Cycode Connector

Am I reading the correct user guide?

Some connectors on the Vulcan help center offer multiple user guides tailored to different setups and versions.

To open the correct user guide for your setup and version, go to the connector's setup page and click How to connect.


Connector details

About Cycode

Cycode delivers a complete Application Security Posture Management (ASPM) platform that can replace or integrate with existing testing tools. It provides visibility, prioritization, and remediation of vulnerabilities at scale.

Support scope

Supported products: SAST, SCA, Secrets

Category: Application Security - SCA + SAST

Ingestion type: Assets and vulnerabilities

Ingested asset type(s): Cycode’s repositories are mapped into Vulcan’s Code Projects and their detected SAST, SCA, and Secrets violations.

Integration type: Unidirectional (data is transferred from the Connector to the Vulcan Platform in one direction)

Supported version and type: SaaS (latest)

Connector Setup

Prerequisites and user permissions

Before you begin configuring the Connector, make sure you have the following:

  • API user (member) with Viewer permission.

  • API Client ID and Secret ID

Creating a user with the appropriate permissions

To create a user with the necessary permissions, follow these steps:

  1. Go to the Cycode platform > Settings > Members.

  2. Click Invite Members.

  3. Set the user details with a Viewer role/permission.

  4. Send the invitation to create the user.

Generating client ID and secret

To generate the client ID and client secret, follow these steps:

  1. Go to the Cycode platform.

  2. Click on the generated user icon and select Personal Access Token.

  3. Click New Access Token.

  4. Provide a name for the access token and click Create.

  5. Copy the client ID and client secret to use later in the connector's configuration.

Configuring the Cycode connector

  1. Log in to the Vulcan ExposureOS platform and go to Connectors > Add a Connector.

  2. Click on the Cycode icon.

  3. Set up the Connector as follows:

    1. If a gateway is required, refer to the Vulcan Gateway guide to configure the gateway before proceeding. If not, continue following the steps in this guide.

    2. Enter the Client ID and Secret you generated earlier.

  4. Data pulling configuration:

    This configuration has dynamic settings tailored to the specific connector and integration type. Below are the configurations relevant to this connector.

    • Check the data you want to ingest into the Vulcan ExposureOS platform (Secrets, SAST, and SCA)

    • Asset Retention: Configure the retention period for inactive assets based on their last seen date. If an asset has not been detected or updated in a scan within the specified days, it will be automatically removed from the Vulcan ExposureOS platform. This ensures your asset inventory stays current and relevant.

    • Select the asset statuses the Vulcan ExposureOS platform should archive when detected during synchronization with Cycode.

  5. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Cycode instance.

    Notes:

    • A successful connectivity test confirms that the platform can connect to the Cycode instance. However, it does not guarantee that the synchronization process will succeed, as additional syncing or processing issues may arise.

    • If the connectivity test fails, an error message with details about the issue will appear. Click the arrow next to the error message for more information about the exact error.

  6. Connector scheduling: Set the connector's sync time and days. By default, all days are selected.

  7. Click Create to start syncing the new connector, or Save Changes if editing an existing connector.

  8. Allow some time for the sync to complete. Then, you can review the sync status on the Connectors main page or under Connector sync logs on the connector's specific setup page.

  9. To confirm the sync is complete, navigate to the Connectors page. The sync is complete once the Cycode icon shows Connected.


Cycode in the Vulcan platform

Viewing findings

To view findings (instances) ingested by the Cycode connector:

  1. Go to the Findings page.

  2. Click on Filter and set the condition to Vulnerability > Source > is > Cycode.

Viewing vulnerabilities

To view vulnerabilities ingested by the Cycode connector:

  1. Go to the Vulnerabilities page.

  2. Click on Filter and set the condition to Vulnerability > Source > is > Cycode.

Viewing assets

To view assets ingested by the Cycode connector:

  1. Go to the Assets page.

  2. Click on Filter and set the condition to Asset > Source > is > Cycode.

Taking action on vulnerabilities and assets

To take remediation action on vulnerabilities and assets ingested by Cycode:

  1. Go to the Vulnerabilities or Assets Page.

  2. Use the Filter to view the assets/vulnerabilities by source. You can always filter by Business Group and add more filters to narrow your search.

  3. Select the relevant vulnerabilities/assets from the results list.

  4. Click on Take Action to proceed with remediation or further actions.

Automating remediation actions on vulnerabilities

Use Vulcan Playbooks to create automation and remediate vulnerabilities at scale.


Data Mapping

The Vulcan Platform integrates with Cycode through an API that pulls relevant vulnerability and asset data from the vendor platform and maps it to the pages and fields of the Vulcan ExposureOS platform.

Code Project data mapping

Asset data

| Cycode API field | Cycode UI field | Vulcan field |
| --- | --- | --- |
| scm_repository_id | - | Asset Uniqueness criteria |
| scm_repository_name | Repository name | Code Project Name (name) |
| scm_repository_language | primary language | Code Project Language (language) |
| scm_repository_scm_created | first seen | Code Project First Seen (first_seen) |
| scm_repository_scm_modified | last scan | Code Project Last report (last_seen) |
| Source - Repo-Org scm_organization_scm_provider; Organization - Repo-Org scm_organization_name; Code Repo Owners - Repo-User scm_member_name; Technologies - Repo-Tech sdlc_tool_name; Visibility - scm_repository_is_private; URL link - scm_repository_url | Location (Source, Organization); Code Repo Owners; Technologies; Visibility; URL link | Code Project details (added_data) |
| Labels - Repo-Label label_label_name | Labels | Code Project Tags - Vendor’s tags (tags) |
| Repo-User scm_member_name; Organization - Repo scm_organization_name | repo owners; repo organization | Code Project Tags - Additional (tags) |
| detection_details.branch_name + detection_detection_details.file_name | file name (In this case, Secrets are also SAST) | Asset codebase - Source (SAST) (sast_file_name) |
| detection_detection_details.line | file location (In this case, Secrets are also SAST) | Asset codebase - Location (SAST) (sast_file_location) |
| detection_detection_details.package_name | Package name | Asset libraries - Name (SCA) (component_name) |
| detection_detection_details.package_version | Package version | Asset libraries - Version (SCA) (component_version) |

Unique vulnerability data

Cycode API field

Cycode UI field

Vulcan field

SCA: detection_detection_details.vulnerability_id

SAST + Secrets:

detection_source_policy_name

-

Unique Vulnerability uniqueness criteria

SCA: detection_detection_details.vulnerability_id

SAST + Secrets:

detection_source_policy_name

SCA - CVE ID

SAST - Policy name

Secret:
secret title

Vulnerability title (title)

detection_severity

Info, Low, Medium, High, Critical

Max risk score

Vulnerability score (cvss_score)

detection_category

Category

Vulnerability details(added_data)

detection_detection_details.vulnerability_id

CVE/S (report_item_cve)

detection_detection_details.cwe

CWE

CWE (cwe)

Finding data (asset-instance connection)

| Cycode API field | Cycode UI field | Vulcan field |
| --- | --- | --- |
| detection_id | - | Vulnerability instance uniqueness criteria |
| detection_created_date | Detected at | Vulnerability instance First seen (first_seen) |
| detection_updated_date | last detected | Vulnerability instance Last seen (last_seen) |
| SDLC stage - detection_correlation_message; description - detection_correlation_message; Location - detection_detection_details.line; Security Tool - detection_security_tools; Category - detection_category; SCA: (1) Package - detection_detection_details.package_name, (2) Package version - detection_detection_details.package_version, (3) Dependency paths - detection_detection_details.vulnerable_component, (4) Dependency version - detection_detection_details.vulnerable_component_version, (5) CVSS score - detection_detection_details.cvss_score, (6) Fixed Version - detection_details.vulnerability_fixed_in_version, (7) file path - branch+filename+commit_id+line - detection_details.branch_name + detection_detection_details.file_name; Secrets: (1) author - detection_detection_details.member_email, (2) user email - detection_detection_details.member_email, (3) secret SHA - detection_detection_details.sha512, (4) file path - branch+filename+commit_id+line - detection_details.branch_name + detection_detection_details.file_name + detection_detection_details.commit_id, (5) secret tags - detection_tags | description; SDLC stage; Location; Security Tool; Category; SCA: Package, Package version, Dependency paths, Dependency version, CVSS score, Fixed Version; SECRET: author, user email, secret SHA, file path, secret tags | Vulnerability instance details (added_data) |

Vulnerability status mapping

Findings (instances) ingested from connectors are mapped into the Vulcan platform by status.

  • Based on detection_status field.

| Cycode status | Vulcan status |
| --- | --- |
| Open (In the API: Open) | Vulnerable |
| Resolved (In the API: Resolved) | Fixed |
| Ignored (In the API: Dismissed) | False positive (ignored) |

The statuses are mapped into the Findings page > Show <status> view:


Vulnerability score mapping

Risk scores ingested from connectors are converted into numeric scores and mapped into the Vulcan platform risk score field, eventually impacting the contextualized risk calculation.

  • Based on the detection_severity field

| Cycode score | Vulcan score |
| --- | --- |
| Critical | 10 |
| High | 7 |
| Medium | 5 |
| Low | 3 |
| Info | 0 |

The scores are mapped into the Score field of the Vulnerability details:

Status update Mechanisms

Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones.

The table below lists how the status update mechanism works for Cycode vulnerabilities and assets in the Vulcan Platform.

| Status change | When? |
| --- | --- |
| The asset is archived | Asset not seen for X days according to "Last Seen"; Asset status on the connector's side indicates irrelevancy (scm_repository_is_scm_archived == 'True') |
| The vulnerability instance status changes to "Fixed" | If the vulnerability no longer appears in the scan findings; Vulnerability status on the connector's side changes to RESOLVED |

Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).

Support limitations and expected behavior

The integration between Vulcan and Cycode currently supports SCA, SAST, and Secrets.

API endpoints in use

API version: Undeclared in Cycode


Data Validation

This section shows how to validate and compare data between Vulcan ExposureOS and the Cycode platform.

Matching Asset Count

Objective: Ensure the number of repositories (assets) in Cycode matches the corresponding assets in Vulcan.

In Cycode:

  1. Go to Inventory > Repositories.

  2. The total number of repositories is displayed on the top right.


In Vulcan:
Each repository in Cycode is ingested as an asset into the Vulcan platform.

  1. Go to Assets and filter by connector (Set Where → Asset → Connector to Cycode).

  2. The filtered list in Vulcan should match (or closely align with) the number of repositories in Cycode.

  3. The total number of ingested repositories/assets is displayed at the top left of the result list.

Validations if an asset is not present in Vulcan:

  • Archive by date: Ensure the asset is not archived in Vulcan based on an outdated last-seen date (by scm_repository_scm_modified).

  • Archive by status: If the asset is no longer present or valid, confirm that it was removed or deleted.

  • Data pulling configuration: Verify that the relevant data-pulling configurations are correctly set on the connectors setup page. Make sure to click Save Changes if you modify the connector's setup.

Matching vulnerabilities count

Objective: Ensure that vulnerabilities across SCA, SAST, and Secrets categories in Cycode are accurately reflected in Vulcan.

Matching SCA entities

In Cycode:

  1. Go to Violation > SCA.

  2. Group the results by Vulnerability ID and note the number of IDs you see.


    Make sure of the following:

    • No Filters: Ensure no additional filters (e.g., date, severity) are applied when generating reports or viewing data.

    • Full Risk Score Range: To ensure all vulnerabilities are included, use the entire risk score range (0–100).

    • Include All Statuses: Sum vulnerabilities across all statuses (e.g., Open, Resolved, Ignored).


  3. Take note of the count of Vulnerability IDs (Open violations):

  4. Group the results by Policy Name.


  5. By default, the filtered status is "Open". Take note of the number of vulnerability IDs under this status. In this example, it's 383.


  6. Sum the Open and Resolved statuses: also filter the status by Resolved and note the number of vulnerability IDs. In this example, there are 2.


    Add the count of Open vulnerability IDs to the count of Resolved vulnerability IDs; in this example, that is 383 + 2 = 385 (total count of vulnerabilities).

  7. Group the results by Policy Name and take note of the total count. In this case, it is 2.


  8. Subtract 1 from the total and add this to the total count of vulnerabilities.
    In this example case, it would be:

    2 Policies - 1 = 1 policy
    385 (total count of vulns) + 1 = 386

    This adjustment accounts for all violations grouped under the "vulnerability found in dependency" policy.

In Vulcan:

  1. Go to Vulnerabilities and filter by Cycode native data (Set Cycode → Vulnerabilities → Category to SCA).


    Based on the equation above, the results should show 386 vulnerabilities in this case. The total SCA vulnerability count in Vulcan should match the sum you derived in Cycode.

Matching SAST entities

In Cycode:

  1. Go to Violation > SAST.


    Make sure of the following:

    • No Filters: Ensure no additional filters (e.g., date, severity) are applied when generating reports or viewing data.

    • Full Risk Score Range: To ensure all vulnerabilities are included, use the entire risk score range (0–100).

    • Include All Statuses: Sum vulnerabilities across all statuses (e.g., Open, Resolved, Ignored).

  2. Group the results by Policy Name. By default, the filtered status is "Open". Take note of the number of vulnerability IDs under this status. In this example, it's 100.

  3. Sum Open and Resolved statuses; filter the status also by Resolved and note the number of vulnerability IDs. In this example, there is none.

    The total is 100 + 0 = 100

In Vulcan:

  1. Go to Vulnerabilities and filter by Cycode native data (Set Cycode → Vulnerabilities → Category to SAST).

  2. Based on the example above, the results should show 100 vulnerabilities in this case, matching the sum in Cycode.


Validations if a vulnerability is not present in Vulcan:

  • No asset has this vulnerability: If the asset associated with the vulnerability does not exist in Vulcan (e.g., archived, filtered out, or never ingested), the vulnerability will not appear in Vulcan.

  • Data-pulling configuration: The vulnerability may belong to a category that is not being fetched. For example, if the connector is configured to retrieve only SAST data but you are looking for a Secrets-related vulnerability, it will not be ingested into Vulcan.

Matching Secrets count

In Cycode:

Due to API limitations in Cycode, all secrets fall under a single vulnerability category called “Secrets detection.” You cannot group by policy name in Cycode for secrets.


In Vulcan:

  1. Go to Vulnerabilities and filter by Where → Vulnerability → Category = Secrets

Validations if a secret is not present in Vulcan:

  • No asset has this vulnerability: If the asset associated with the vulnerability does not exist in Vulcan (e.g., archived, filtered out, or never ingested), the vulnerability will not appear in Vulcan.

  • Data-pulling configuration: The vulnerability may belong to a category that is not being fetched. For example, if the connector is configured to retrieve only SAST data but you are looking for a Secrets-related vulnerability, it will not be ingested into Vulcan.

Matching Findings ("Violations")

Objective: Validate and compare the number of findings between the vendor’s platform and Vulcan, ensuring alignment across categories (SAST, SCA, and Secrets).

Matching SAST violations

In Cycode:

  1. Go to Discovery and run the SAST query (Violation > Category > Equals > SAST).


    Make sure of the following:

    • No Filters: Ensure no additional filters (e.g., date, severity) are applied when generating reports or viewing data.

    • Full Risk Score Range: To ensure all vulnerabilities are included, use the entire risk score range (0–100).

    • Include All Statuses: Sum vulnerabilities across all statuses (e.g., Open, Resolved, Ignored).

  2. Download the generated CSV.

  3. Open the CSV and note the total number of violations (findings).

In Vulcan:

  1. Go to Findings and filter by Cycode native data (Set Cycode → Findings → Category to SAST). Each violation is considered a finding.

Matching SCA violations

In Cycode:

  1. Go to Discovery and run the SCA query (Violation > Category > Equals > SCA).


    Make sure of the following:

    • No Filters: Ensure no additional filters (e.g., date, severity) are applied when generating reports or viewing data.

    • Full Risk Score Range: To ensure all vulnerabilities are included, use the entire risk score range (0–100).

    • Include All Statuses: Sum vulnerabilities across all statuses (e.g., Open, Resolved, Ignored).

  2. Download the generated CSV.

  3. Open the CSV and note the total number of violations (findings).

In Vulcan:

  1. Go to Findings and filter by Cycode native data (Set Cycode → Findings → Category to SCA). Each violation is considered a finding.

Matching secret violations

In Cycode:

  1. Go to Discovery and run the Secret Detection query (Violation > Category > Equals > SecretDetection).


    Make sure of the following:

    • No Filters: Ensure no additional filters (e.g., date, severity) are applied when generating reports or viewing data.

    • Full Risk Score Range: To ensure all vulnerabilities are included, use the entire risk score range (0–100).

    • Include All Statuses: Sum vulnerabilities across all statuses (e.g., Open, Resolved, Ignored).

  2. Download the generated CSV.

  3. Open the CSV and note the total number of secrets.

In Vulcan:

  1. Go to Findings and filter by Cycode native data (Set Cycode → Findings → Category to Secrets).

  2. Set the status to All.

  • If a violation/secret is marked as fixed in the vendor’s platform, it will appear under the Fixed screen in Vulcan.

  • If a violation/secret is marked as ignored in the vendor’s platform, it will appear under the Acknowledged screen in Vulcan.
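
As an added illustration (not Vulcan or Cycode code), this Python example applies the uniqueness criteria and the status and score tables from Data Mapping to a set of detections, to predict the finding and unique-vulnerability counts checked under Data Validation. The flat record layout, the `_det` helper and every sample identifier and policy name are assumptions constructed for the example; only the field names and table values come from this page.

```python
from collections import Counter

# Status and score tables copied from this page.
STATUS_MAP = {"Open": "Vulnerable", "Resolved": "Fixed",
              "Dismissed": "False positive (ignored)"}
SCORE_MAP = {"Critical": 10, "High": 7, "Medium": 5, "Low": 3, "Info": 0}

def vulnerability_key(det):
    """Uniqueness criteria from the mapping table: SCA detections are keyed by
    vulnerability ID, SAST and Secrets detections by source policy name."""
    if det["detection_category"] == "SCA":
        ident = det.get("detection_detection_details.vulnerability_id")
    else:
        ident = det.get("detection_source_policy_name")
    return (det["detection_category"], ident)

def expected_vulcan_view(detections):
    """Predict the finding and unique-vulnerability counts Vulcan should show."""
    findings, vulns, unmapped = {}, set(), []
    for det in detections:
        status = STATUS_MAP.get(det.get("detection_status"))
        score = SCORE_MAP.get(det.get("detection_severity"))
        key = vulnerability_key(det)
        if status is None or score is None or not key[1]:
            # Value missing from the page's tables: report it, do not guess.
            unmapped.append(det["detection_id"])
            continue
        # detection_id is the instance uniqueness key, so repeated rows collapse.
        findings[det["detection_id"]] = (status, score)
        vulns.add(key)
    return {
        "findings_by_status": dict(Counter(s for s, _ in findings.values())),
        "unique_vulns_by_category": dict(Counter(cat for cat, _ in vulns)),
        "scores": {fid: score for fid, (_, score) in findings.items()},
        "unmapped": unmapped,
    }

def _det(det_id, category, ident, status, severity):
    """Build one constructed record (the flat dict layout is an assumption)."""
    id_field = ("detection_detection_details.vulnerability_id"
                if category == "SCA" else "detection_source_policy_name")
    return {"detection_id": det_id, "detection_category": category,
            id_field: ident, "detection_status": status,
            "detection_severity": severity}

# Constructed sample data; identifiers and policy names are placeholders.
SAMPLE = [
    _det("d1", "SCA", "VULN-ID-A", "Open", "High"),
    _det("d2", "SCA", "VULN-ID-A", "Resolved", "High"),
    _det("d3", "SCA", "VULN-ID-B", "Open", "Critical"),
    _det("d4", "SAST", "sast-policy-1", "Open", "Medium"),
    _det("d5", "SAST", "sast-policy-1", "Dismissed", "Medium"),
    _det("d6", "SecretDetection", "Secrets detection", "Open", "Low"),
    _det("d7", "SecretDetection", "Secrets detection", "Open", "Info"),
    _det("d8", "SAST", "sast-policy-2", "Triaged", "Low"),  # unknown status
    _det("d1", "SCA", "VULN-ID-A", "Open", "High"),         # duplicate row
]
RESULT = expected_vulcan_view(SAMPLE)
```

Any ID listed under `unmapped` carries a status, severity or key that the tables on this page do not cover, so it is excluded from the predicted counts rather than assigned a guessed value.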
