Veracode Static Analysis (SAST)
The Veracode SAST Connector bridges a critical gap between code analysis and enterprise risk management by integrating static application security testing findings into Qualys Enterprise TruRisk Management. It addresses the challenge of fragmented security visibility by consolidating code repository assets and their associated vulnerabilities within a unified inventory framework, giving centralized visibility of those assets.
For security teams, this means eliminating manual data aggregation across tools and enabling risk prioritization based on a complete view of application vulnerabilities. The automatic synchronization of vulnerability data enables continuous monitoring and faster remediation workflows without requiring delta support or maintaining multiple disconnected security platforms.
Connector Details
The following table provides a high-level overview of the Veracode SAST Connector.
| Attribute | Details |
|---|---|
| Vendor | Veracode |
| Product Name | Veracode SAST |
| Category | Assets |
| Findings Supported | Code Repository Vulnerabilities |
| Assets Supported | Code Repository |
| Version | 1.0.0 |
| Integration Type | API Integration (REST) |
| Direction | Unidirectional (Veracode to Qualys) |
| Delta Support | Not Supported |
Due to Veracode API limitations, the connector imports vulnerability data for the last six months only.
Connection Settings
User Roles and Permissions
You must generate API credentials before you can use the APIs and some integrations.
If you use single sign-on with SAML, you can use the ID and key credentials instead of having to use a separate Veracode Platform API service account to access the APIs.
You can also generate Veracode API credentials with the Identity API.
To complete this task:
- Sign in to the Veracode Platform.
- From the user account dropdown, select API Credentials.
- Select Generate API Credentials.
- Copy the ID and secret key to a secure place.
Reference: Veracode API Credentials Documentation
Authentication Details
Provide the following credentials on the connector configuration screen:
| Name | Key | Type | Description |
|---|---|---|---|
| API ID | api_id | String | API ID associated with the Veracode user profile |
| API Key | api_key | Encrypted String | API Key associated with the Veracode user profile |
Required Permissions
| Entity Type | Permissions |
|---|---|
| Vulnerability Findings | read: vulnerabilities |
Connector Configuration
Basic Details
- Log in to Qualys ETM.
- Navigate to Connectors > Integration.
- Locate the Veracode SAST Connector and click Manage.
- Provide a Connector Name and Description.
- Enter the API ID and API Key.

Profile Configuration
Profiles control when and how the connector executes.
- Provide a Profile Name and Description.
- Set the Status to Active or Inactive.
- Configure a Schedule:
  - Single occurrence, or
  - Recurring execution with start and end date/time
- The asset type is set to CODE_REPO by default.

Review and Confirm
Review the configuration details and click Create to activate the connector.
How Does the Connection Work?
On schedule (or on-demand), the connector fetches Veracode SAST findings and imports them into ETM. Profiles define what is synchronized and when. The Veracode SAST Connector performs a full pull on each execution.
In the Connector screen, you can find your newly configured connector listed and marked in the Processed state.
Connector States
A successfully configured connector goes through 4 states.
- Registered - The connector is successfully created and registered to fetch data from the vendor.
- Scheduled - The connector is scheduled to execute a connection with the vendor.
- Processing - A connection is executed and the connector is fetching the asset and findings data.
- Processed - The connector has successfully fetched the assets; it may still be fetching the findings. Allow more time for the connector to finish fetching the findings.
The Processed state indicates that the connector is successfully configured but is still importing all your assets and findings. This process (specifically for findings) may take some time.
This entire process may take up to 2 hours for completion. Once it is done, you can find the imported data in Enterprise TruRisk Management (ETM).
Viewing Assets and Findings in ETM
Assets
Navigate to Enterprise TruRisk Management > Inventory > Assets > Application > Other Applications to view imported Veracode code repositories.

Findings
Navigate to Risk Management > Findings > Vulnerability.
Use the following filter: finding.vendorProductName:"Veracode"

API Endpoints
Here are the APIs executed for the Veracode SAST connection.
| Function | Endpoint |
|---|---|
| Get Applications | https://api.veracode.com/appsec/v2/applications/${app_guid}/findings |
| Get Findings Report | https://api.veracode.com/appsec/v1/analytics/report |
Transformation Map
The Veracode SAST Connector uses a default transformation map stored in the database to map source fields to the schema during execution.
| Source Field | Target Field |
|---|---|
| guid | externalAssetId |
| app_name | assetDetail.name |
| finding_id | externalFindingId |
| flaw_name | findings[].name |
| cweId | findings[].finding_details.cwe.id |
| severity | findingGroup.findings[].severity |
| status | findingGroup.findings[].findingStatus |
| found_date | findingGroup.findings[].firstFoundOn |
| last_found_date | findingGroup.findings[].lastFoundOn |
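To make the mapping concrete, the following added example (not Qualys or Veracode code) applies the table above to one constructed source row and reports which source fields the map ignores and which mapped fields the row lacks. It assumes a flat source row and treats each `[]` segment as the single list element for that row's finding; `SAMPLE_ROW`, `set_path` and `transform` are hypothetical names.

```python
# Source -> target pairs copied from the transformation map table.
TRANSFORMATION_MAP = {
    "guid": "externalAssetId",
    "app_name": "assetDetail.name",
    "finding_id": "externalFindingId",
    "flaw_name": "findings[].name",
    "cweId": "findings[].finding_details.cwe.id",
    "severity": "findingGroup.findings[].severity",
    "status": "findingGroup.findings[].findingStatus",
    "found_date": "findingGroup.findings[].firstFoundOn",
    "last_found_date": "findingGroup.findings[].lastFoundOn",
}

# Constructed sample row (not real Veracode output). It omits last_found_date
# and carries one field the map does not know about.
SAMPLE_ROW = {
    "guid": "00000000-0000-0000-0000-000000000001",
    "app_name": "example-app",
    "finding_id": 101,
    "flaw_name": "SQL Injection",
    "cweId": 89,
    "severity": 4,
    "status": "OPEN",
    "found_date": "2025-01-15",
    "internal_note": "not in the map",
}

def set_path(record, path, value):
    """Write value at a dotted path. Assumption: 'key[]' means the single
    list element that holds this row's finding."""
    node = record
    parts = path.split(".")
    for part in parts[:-1]:
        if part.endswith("[]"):
            node = node.setdefault(part[:-2], [{}])[0]
        else:
            node = node.setdefault(part, {})
    node[parts[-1]] = value

def transform(row, mapping=TRANSFORMATION_MAP):
    """Return (record, unmapped, missing) so dropped or absent fields are visible."""
    record = {}
    for source, target in mapping.items():
        if source in row:
            set_path(record, target, row[source])
    unmapped = sorted(k for k in row if k not in mapping)
    missing = sorted(k for k in mapping if k not in row)
    return record, unmapped, missing

if __name__ == "__main__":
    print(transform(SAMPLE_ROW))
```

Because the table uses both `findings[]` and `findingGroup.findings[]` as prefixes, the name and CWE land in a different list from severity, status and dates; the example keeps them separate exactly as the table states.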