Veracode - Administrator Guide - Cortex Cloud Posture Management - Cortex CLOUD

Cortex Cloud Posture Management Documentation

Product
Cortex Cloud Application Security > Cortex CLOUD
License
Cloud Posture Management
Creation date
2025-01-22
Last date published
2026-06-10
Category
Administrator Guide

You can ingest SAST findings directly from Veracode into Cortex Cloud Application Security. This allows you to use Cortex Cloud Application Security's analysis and visualization tools to identify critical vulnerabilities, prioritize remediation efforts, and improve your application code security.

Veracode supports CycloneDX, JSON, and table output formats.

Prerequisite

  • Permissions: The following user permissions are required:

    • Cortex Cloud: Instance Admin, AppSec Admin or GRBAC permissions. For more information on AppSec Admin permissions, refer to Code Security user roles and permissions

    • Veracode: At minimum, Reviewer permissions are required

  • Ensure that you have a connected version control system (VCS) and repositories

  • Generate and copy a Veracode access key. The access key includes a key ID and secret

Onboarding steps
  1. On the Data Sources & Integrations page, search for and hover over Veracode and click Add, or Add Another Instance if an instance is already onboarded.

  2. On the Configure Integration step of the integration wizard:

    1. Fill in the provided fields:

      • Enter the key ID and secret of the Veracode access key you generated as a prerequisite into their respective fields

      • Select your Veracode region from the Region dropdown

    2. Click Authorize.

      The Select Applications step of the integration wizard is displayed, including a list of Veracode applications automatically mapped to Cortex Cloud Application Security repositories.

  3. On the Select Applications step of the wizard:

    1. Select which Veracode applications to ingest:

      • All current applications

      • All current and future applications

        Note

        This is the recommended option to ensure complete coverage and successful operation of all features.

      • Only selected applications, and then select the applications from the menu

      Note

      Only mapped applications will be ingested.

    2. Click Next.

  4. On the Map to Repositories step of the wizard:

    1. Select an option:

      • Accept the displayed mapping as detected by Cortex Cloud Application Security. This does not require any action on your part

      • Manually configure mapping if Cortex Cloud Application Security could not match an application to a repository: Select Set in the Cortex Cloud Application Security Repository column, and select a repository from the list that is displayed

      • Manually modify mapping: Click Replace next to the existing mapped Cortex Cloud repository. This opens an option to select a different repository from the displayed list, allowing you to update the mapping

      • Automatically map future applications: Select Automatically map future Veracode applications to map applications added to Veracode later to Cortex Cloud Application Security repositories without further action on your part

      • Reject mapping: Check the Don’t map any applications box

      Note

      • Mapping establishes relationships between Veracode applications and Cortex Cloud Application Security code repositories, simplifying access management and enabling risk analysis at the repository level, including displaying findings on the tenant

      • Only mapped applications will be ingested

    2. Click Next.

  5. Select Done on the Status step of the wizard to complete the integration, initiating an automatic ingestion of data from the integrated Veracode projects.

    Note

    Verify that the Connector Created Successfully message is displayed on the page.

  6. Verify the integration and confirm that your integrated Veracode instance has a status of Connected.

    1. On the Data Sources & Integrations page, search for Veracode.

    2. Hover over and select the resulting entry.

    3. Locate and verify that the status of your Veracode instance is Connected.

Limitations
  • Currently, Veracode SAST ingestion supports Veracode periodic and CLI scans. Pull Request scans and other types are not supported

  • History, deduplication and DevEx features such as PR comments, IDE, CLI and enforcement are not supported

Manage data source integrations

Manage integrations to align with evolving requirements and ensure they remain current.

  1. Navigate to Settings > Data Sources & Integrations and use the Vendor filter to locate the required integration.

  2. Select your vendor from the list.

    The integrated instances for the selected vendor are displayed.

  3. Right-click on an instance and select an option:

    • Edit instance: Redirects to the Select Repositories step of the integration wizard, where you can modify configurations for the selected instance. For more details, refer to the relevant integration guide

    • Delete instance: When confirmed, deletes the instance, including data from previous scans

    • Copy entire row: Copies all column values for the selected row to the clipboard

View SAST code weaknesses generated from ingested Veracode findings

You can view SAST code weaknesses generated from ingested Veracode findings:

  • On the Code Weaknesses page under Cortex Cloud Application Security Issues

  • Under the Code Weaknesses tab of the Repositories assets page

For more information on SAST code weaknesses, refer to SAST code weaknesses (CWEs).