. This automation reduces operational overhead while improving visibility into application security posture across the enterprise.

Connector Details

High-level metadata for the Veracode DAST V2 connector.

Vendor Veracode
Product Name Veracode DAST
Category Application Security
Findings Support Supported
Supported Assets Web Applications
Version 1.0.0
Integration Type API Integration (REST)
Direction Unidirectional
Delta Support Not Supported
Supported Version & Type SaaS (Latest)
Import of Installed Software Not Supported
Import of Source Tags Not Supported
Filters/Filter Query Not Supported

Configure the Connector

The connector is configured through a 3-step wizard in Qualys ETM. A valid connection test is required before proceeding.

Before You Begin - AuthenticationBefore You Begin - Authentication

Complete the following prerequisites before configuring the connector in Qualys ETM.

  • Ensure you have access to the Veracode Platform with permissions to generate API credentials.
  • Confirm that Qualys cloud can reach api.veracode.com over HTTPS (port 443).
  • Note that only vulnerability and asset data from the last 6 months is imported due to Veracode API limitations.

Generating API Credentials in Veracode

  1. Sign in to the Veracode Platform.
  2. From the user account dropdown at the top right, select API Credentials.
  3. Click Generate API Credentials.
  4. Copy both the ID and secret key to a secure location immediately. These credentials are used to authenticate API calls and should be stored safely.

    Important: The secret key is shown only once. If you navigate away without copying it, you must generate a new credential pair, which will revoke the previous set.

  5. If your organization uses SAML-based SSO, you may use these same credentials directly rather than creating a separate service account.
  6. Optionally, you can also generate Veracode API credentials using the Veracode Identity API.

Note: Qualys recommends using a dedicated Veracode service account to generate API credentials for the connector. This ensures the connector is not affected if a user's account is modified or deactivated.

Permissions Required

The Veracode API credentials must have the read:vulnerabilities permission to access vulnerability findings data. The API credentials inherit the permissions of the user account that generated them.

Scope and Data Access

The connector calls two Veracode API endpoints:

  • The applications and findings endpoint (https://api.veracode.com/appsec/v2/applications/${app_guid}/findings) – retrieves per-application vulnerability data.
  • The analytics report endpoint (https://api.veracode.com/appsec/v1/analytics/report) – retrieves findings reports.

Only data from the last 6 months is imported due to Veracode API limitations. The data flow is unidirectional, from Veracode to Qualys ETM. Delta synchronization is not supported; each run performs a full pull.

Key Rotation

When rotating API credentials, generate new credentials in the Veracode Platform under API Credentials. Note that generating new credentials automatically revokes the previous set. Update the API ID and API Key in Qualys ETM via the Edit Connector option immediately after rotation to avoid connector failures.

Create a Profile & ConnectionCreate a Profile & Connection

This step configures the connector's identity and authenticates with the Veracode source system.

  1. Log in to Qualys ETM.
  2. Navigate to Connectors > Integration.
  3. Locate Veracode DAST Connector and click Manage.

    Note: If the connector has already been added, click the connector name to open its configuration instead of clicking Manage.

  4. Click Proceed to Setup on the setup guide, then click Create Veracode DAST V2 Connection.
  5. Complete the Connector Details and Authentication Details fields described in the tables below.
  6. Click Test Connection to validate credentials and network reachability.
  7. After a successful connection test, click Next.

Connector Details

Field Type Description
Name String A unique display name for this connector instance. Example: Veracode DAST V2260506101231531
Description String Optional free-text description of the connector's purpose. Maximum 200 characters.

Authentication Details

Enter the user token credentials generated from the Veracode Platform.

Field Type Description
API ID String The API ID generated from the Veracode Platform user account dropdown under API Credentials. Example: edae2b9b3ef059b0ec3f4e8ad1dd9164
API KEY Encrypted String The API secret key paired with the API ID above. Generated at the same time as the API ID. Stored encrypted in Qualys ETM.

Important: The API Key (secret key) is displayed only once in the Veracode Platform at the time of generation. Ensure you copy and store it securely before closing the credentials dialog. If lost, you must generate a new credential pair, which revokes the existing one.

Test Connection

Click Test Connection after entering credentials. The following checks are performed:

  • Network Reachability — Verifies that the connector endpoint is reachable over HTTPS (port 443).
  • TLS Handshake — Confirms that a secure TLS connection can be established with the remote endpoint.
  • Authentication Credential Check — Validates the configured credentials against the source system's authentication endpoint.
  • Authorization Scope Check — Confirms that the provided credentials have the required permissions to access the configured data scope.
  • Data Fetch — Verifies that data can be successfully retrieved from the source system using the configured connection.

