Configure the Veracode Vulnerability Integration

Australia Security Management

Release

australia

ft:locale

ko-KR

ft:publication_title

Australia Security Management

ft:clusterId

security

bundleId

security

workflow

Technology

Configure the Veracode Vulnerability Integration

릴리스 버전: Australia

업데이트 날짜 2026년 03월 12일

소요 시간: 10분

Before you run the integration on your instance, the installation and configuration steps must be completed so the Veracode product properly integrates with Application Vulnerability Response. This application is available as a separate subscription.

시작하기 전에

Complete the following setup checklist prior to installation. These setup tasks are required for a smooth installation and configuration.

주:

This process applies only to applications that are downloaded to production instances. If you're downloading applications to non-production or development instances, it's not necessary to get entitlements. Proceed to Activate a ServiceNow Store application.


Setup tasks	Description
Verify that the Vulnerability Response application is installed and activated.	To verify that this application is activated, navigate to Subscription Management > Subscriptions in your instance. The list displays the subscriptions your organization has purchased. If the application is not installed and activated see, Install Vulnerability Response.
Verify that the Vulnerability Response Integration with Veracode application is installed and activated.	To verify that this application is activated, navigate to Subscription Management > Subscriptions in your instance. The list displays the subscriptions your organization has purchased. If the application is not installed and activated see, Install the ServiceNow Vulnerability Response Integration with Veracode.
Verify that you have the required ServiceNow roles for your instance.	The following roles are required for configuration, and verification of expected results: If not already assigned, the System Administrator [admin] installs the app and assigns users to the App-Sec Manager user group. The App-Sec Manager oversees configuration and verifies expected results.
For the Veracode Application Vulnerability integration, have your API id and API key ready.	Contact Veracode to obtain theAPI id and API key. See Preparing for the Veracode Vulnerability Integration. Starting with version 4.0, if you are using the Veracode Vulnerability Integration, the penetration assessment tests in the Veracode Vulnerability Integration are manual findings from Veracode. These findings are not linked to any penetration test assessment requests you configure in Application Vulnerability Response. For more information about penetration test requests in Application Vulnerability Response, see Configure penetration testing.

Role required: App-Sec Manager user group

프로시저

Navigate to All > Veracode Vulnerability Integration > Configuration.
Fill in the API ID and API Key fields.

Choose your testing results.

옵션	설명
Version 4.0:	Select DAST or SAST data types to include in the import. 주: You can choose one or the other, or both, but you must select at least one. Select SCA to import Software Composition Analysis (SCA) vulnerabilities. Select Include Manual to import manual penetration testing results from Veracode. AVITs are created for these results.
Version 3.0	Select DAST or SAST data types to include in the import. 주: You can choose one or the other, or both, but you must select at least one.
Version 1.0:	Dynamic Application Security testing results are selected, by default.

Add the Veracode Severity level to filter your imported data.
This value is imported from Veracode. You can add multiple values to the field. If populated, the import only gathers data that matches the Severity levels you've added.

Save and validate your choices.

옵션	설명
Version 3.0:	Click Save and Test Credentials. 주: Configuration is successfully completed unless an error message is displayed. If an error message is displayed during the configuration, reenter your data.
Version 1.0:	Click Save. Verify successful configuration by clicking Test Credentials. 주: Configuration is successfully completed unless an error message is displayed. If an error message is displayed during the configuration, reenter your data.

옵션

설명

Version 3.0:

Click Save and Test Credentials.

주:

Configuration is successfully completed unless an error message is displayed. If an error message is displayed during the configuration, reenter your data.

Version 1.0:

Click Save.

Verify successful configuration by clicking Test Credentials.

주:

Configuration is successfully completed unless an error message is displayed. If an error message is displayed during the configuration, reenter your data.

Select how you want to manage exceptions and false positives for AVITs upon import.

Options to manage AVITs upon import with the ServiceNow Exception management and False positive workflows are activated by default. The workflows are triggered based on how the Source states on the AVITs are mapped in your instance. For an example use case, see Managing state mapping for deferrals and false positives in Application Vulnerability Response.


Activated	Manage exceptions in ServiceNow Leave this option activated if you want to triage imported AVITs marked for the Deferred state. AVITs with Source states that normally are mapped to a Deferred state in your instance are instead mapped to Open. You Request an exception from the AVI record. Manage false positives in ServiceNow Leave this option activated if you want to triage imported AVITs with Source states marked as False Positive or Potential False Positive. AVITs with these Source states that normally are mapped to a Closed state in your instance are mapped to Open. You request a False positive from the AVIT record.
Deactivated	Deactivate one or both check boxes if you want to preserve the Source states imported from your scanner. These AVITs are mapped to the Target and Target reason states as they are imported but are not triaged by the exception and false positive workflows. The Request exception and False Positive actions are not visible on AVITs.

Activated

Manage exceptions in ServiceNow

Leave this option activated if you want to triage imported AVITs marked for the Deferred state.

AVITs with Source states that normally are mapped to a Deferred state in your instance are instead mapped to Open.

You Request an exception from the AVI record.

Manage false positives in ServiceNow

Leave this option activated if you want to triage imported AVITs with Source states marked as False Positive or Potential False Positive.

AVITs with these Source states that normally are mapped to a Closed state in your instance are mapped to Open.

You request a False positive from the AVIT record.

Deactivated

Deactivate one or both check boxes if you want to preserve the Source states imported from your scanner.

These AVITs are mapped to the Target and Target reason states as they are imported but are not triaged by the exception and false positive workflows. The Request exception and False Positive actions are not visible on AVITs.

Starting with v4.3, choose or verify settings for the following parameters.

Parameter	Description
API region	Select a region from the list.
API timeout	The default is 30K. You might prefer to leave this field in its default setting.
Include SBOM vulnerabilities	Select to include any vulnerabilities that are ingested by the Veracode integrations in the Veracode SBOM files you upload. Leave the field cleared so Veracode vulnerabilities are not parsed on Veracode SBOM files.

Parameter

Description

API region

Select a region from the list.

API timeout

The default is 30K. You might prefer to leave this field in its default setting.

Include SBOM vulnerabilities

Select to include any vulnerabilities that are ingested by the Veracode integrations in the Veracode SBOM files you upload.

Leave the field cleared so Veracode vulnerabilities are not parsed on Veracode SBOM files.

Select Save and Test Credentials.

다음에 수행할 작업

If your environment requires domain-separated imports, see Create domain-separated imports for an integration.

On initial installation, refer to Configure Application Vulnerability Response for further instructions.

After initial installation, for modifications refer to Veracode Vulnerability Integration modifications and activities.