Veracode SAST Connector (new revision)
Updated over a week ago

Am I reading the correct user guide?

Some connectors on the Vulcan help center offer multiple user guides tailored to different setups and versions.

Click on 'How to connect' on the Connector's setup page to open the right guide for your setup and version, ensuring accuracy and relevance.


About Veracode SAST

Veracode provides application developers with robust, cloud-based security analysis tools that can be integrated into the application development process. Our results are accurate and reliable and supported by the Veracode Community and our expert support team.

Why integrate Veracode SAST into the Vulcan platform?

The Veracode SAST Connector by Vulcan integrates with the Veracode platform to pull and ingest Code Project assets and their vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.

Veracode SAST Connector Details

Supported products


Application Security - SAST

Ingested asset type(s)

Code Projects

Integration type

Unidirectional (data is transferred from the Connector to the Vulcan Platform in one direction)

Supported version and type

SaaS (latest)

Connector Setup

Prerequisites and user permissions

Before you begin configuring the Connector, make sure you have the following:

Creating an API User Account in Veracode SAST

  1. Click on the gear icon and select Admin.

  2. Go to the Users tab and click Add New User.

  3. Enter user details:

    • Provide a descriptive first and last name.

    • Check the Non-Human User box.

    Note: You cannot convert an existing user account to an API service account. A new user account must be created with the Non-Human User checkbox selected.

  4. Enter a valid email address for the API service account. Veracode will use this address to send notifications regarding error messages, password expirations, and other automated messages.

  5. In the User Roles section, select the APIs that the API service account should access.

  6. For the "Restrict Login IP" option, select No.

  7. Click Save to create and enable the user account.

    • The user will receive an activation email.

    Note: Before accessing the APIs, users must activate their account, generate API credentials, and enable HMAC authentication.

Configuring the Veracode SAST Connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the Veracode SAST icon.

  4. Set up the Connector as follows:

    • Enter the Region, API Key ID, and API Secret you generated earlier.

  5. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Veracode SAST instance, then click Create (or Save Changes).

  6. The Advanced Configuration drop-down allows you to set the Connector's sync time. By default, all days are selected.

  7. Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.

  8. Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.

  9. To confirm the sync is complete, navigate to the Connectors page. Once the Veracode SAST icon shows Connected, the sync is complete.

Veracode SAST in the Vulcan Platform

Viewing Veracode SAST vulnerabilities in the Vulcan Platform

To view vulnerabilities by Connector:

  1. Go to the Vulnerabilities page.

  2. Click on Filter and set the condition to Vulnerability > Connector is Veracode SAST.

Viewing Veracode SAST assets in the Vulcan Platform

Viewing assets by Connector for users with the new platform view (Asset Hub):

  1. Go to the Assets page.

  2. Click on "Filter" and specify the condition as "Assets > Connector is Veracode SAST".

Viewing assets by Connector for users with the older platform view:

  1. Go to the Assets page.

  2. Choose the relevant asset type tab.

  3. Click on "Filter" and specify the condition as "Assets > Connector is Veracode SAST".

You can add more filters to narrow down your search further.
See the complete list of available asset filters.

Click on any asset for more asset details.

Taking Action on vulnerabilities and assets detected by Veracode SAST

To take remediation action on vulnerabilities and assets detected by Veracode SAST:

  1. Go to the Vulnerabilities or Assets page.

  2. Use the Filter to filter vulnerabilities by the Veracode SAST connector and display all synced vulnerabilities/assets along with their associated assets/vulnerabilities.

  3. Select the relevant vulnerabilities/assets from the results list.

  4. Click on Take Action to proceed with remediation or further actions.

Automating remediation actions on vulnerabilities detected by Veracode SAST

Use Vulcan Playbooks to create automation and remediate vulnerabilities at scale.

From Veracode SAST to the Vulcan Platform - Data Mapping

The Vulcan Platform integrates with Veracode SAST through the API to pull relevant vulnerability and asset data and map it into the Vulcan Platform pages and fields.

Code project fields mapping

Veracode SAST field

Vulcan field


Uniqueness criteria

Asset Name

Code Projects

Asset type


Asset codebase - Source (SAST)

file_path + file_line_number

Asset codebase - Location (SAST)

Profile- profile

App Profile Url

Results Url




Asset details


Asset Tags - Vendor’s tags

Team Name

Business Unit

Business Criticality

Asset Tags - Additional

finding_status.status [OPEN, CLOSE]

Asset’s Status


Last report


Vulnerability instance uniqueness criteria


Vulnerability instance first seen


Vulnerability instance Last seen


Vulnerability instance location path

Unique Vulnerability uniqueness criteria

Vulnerability title


Vulnerability score


Vulnerability description








Vulnerability details





CVSS attack vector








Vulnerability instance connection- additional information

Veracode recommendation for {{ name }}

Fix - Title


Fix - Description


Fix - References

Vulnerability status mapping

Veracode SAST Status

Vulcan Status





Vulnerability score mapping

Veracode SAST score

Vulcan score


2 * (Veracode severity score)

Status Update Mechanisms

Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any are added).

The table below lists how the status update mechanism works in the Veracode SAST connector for the vulnerabilities and assets in the Vulcan Platform.

Update type in Vulcan

Mechanism (When?)

The asset is archived

- Asset not found on the Connector's last sync

- Asset not seen for X days according to "Last Seen"

The vulnerability instance status changes to "Fixed"

- If the vulnerability no longer appears in the scan findings.

- Vulnerability status on the Connector's side changes to "CLOSED"

Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).
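
The status-update and score-mapping rules above, modeled as an added example (not Vulcan's or Veracode's own code). The data shapes, names such as `reconcile`, the sample records, the 30-day value for "X days", and the strict "older than X days" comparison are assumptions made for illustration.

```python
from datetime import date

def vulcan_score(veracode_severity):
    # Score mapping stated on this page: 2 * (Veracode severity score).
    return 2 * veracode_severity

def reconcile(known_assets, known_vulns, sync, today, inactive_days):
    """Apply the documented status-update rules to one sync result.

    known_assets / known_vulns: asset names and finding ids already ingested.
    sync: {"assets": {name: last_seen_date}, "findings": {id: {...}}}
    inactive_days: the "X days" inactive-asset window (assumed configurable).
    """
    archived, fixed, scores = [], [], {}
    for name in sorted(known_assets):
        last_seen = sync["assets"].get(name)
        if last_seen is None:                           # not found on last sync
            archived.append(name)
        elif (today - last_seen).days > inactive_days:  # stale "Last Seen"
            archived.append(name)
    for vuln_id in sorted(known_vulns):
        finding = sync["findings"].get(vuln_id)
        # Fixed: finding vanished from the scan, or vendor status is CLOSED.
        if finding is None or finding["status"] == "CLOSED":
            fixed.append(vuln_id)
        else:
            scores[vuln_id] = vulcan_score(finding["severity"])
    return {"archived": archived, "fixed": fixed, "scores": scores}

# Constructed sample data (not real Veracode output).
TODAY = date(2024, 6, 30)
KNOWN_ASSETS = {"payments-api", "legacy-portal", "mobile-backend"}
KNOWN_VULNS = {"F-1", "F-2", "F-3"}
SYNC = {
    "assets": {
        "payments-api": date(2024, 6, 29),
        "legacy-portal": date(2024, 3, 1),  # present, but last seen long ago
        # "mobile-backend" is missing from this sync
    },
    "findings": {
        "F-1": {"status": "OPEN", "severity": 4},
        "F-2": {"status": "CLOSED", "severity": 3},
        # "F-3" no longer appears in the scan findings
    },
}

if __name__ == "__main__":
    print(reconcile(KNOWN_ASSETS, KNOWN_VULNS, SYNC, TODAY, inactive_days=30))
```

Because updates are applied only on the next scheduled sync, a finding closed in Veracode stays open in this model until `reconcile` runs again with fresh data.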

API Endpoints in Use

API version: v1, v2


Use in Vulcan


Assets (Code Projects), Tags


Unique Vulnerabilities


