Veracode DAST Integration
Veracode Dynamic Analysis (DAST) is a cloud-based web application scanning service that identifies runtime vulnerabilities in web applications and APIs. This integration allows Invicti ASPM to trigger Veracode Dynamic Analysis scans and import results.
Prerequisites
| Field | Description |
|---|---|
| API ID | Veracode API ID from your account credentials |
| API Key | Veracode API Key paired with the API ID |
How to Get API Credentials (on Veracode Side)
- Log in to the Veracode Platform.
- Click your username in the upper right corner.
- Select API Credentials from the dropdown menu.
- Click Generate API Credentials.
- Copy both the API ID and API Key — the key is shown only once.
Note: Veracode API credentials are generated per user. Use credentials from a service account or integration-specific account.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.
Step 2: Select the DAST/API Tab
On the Integrations > Scanners page, click on the DAST/API tab.
Step 3: Find and Activate Veracode DAST
Scroll through the list of DAST/API scanners to find Veracode DAST.
- If Veracode DAST is not activated, you will see an "Activate" button. Click it to enable the integration.
Note: The scan method badge on the Veracode DAST card shows KDT, which means scans are triggered through the Kondukto CLI tool (KDT).
Step 4: Configure Connection Settings
Click on the gear icon on the Veracode DAST card to open the configuration panel. Fill in the required fields:
- ID: Enter your Veracode API ID.
- Secret Key: Paste your Veracode API secret key.
- Region: Select your Veracode region (Commercial for api.veracode.com, European for api.veracode.eu, or United States Federal for api.veracode.us).
Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms the credentials are valid.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the DAST/API tab |
| 3 | Activate Veracode DAST |
| 4 | Enter API ID and API Key |
| 5 | Test the connection |
How to Create a Scan
Navigate to Project Scanners
- Open a project in Invicti ASPM.
- Go to Settings > Scanners.
- Click Add Scanner.
Add Veracode DAST Scanner
- Select DAST/API as the scanner type.
- Choose Veracode DAST from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | Select the environment for the scan | No |
| Start Scan | Toggle to create a new Dynamic Analysis (disabled = bind to existing) | No |
| Analysis | Existing Veracode Dynamic Analysis to bind to (if Start Scan is off) | Conditional |
| Branch | Source code branch associated with this scan | No |
| Meta Data | Additional metadata for the scan | No |
| Scan Tag | Tag to identify the scan | No |
Scheduler
Enable the Scheduler toggle to run scans on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive scan completion notifications.
KDT Command
kdt scan -p <project_name> -t veracodedast -b <branch_name>
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid API credentials | Regenerate API credentials from the Veracode Platform and update the integration |
| Account not authorized | Ensure the account has the Dynamic Analysis API role assigned |
| Region mismatch | Confirm you are using credentials from the correct Veracode region (US, EU) |
| Network access | Ensure outbound access to api.veracode.com on port 443 is permitted |
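The "Region mismatch" and "Network access" rows above are hard to tell apart from a generic "Connection failed" message. The following Python helper, added here as an example and not part of the Invicti ASPM or Kondukto documentation, maps a region name to the API host named in the configuration step and then attempts a verified TLS handshake on port 443, classifying the outcome so you can see whether the endpoint name is wrong, egress is filtered, or TLS is being intercepted. The function names and the failure categories are this example's own.

```python
"""Connectivity check for the Veracode API endpoints used by the DAST integration.

Added example (not from the Invicti ASPM / Kondukto docs). The region-to-host mapping
is the one given in the configuration step of the guide; everything else is assumed.
"""
import socket
import ssl

# Region names and API hosts exactly as listed in the "Region" configuration field.
VERACODE_API_HOSTS = {
    "Commercial": "api.veracode.com",
    "European": "api.veracode.eu",
    "United States Federal": "api.veracode.us",
}

HTTPS_PORT = 443  # the troubleshooting table requires outbound access on this port


def api_host_for_region(region: str) -> str:
    """Return the API host for a region name.

    An unknown region raises ValueError: a mistyped region is the first thing to
    rule out before treating a failure as a network problem.
    """
    try:
        return VERACODE_API_HOSTS[region]
    except KeyError:
        raise ValueError(
            f"unknown Veracode region {region!r}; expected one of {sorted(VERACODE_API_HOSTS)}"
        ) from None


def classify_connectivity(host: str, port: int = HTTPS_PORT, timeout: float = 5.0) -> str:
    """Attempt a certificate-verified TLS handshake to host:port and classify the result.

    Returns one of (categories defined by this example):
      'ok'          TCP connect and TLS handshake with hostname verification succeeded
      'dns-failure' the host name did not resolve (wrong endpoint, or DNS egress blocked)
      'tcp-blocked' resolved, but the connection was refused or timed out (egress filtering)
      'tls-failure' connected, but the handshake failed (intercepting proxy, wrong CA bundle)
    """
    try:
        addrinfo = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"
    if not addrinfo:
        return "dns-failure"

    # Default context verifies the server certificate chain and the hostname.
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw_sock:
            with context.wrap_socket(raw_sock, server_hostname=host):
                return "ok"
    except ssl.SSLError:
        # ssl.SSLError is a subclass of OSError, so it must be caught first.
        return "tls-failure"
    except OSError:
        # ConnectionRefusedError, timeouts and 'network unreachable' all land here.
        return "tcp-blocked"


def check_region(region: str) -> dict:
    """Resolve the region to its API host and report the connectivity class."""
    host = api_host_for_region(region)
    return {"region": region, "host": host, "status": classify_connectivity(host)}


if __name__ == "__main__":
    for name in VERACODE_API_HOSTS:
        print(check_region(name))
```

Run it from the host that executes the KDT scans: a `dns-failure` for the region you configured usually means the wrong region was selected or DNS egress is blocked, `tcp-blocked` points at a firewall rule for port 443, and `tls-failure` indicates an intercepting proxy whose CA is not trusted by the client.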
Scan Issues
| Issue | Resolution |
|---|---|
| No analyses found | Verify the service account has access to the target analysis in Veracode |
| Scan not starting | Confirm the target URL is reachable from Veracode's scanning infrastructure |
| Empty results | Check that the Dynamic Analysis completed successfully in the Veracode Platform |
| Permission denied | The account requires the Dynamic Analysis API or Creator role |
Best Practices
- Use a dedicated service account with the Dynamic Analysis API role.
- Store API credentials securely; never share them across teams.
- Rotate API credentials annually or upon personnel changes.
- Ensure the target applications are publicly accessible or configure Veracode's internal scanning agent for private applications.
- Define scan schedules that align with your release cycles.
Limitations
- Veracode Dynamic Analysis requires the target application to be accessible from Veracode's cloud scanning infrastructure or via an internal scanning agent.
- API credentials are region-specific; US and EU accounts use different API endpoints.
- Concurrent scan limits are governed by your Veracode subscription tier.
- Some advanced configurations (e.g., crawl scripts, authentication configurations) must be set up directly in the Veracode Platform.
