Applications
Collects application profiles from Veracode, providing comprehensive visibility into applications, policy compliance status, scan history, and team assignments within your Veracode organization.
Sync Type: Full Sync
Description
The Veracode Applications input connector retrieves comprehensive application profile data from your Veracode instance. This connector captures the complete inventory of applications along with their security posture, including policy compliance status, assigned security policies, scan history, team assignments, and application metadata. The input uses a full sync approach with intelligent change tracking to optimize data collection on subsequent runs.
Key features include:
- Full snapshot of all application profiles on each run
- Incremental efficiency through change tracking by application GUID
- Support for both Veracode US and EU regional endpoints
- Configurable scheduling using cron expressions
Requirements
Before connecting Monad to Veracode, you need:
- An active Veracode account with API access enabled
- Veracode API credentials (API ID and API Key) with appropriate permissions
- A user account with Creator or Security Lead role (required to generate and access API credentials)
- Network access to the Veracode API endpoint (US or EU region)
Setup Instructions
1. Generate API Credentials
- Log in to Veracode Platform:
  - Navigate to Veracode Platform
  - Sign in with your credentials
- Access API Credentials:
  - In the top right corner, click on your User Account (profile icon)
  - Select API Credentials from the dropdown menu
  - Click the Generate API Credentials button
- Generate and Store Credentials:
  - The system will generate an API ID and API Key (Secret)
  - Important: Copy and securely store both credentials immediately. The API Key will not be displayed again and cannot be recovered.
  - Store these credentials in a secure location and never commit them to version control.
2. Determine Your Regional Endpoint
Choose the appropriate region for your Veracode instance:
- US Region: Use if your Veracode account is on the US infrastructure
  - Endpoint: api.veracode.com
- EU Region: Use if your Veracode account is on the EU infrastructure
  - Endpoint: api.veracode.eu
You can determine your region by checking your Veracode account settings or by examining which URL you use to access the Veracode Platform.
- Configure the Connector:
  - Use the API ID, API Key, and region selection in the configuration settings for the connector.
Configuration
The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Region | string | Yes | Veracode API region. Must be either "US" (api.veracode.com) or "EU" (api.veracode.eu). |
| Cron | string | Yes | Cron expression to schedule the connector runs. Defines how frequently application profiles are synchronized from Veracode. |
Secrets
| Secret | Type | Required | Description |
|---|---|---|---|
| API Key ID | string | Yes | The Veracode API ID used for HMAC-SHA256 authentication. Generated from Veracode Platform User Account settings. |
| API Key Secret | string | Yes | The Veracode API Secret/Key used for HMAC-SHA256 authentication. Generated from Veracode Platform User Account settings. |
Collection Behavior
The input follows a full sync pattern with intelligent change tracking:
- First run: Collects all available application profiles from your Veracode instance
- Subsequent runs: Collects all applications but only processes those with changed data (based on the modified timestamp)
- Change tracking: Uses the application GUID and modification timestamp to track processed applications
- Pagination: Automatically handles API pagination (page size: 500 applications)
- Fault tolerance: Checkpoints are recorded immediately after each application is processed, ensuring already-processed applications are skipped if a run fails mid-way
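A minimal sketch of the change tracking and per-application checkpointing described above, added here as an illustration; it is not Monad's connector code. The function name, the in-memory checkpoint dictionary and the sample pages are assumptions, and a real connector would persist the checkpoints between runs.

```python
from typing import Callable, Dict, Iterable, List

Checkpoints = Dict[str, str]  # application GUID -> last processed "modified" value


def sync_applications(pages: Iterable[List[dict]], checkpoints: Checkpoints,
                      process: Callable[[dict], None]) -> List[str]:
    """Walk every page (full sync) but hand only new or changed apps to process().

    Returns the GUIDs processed in this run. `checkpoints` is updated in place
    right after each application, so a crash mid-run loses no completed work.
    """
    processed: List[str] = []
    for page in pages:
        for app in page:
            guid, modified = app.get("guid"), app.get("modified")
            if not guid or not modified:
                # Without both fields the record cannot be tracked; fail loudly
                # instead of silently re-sending or dropping it.
                raise ValueError(f"record missing guid/modified: {app!r}")
            if checkpoints.get(guid) == modified:
                continue  # unchanged since it was last processed successfully
            process(app)
            checkpoints[guid] = modified  # checkpoint immediately after processing
            processed.append(guid)
    return processed


# Constructed sample pages (two small pages instead of 500-record pages), not real data.
PAGES = [
    [{"guid": "00000000-0000-0000-0000-000000000001", "modified": "2024-11-13T15:30:45.123Z"},
     {"guid": "00000000-0000-0000-0000-000000000002", "modified": "2024-11-12T14:20:30.456Z"}],
    [{"guid": "00000000-0000-0000-0000-000000000003", "modified": "2024-06-01T10:00:00.000Z"}],
]

if __name__ == "__main__":
    state: Checkpoints = {}
    print("first run:", sync_applications(PAGES, state, lambda app: None))
    print("second run:", sync_applications(PAGES, state, lambda app: None))  # nothing changed
```

If `process` raises on the third application, the first two are already checkpointed and the retry only handles the one that failed.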
Authentication Details
The connector uses HMAC-SHA256 signing for authentication with the Veracode API:
- Authentication Method: Custom HMAC-SHA256 signing scheme
- Credentials: API ID and API Secret
- Expiration: API credentials expire after one year from generation
- Regeneration: Generate new credentials before expiration in Veracode Platform
Best Practices
- API Credentials Security: Keep your API ID and Secret secure. Never commit credentials to version control.
- Credential Rotation: Regenerate API credentials annually before expiration.
- Cron Scheduling: Use an appropriate cron expression to balance data freshness and API usage. For example:
  - 0 */6 * * * - Run every 6 hours
  - 0 0 * * * - Run once daily at midnight
  - 0 2 * * 0 - Run weekly on Sunday at 2 AM
- Regional Consistency: Ensure you select the correct region (US or EU) matching your Veracode account location.
Rate Limits
The Veracode API enforces rate limiting to ensure fair usage across all clients:
| Scope | Limit | Window | Notes |
|---|---|---|---|
| API | 500 requests | Minute | General API rate limit across all endpoints |
| Connector | ~8 requests/second | N/A | Connector implementation rate limiting to respect API limits |
Source: Veracode API Documentation
Sample Record
{
  "guid": "12345678-1234-1234-1234-123456789012",
  "id": 45678,
  "profile": {
    "name": "WebApp-Frontend",
    "description": "Core application for customer-facing workflows",
    "business_criticality": "VERY_HIGH",
    "policy": {
      "guid": "87654321-4321-4321-4321-210987654321",
      "name": "Veracode Recommended Very High",
      "compliance_status": "PASSED"
    },
    "tags": "production,critical",
    "teams": [
      {
        "team_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "team_name": "Security Team"
      }
    ]
  },
  "scans": [
    {
      "scan_type": "STATIC",
      "last_occurrence": "2024-11-13T15:30:45.123Z"
    },
    {
      "scan_type": "SCA",
      "last_occurrence": "2024-11-12T14:20:30.456Z"
    }
  ],
  "last_completed_scan_date": "2024-11-13T15:30:45.123Z",
  "created": "2024-06-01T10:00:00.000Z",
  "modified": "2024-11-13T15:30:45.123Z"
}