Veracode Static Analysis (SAST) Connector
The Veracode SAST Connector bridges a critical gap between code analysis and enterprise risk management by integrating static application security testing findings into Qualys Enterprise TruRisk Management. It addresses the challenge of fragmented security visibility by consolidating code repository assets and their associated vulnerabilities into a unified inventory framework, giving centralized visibility of those assets.
For security teams, this means eliminating manual data aggregation across tools and enabling risk prioritization based on a complete view of application vulnerabilities. The automatic synchronization of vulnerability data enables continuous monitoring and faster remediation workflows without requiring delta support or maintaining multiple disconnected security platforms.
Connector Details
The following table provides a high-level overview of the Veracode Static Analysis (SAST) Connector.
| Vendor | Veracode |
| Product Name | Veracode SAST |
| Category | Application Security |
| Findings Supported | Yes |
| Assets Supported | Code Repository |
| Version | 1.0.0 |
| Integration Type | API Integration (REST) |
| Direction | Unidirectional (Veracode to Qualys) |
| Delta Support | Not Supported |
Configure the Connector
The connector setup wizard consists of three steps. A successful Test Connection is required before you can advance.

Before You Begin - Authentication
Complete the following prerequisites before configuring the connector in Qualys ETM.
- Ensure you have access to the Veracode Platform with permissions to generate API credentials.
- Generate API credentials in Veracode (see Generating API Credentials in Veracode below).
- Contact your Technical Account Manager (TAM) or Qualys Support to activate the connector for your subscription.
- Confirm network connectivity: the Qualys cloud must be able to reach api.veracode.com over HTTPS (port 443).
Generating API Credentials in Veracode
You must generate API credentials from the Veracode Platform before configuring the connector. If you use SAML-based single sign-on, you can use these API credentials instead of a separate service account.
Note: It is recommended to generate credentials under a dedicated Veracode service user account rather than a personal account. This ensures credentials remain valid if the generating user's account changes.
- Sign in to the Veracode Platform at https://analysiscenter.veracode.com.
- Click your account dropdown in the upper-right corner and select API Credentials.
- Click Generate API Credentials.
- Copy both the API ID and the Secret Key to a secure location immediately.
Important: The Secret Key (API Key) is displayed only at the time of generation. It cannot be retrieved again after you navigate away. Store it securely before proceeding.
For additional guidance, see the Veracode API Credentials Documentation.
Permissions Required
The Veracode account used to generate the API credentials must have the following minimum permission. The API credentials inherit the permissions of the user account that generated them.
| Entity Type | Required Permission |
|---|---|
| VulnerabilityFindings | read:vulnerabilities |
Scope and Data Access
The connector retrieves findings from the following Veracode API endpoints:
| Function | Endpoint |
|---|---|
| Get Applications | https://api.veracode.com/appsec/v1/applications |
| Get Application Findings | https://api.veracode.com/appsec/v2/applications/${app_guid}/findings |
| Get Findings Report | https://api.veracode.com/appsec/v1/analytics/report |
Only findings from the past six months are available due to Veracode API limitations. The default asset type ingested is CODE_REPO.
Key Rotation
When rotating API credentials, generate a new set from the Veracode Platform via your account dropdown > API Credentials. Then update the API ID and API Key in Qualys ETM using the Edit Connector option. Regenerating credentials automatically revokes the previous set; update ETM promptly to avoid connector failures.
Create a Profile & Connection
Configure the connector's identity and authenticate with the Veracode source system.
- Log in to Qualys ETM.
- Navigate to Connectors > Integration.
- Locate the Veracode Static Analysis (SAST) Connector and click Manage.
Note: If the connector does not appear in the list, activation has not been completed for your account. Contact your TAM or Qualys Support.
- Click Proceed to Setup, then click Create New Connection (or select an existing connection to edit).
Connector Details
Complete the following fields in the Connector Details section:
| Name | A unique display name for this connector instance. Example: Veracode Static Analysis (SAST)260506101618518 |
| Description | Optional. A brief description of the connector's purpose (up to 164 characters). |
Authentication Details
Under Auth Details – Enter User Token, provide the following fields:
| Field | Type | Description |
|---|---|---|
| API ID | String | The API ID associated with your Veracode user profile, generated from the Veracode Platform. Example: edae2b9b3ef059b0ec3f4e8ad1dd9164 |
| API KEY | Encrypted String | The Secret Key (API Key) associated with your Veracode user profile. This value is masked after entry and must be re-entered if the connector is edited. |

After entering both credentials, click Test Connection. The connector runs the following checks:
- Network Reachability — Verifies that the connector endpoint is reachable over HTTPS (port 443).
- TLS Handshake — Confirms that a secure TLS connection can be established with the remote endpoint.
- Authentication Credential Check — Validates the configured credentials against the source system's authentication endpoint.
- Authorization Scope Check — Confirms that the provided credentials have the required permissions to access the configured data scope.
- Data Fetch — Verifies that data can be successfully retrieved from the source system using the configured connection.
All checks must pass before you can proceed to Step 2. If the Authentication Credential Check fails, verify that the API ID and API Key entered in Qualys ETM match the current credentials in Veracode. If credentials were recently regenerated, the previous set is automatically revoked – enter the new set and re-test.

Once all checks pass, click Next to proceed to the next step.
Set the Scope & Schedule
Configure the data scope and synchronization schedule for this connector instance.
- Under Data to Sync, review the data types the connector retrieves:
- Assets (Applications) – Code repository application records from Veracode.
- Vulnerabilities – SAST findings associated with each application.
- Set the Schedule for connector execution:
- Single occurrence (run once at a specified date and time), or
- Recurring execution – specify start date, end date, and recurrence interval.
- Click Next to review your changes.
- Click Create to set up your connector.
Note: The asset type is fixed as CODE_REPO. This default cannot be changed during connector configuration.
Advanced Settings
Advanced Settings are accessible from the connector's edit view after the connector has been created. Changes to Advanced Settings take effect on the next scheduled execution.
Note: Remember to click Save after making any changes in the Advanced Settings tabs.
Filters Tab
The Veracode SAST Connector does not currently support filter queries. The Filters field is present in the connector configuration interface, but custom filtering is not supported during connector configuration. All available findings within the past six months are retrieved on each execution.
Transform Map Tab
The connector uses a default transformation map (Veracode SAST – Default) stored in the system database. This map controls how Veracode source fields are translated to the Qualys ETM schema during each execution.
Veracode Transformation Map
The Veracode SAST Connector uses a default transformation map stored in the database to map source fields to the schema during execution.
| Source Field | Target Field |
|---|---|
| guid | externalAssetId |
| app_name | assetDetail.name |
| finding_id | externalFindingId |
| flaw_name | findings[].name |
| cweId | findings[].finding_details.cwe.id |
| severity | findingGroup.findings[].severity |
| status | findingGroup.findings[].findingStatus |
| found_date | findingGroup.findings[].firstFoundOn |
| last_found_date | findingGroup.findings[].lastFoundOn |
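How the default map above could be applied to one flattened source row, as an added example that is not Qualys or Veracode code. It assumes that dotted targets nest objects and that `[]` addresses a single list element, uses a constructed sample row, and reports missing source fields so that a gap such as an absent cweId is visible rather than silently dropped.

```python
# Added example, not Qualys or Veracode code. Path semantics are assumed:
# "." nests an object and "key[]" addresses the single element of a list.
TRANSFORM_MAP = {
    "guid": "externalAssetId",
    "app_name": "assetDetail.name",
    "finding_id": "externalFindingId",
    "flaw_name": "findings[].name",
    "cweId": "findings[].finding_details.cwe.id",
    "severity": "findingGroup.findings[].severity",
    "status": "findingGroup.findings[].findingStatus",
    "found_date": "findingGroup.findings[].firstFoundOn",
    "last_found_date": "findingGroup.findings[].lastFoundOn",
}

def set_path(doc, path, value):
    """Write value into doc at a dotted target path from the map."""
    parts = path.split(".")
    node = doc
    for i, part in enumerate(parts):
        if part.endswith("[]"):
            # Reuse the list element if an earlier field already created it.
            node = node.setdefault(part[:-2], [{}])[0]
        elif i == len(parts) - 1:
            node[part] = value
        else:
            node = node.setdefault(part, {})
    return doc

def transform(row):
    """Return (etm_doc, missing_source_fields) for one flattened source row."""
    doc, missing = {}, []
    for src, target in TRANSFORM_MAP.items():
        if row.get(src) in (None, ""):
            missing.append(src)  # surfaced to the caller, not silently dropped
            continue
        set_path(doc, target, row[src])
    return doc, missing

# Constructed sample row (illustrative values, not real Veracode output).
SAMPLE_ROW = {
    "guid": "00000000-0000-0000-0000-000000000001", "app_name": "payments-service",
    "finding_id": 17, "flaw_name": "SQL Injection", "cweId": 89,
    "severity": 4, "status": "OPEN",
    "found_date": "2025-01-10T09:00:00Z", "last_found_date": "2025-03-02T09:00:00Z",
}

if __name__ == "__main__":
    print(transform(SAMPLE_ROW))
```
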
How the Connection Works
The Veracode SAST Connector ingests code repository security findings from Veracode Static Analysis scans into Qualys ETM for unified risk analysis and prioritization. Each run retrieves code repository assets (Applications) and associated SAST vulnerability findings from Veracode. Findings include finding ID, flaw name, CWE IDs, severity, status, found date, and last found date.
The connector retrieves findings from the past six months only, due to Veracode API limitations. The default asset type is CODE_REPO. Custom filtering is not supported during connector configuration.
On each scheduled execution (or on-demand trigger), the connector fetches Veracode SAST findings and imports them into Qualys ETM. The Veracode SAST Connector performs a full pull on every execution – delta (incremental) sync is not supported. Qualys ETM processes the ingested data by de-duplicating redundant entries, normalizing data formats, enriching findings with additional context, and calculating TruRisk scores.
Connector States
A successfully configured connector transitions through the following states:
- Registered – The connector is successfully created and registered to fetch data from Veracode.
- Scheduled – The connector is queued and scheduled for its next execution run.
- Processing – An active connection has been established and the connector is fetching asset and findings data from Veracode.
- Processed – The connector has successfully fetched assets. Findings import may still be in progress. Allow additional time for all findings to be fully imported into ETM.
Note: The initial synchronization process – including both asset and findings import – may take up to 2 hours to complete after the connector first reaches the Processed state. The Processed state confirms assets have been fetched, but findings may continue importing in the background.
Viewing Assets and Findings in ETM
Once the connector has completed processing, imported data is available in Qualys ETM.
Assets
Navigate to Enterprise TruRisk Management > Inventory > Assets > Application > Other Applications to view imported Veracode code repository assets. Use the following inventory filter to scope the view:
inventory:(source:"Veracode")

Findings
Navigate to Risk Management > Findings > Vulnerability to view imported SAST findings. Use the following filter to scope results to Veracode:
findings.vendorProductname:"Veracode Static Analysis"

Troubleshooting
Use the following table to diagnose and resolve common issues with the Veracode SAST Connector.
| Authentication failure on connector run | Verify that the API ID and API Key entered in Qualys ETM match the current credentials in Veracode. If credentials were recently regenerated, the previous set is automatically revoked. Confirm the Veracode account has the read:vulnerabilities permission on the VulnerabilityFindings entity type. Update the credentials in ETM via Edit Connector and re-run Test Connection. |
| No findings imported after first run | The connector transitions through Registered, Scheduled, Processing, and Processed states. The entire process may take up to 2 hours for completion. The Processed state indicates assets have been fetched, but findings import may still be in progress. Wait and check again after 2 hours. |
| Only recent findings appear | The Veracode API limits data retrieval to the past six months. Findings older than six months will not be imported by this connector. This is a Veracode platform restriction and cannot be overridden by connector configuration. |
| Connector not available in the integrations list | The connector requires activation on your Qualys account. Contact your Technical Account Manager (TAM) or Qualys Support to activate it for your subscription. |
Additional Information
API Reference
The following Veracode REST API endpoints are called during each connector execution:
| Function | Endpoint | Notes |
|---|---|---|
| Get Applications | https://api.veracode.com/appsec/v1/applications | Returns all applications accessible to the authenticated user. |
| Get Application Findings | https://api.veracode.com/appsec/v1/analytics/report | Returns SCA findings for the specified application. Example GUID: |
For full API documentation, see the Veracode REST API Reference.