Veracode integration with DevOps Change Velocity
Summary of Veracode integration with DevOps Change Velocity
This integration enables ServiceNow customers to connect their Veracode instance with DevOps Change Velocity, allowing retrieval and analysis of security scan results from CI/CD pipelines. Supported pipeline tools include GitHub Actions, Jenkins, Azure DevOps, GitLab, and Harness. The integration helps determine code vulnerabilities by incorporating Veracode scan data directly into ServiceNow workflows.
Key Features
- Pipeline Support: Veracode scans configured in common CI/CD tools can be integrated, with specific setup requirements for each tool:
  - Azure DevOps and GitHub Actions require adding custom action code in the pipeline.
  - Jenkins pipelines with existing Veracode scans must have waitForScan: true to enable scan data retrieval, without adding extra custom code.
  - GitLab integration can use a generic Docker container image or follow specific GitLab security tool integration steps.
  - Harness pipelines support Veracode scans only through the generic Docker container image method.
- Scan Results Visibility: Security scan results are accessible within ServiceNow in multiple locations:
  - Related list on Change Requests
  - Task Execution records of pipelines
  - Pipeline UI within ServiceNow
- Security Automation: Retrieved Veracode scan results can be utilized to define change policies and automate change management decisions based on vulnerability data.
Prerequisites and Setup
- Install the DevOps Vulnerability Integrations (sndevopsvulints) and Vulnerability Response Integration with Veracode (snvulveracode) plugins in your ServiceNow instance.
- Ensure Veracode API credentials have proper roles for uploading and scanning results.
- Note the role assignments that come with plugin installation, such as the sn_vul.app_sec_manager and sn_vul_veracode.configure_integration roles added to the DevOps Tool Owner role.
Onboarding Options
ServiceNow provides multiple methods to onboard your Veracode instance for integration:
- Workspace Playbook: A guided experience to connect and configure Veracode within DevOps Change Velocity.
- Service Catalog: Use the ServiceNow Service Catalog for integration setup.
- Classic Experience: Connect your Veracode instance via the traditional interface to retrieve scan results.
Practical Benefits for ServiceNow Customers
By integrating Veracode with DevOps Change Velocity, customers gain comprehensive visibility into security vulnerabilities directly within change management workflows. This integration streamlines vulnerability tracking, enhances policy enforcement, and supports automation to reduce risk during software releases, improving overall DevOps security posture.
Connect to your Veracode instance that is integrated with your CI/CD pipelines to retrieve security scan results. This helps you determine how vulnerable your code is.
Veracode integration overview
Veracode scans that are configured on GitHub Actions, Jenkins, Azure DevOps, GitLab, and Harness pipelines are supported in DevOps Change Velocity.
[Figure: Veracode scan flow with the Upload and Scan and Results steps]
You can configure Veracode scans on any stage of the pipeline, and the scan details are retrieved from that stage into DevOps Change Velocity. If you use the Azure DevOps or GitHub Actions orchestration tools, you must always add the custom action code to your pipeline. If you use Jenkins and your pipeline already has a Veracode security scan step, you do not need to add the custom action code; instead, ensure that the Veracode security scan step has waitForScan: true, because the system requires it to retrieve the scan information.
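A Jenkins declarative pipeline stage that meets the waitForScan: true requirement described above, added here as an illustration and not taken from the original page, ServiceNow, or Veracode. The parameter names follow the Veracode Jenkins plugin's veracode pipeline step; the build command, application profile name, credential IDs, and upload pattern are placeholder assumptions.

```groovy
pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                // Assumed build step; it is expected to produce a deployable .war under target/
                sh 'mvn -B -DskipTests package'
            }
        }
        stage('Veracode Upload and Scan') {
            steps {
                // API credentials are read from the Jenkins credential store, never hard-coded.
                // The credential IDs below are assumed placeholders.
                withCredentials([string(credentialsId: 'veracode-api-id', variable: 'VERACODE_ID'),
                                 string(credentialsId: 'veracode-api-key', variable: 'VERACODE_KEY')]) {
                    veracode applicationName: 'example-app',            // assumed app profile name
                             criticality: 'VeryHigh',
                             scanName: "build-${env.BUILD_NUMBER}",
                             uploadIncludesPattern: '**/*.war',         // assumed artifact pattern
                             // Without waitForScan the step returns as soon as the upload finishes,
                             // before any findings exist, so DevOps Change Velocity would retrieve
                             // nothing from this stage. Keep it true and give the scan time to finish.
                             waitForScan: true,
                             timeout: 60,                               // minutes to wait for results
                             vid: env.VERACODE_ID,
                             vkey: env.VERACODE_KEY
                }
            }
        }
    }
}
```

Once this stage reports a completed scan, the results attach to the corresponding Task Execution and Change Request in ServiceNow without any custom action code.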
If you want to configure Veracode for the GitLab tool, you can either use the generic Docker container image to add the Veracode security step or perform the steps specified in the Integrate security tools with GitLab topic.
For Harness pipelines, you can configure Veracode scans only through the generic Docker Container Image. For more information, see Implement custom actions for pipelines using a generic Docker container image.
You can view the security scan results in the related list of a Change Request, in the Task Execution of the pipeline, or in the Pipeline UI in your ServiceNow instance. You can also use security results to define change policies and conditions for change automation.
Get started
- The sn_vul.app_sec_manager role is added to the DevOps Tool Owner [sn_devops.tool_owner] role when the DevOps Vulnerability Integrations plugin (sn_devops_vul_ints) is installed.
- The sn_vul_veracode.configure_integration role is added to the DevOps Tool Owner [sn_devops.tool_owner] role when the Vulnerability Response Integration with Veracode plugin (sn_vul_veracode) is installed.
For more information on the scan results captured in ServiceNow, see Security scan results.
Use one of the following options to onboard Veracode. For a guided experience, use the workspace to onboard a tool. Alternatively, you can use the Service Catalog or Classic experience.