Note: If the connection test fails, verify that Qualys cloud can reach api.veracode.com over HTTPS (port 443) and that the API credentials have not been revoked or regenerated since they were entered.

Set the Scope & ScheduleSet the Scope & Schedule

Configure which data to synchronize and when the connector should run.

  1. Under Data to Sync, the connector ingests Assets (Applications) and Vulnerabilities by default. These options reflect what this connector pulls as shown in the setup guide.
  2. Set the Status to Active or Inactive.
  3. Configure the Schedule as a single occurrence or recurring run.

    Note: Schedule times are in UTC. Only vulnerability and asset data from the last 6 months is imported per Veracode API limitations, regardless of the schedule frequency configured.

  4. Click Next to proceed to the review step.
  5. Review your changes and click Create.

Advanced Settings

Note: Advanced Settings are available after the connector is created. Click Save after making any changes in the Advanced Settings tabs.

Filters Tab

The Filters tab is present in the Advanced Settings for this connector. However, the Veracode DAST V2 connector does not currently support filter queries. All available DAST findings and web application assets from the last 6 months are retrieved on each run.

Transform Map Tab

The Transform Map tab displays the active transformation map applied when ingesting Veracode data into Qualys ETM. The active map for this connector is the Veracode DAST V2 default transformation map, fetched from the database at runtime.

Veracode DAST V2 – Asset Transformation MapVeracode DAST V2 – Asset Transformation Map

Veracode DAST V2 – Vulnerability Findings Transformation MapVeracode DAST V2 – Vulnerability Findings Transformation Map

How the Connection Works

The Veracode DAST V2 connector retrieves Web Application asset records and associated DAST vulnerability findings from Veracode and imports them into Qualys ETM. Only data from the last 6 months is ingested due to Veracode API limitations. Each scheduled or on-demand run performs a complete data pull; incremental (delta) synchronization is not available for this connector.

Connector States

A successfully configured connector progresses through the following states:

  1. Registered – The connector has been successfully created and registered to fetch data from Veracode.
  2. Scheduled – The connector is queued to execute a connection with Veracode according to its configured schedule.
  3. Processing – The connection is executing and the connector is actively fetching asset and findings data.
  4. Processed – The connector has successfully fetched assets. Findings may still be importing in the background; allow additional time before verifying findings in ETM.

Note: The first run after connector creation may take up to 2 hours to complete. The Processed state confirms that asset data has been fetched, but findings ingestion may still be in progress. Wait for findings to appear in ETM before assuming the run is incomplete.

Viewing Assets and Findings in ETM

View Assets

Navigate to Enterprise TruRisk Management > Inventory > Assets. Use the following inventory filter to display Veracode-sourced assets:

inventory:(source:"Veracode")

View Findings

Navigate to Enterprise TruRisk Management > Risk Management > Findings > Vulnerability. Use the following filter to list Veracode DAST findings:

findings.vendorProductname:"Veracode DAST"

Troubleshooting

Issue Resolution
Authentication failure on connector run Verify that the API ID and API Key entered in Qualys ETM match the currently active credentials in Veracode. Generating new API credentials in Veracode automatically revokes the previous set. If credentials were recently regenerated, update the connector configuration with the new values via Edit Connector.
No assets or findings imported after first run The connector transitions through Registered, Scheduled, Processing, and Processed states. The entire process may take up to 2 hours to complete. Verify that Veracode has DAST scan results available within the last 6 months, as older data is not imported due to Veracode API limitations. Confirm the connector has reached the Processed state before investigating further.
Connection test fails Verify Qualys cloud can reach api.veracode.com over HTTPS (port 443). Confirm the API credentials have not been revoked or regenerated since they were entered in the connector configuration.
Assets appear in ETM but findings are missing Findings ingestion continues after the connector reaches the Processed state. Allow additional processing time. Also confirm that the Veracode user account associated with the API credentials has the read:vulnerabilities permission and that scan results exist within the last 6 months.

Additional Information

API Reference

The following Veracode REST API endpoints are called during each connector execution.

Function Endpoint

Notes

Get Applications https://api.veracode.com/appsec/v1/applications

Returns all applications accessible to the authenticated user.

Get Application Findings https://api.veracode.com/appsec/v1/analytics/report

Returns SCA findings for the specified application. Example GUID: f84d8ef9-6695-4342-9321-983e1e048315. Limited to the past six months.

Note: Only vulnerability and asset data from the last 6 months is imported due to Veracode API limitations.