Integrating Veracode SAST, DAST, and SCA, into CI/CD

What is Veracode?

Veracode is a commercial provider of software security testing tools, based in the cloud, that includes static code analysis, software composition analysis, and dynamic analysis of websites. Veracode are a partner of Uleska, and they provide an API to their online services to facilitate more automation of their testing in CI/CD cycles.

To use Uleska with Veracode, you will need to have your own Veracode licenses. Contact Veracode for a discussion on their services and licenses, or you can contact Uleska (as a Veracode partner) for advice and help obtaining the right licenses for your company.

Security Stage SAST, SCA, DAST (Static Code Analysis, Software Composition Analysis, Dynamic Analysis)
Type Commercial
Languages Most languages are covered (see )



1 You'll need a Git Address and/or URL to scan
2 You'll need a Veracode License


How do I set up Veracode?

You can use the Uleska Platform to runs various types of testing with Veracode and extract results. To configure, the first act is to setup a 'connection' for the Veracode server and API authentication you have created on the Veracode server (see for more details). We recommend you create a new API user specifically for Uleska, which will then give you the flexibility to control what Uleska can and cannot do in regards to API access and testing.

Be aware that the same connection details can be used to run SAST/SCA (static code analysis/software composition analysis) testing through the Veracode platform, as well as DAST testing (dynamic analysis). You will configure the one connection profile for Veracode in the Uleska Platform, and then later configure which type of testing you wish to run at various stages in the pipeline.

  • To set up a 'connection', click on the 'Configuration' tab on the left hand side of the UI. If you do not have a 'Configuration' side, you may not have the role permissions to set this connection up, therefore speak to your administrator.
  • In the Configuration screen, click on the 'Connections' tab, and click on 'Add Connection'
  • This will let you configure different types of connections for various tools. Choose the 'Veracode' option in the top drop down box.
  • Enter the configuration details of the user ID you created in Veracode, and the associated API key:


  • Click Save

  • Now that you have your Veracode connection setup, click on the application you wish to add the tool for, and edit the version (stage) configuration.


  • Depending on the type of testing you wish to perform with Veracode, you will setup the version to either have the information necessary for static analysis , or dynamic analysis.
  • Click 'Save'
  • Create a new Toolkit (or edit an existing one) by following the Creating a Toolkit guide and selecting 'Veracode' as a tool.


  • To configure the type of testing to run in this pipeline stage, and other configurations, click on the blue cog to setup. Here you can configure:
    • Application Name (if different from the Uleska configured app name)
    • Gateway Id (if running the Veracode DAST agent internally)
    • Endpoint Id (if running the Veracode DAST agent internally)
    • Authentication Type
    • Run SAST (includes both SAST and SCA scans)
    • Create Application (if necessary within the Veracode system for easy provisioning)
    • Run DAST
  • Click Save.

Now any time you click 'Test Now' using that ToolKit, or make a request over the Uleska API or CLI using that ToolKit, Uleska will start the Veracode scan for SAST/SCA, or DAST (as configured) and extract the subsequent results for the configuration application. Any results added to your vulnerabilities list.