Veracode Vulnerability Integration
Summary of Veracode Vulnerability Integration
The Veracode Vulnerability Integration for ServiceNow enables customers to import and synchronize security testing data from Veracode's Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), Software Composition Analysis (SCA), and manual scanner results. This integration enriches ServiceNow’s Application Vulnerability Response by providing comprehensive vulnerability details, including Software Bill of Materials (SBOM) data, to help prioritize and remediate application security flaws effectively.
Key Features
- Data Import and Synchronization: Automatically imports vulnerability data daily via scheduled jobs, ensuring your instance stays updated with Veracode scan results.
- Support for Multiple Vulnerability Types: Includes DAST, SAST, SCA, and manual penetration testing results, with support for SBOM files in CycloneDX and SPDX formats starting from version 4.2.
- Multiple Integration Components: Various integrations handle project linking, application vulnerability data (via JSON or deprecated XML APIs), scan summaries, CWE data, and categories, allowing flexible data ingestion and enrichment.
- Enhanced Visibility within ServiceNow: Access detailed vulnerability information such as HTTP request/response data, solution recommendations, and exploitability status directly from Application Vulnerable Item records and Vulnerability Response workspaces.
- Role-Based Configuration and Usage: Installed by system administrators and configured by App-Sec Managers, ensuring proper access and control within your organization.
- Compatibility and Upgrade Guidance: Customers planning to upgrade to versions compatible with Unified Security Exposure Management (USEM) should select version 30.x or higher; others should stay below 30.x.
Practical Benefits for ServiceNow Customers
- Streamlined Vulnerability Management: Scheduled integrations automate vulnerability data ingestion, reducing manual effort and improving data accuracy.
- Improved Risk Prioritization: Access to detailed Veracode findings and CWE information enables better assessment of vulnerability impact and prioritization of remediation.
- Comprehensive Software Security Insight: Integration of SBOM and SCA data helps identify weaknesses in software dependencies, supporting proactive security measures.
- Seamless Data Enrichment: Imported Veracode data enhances existing vulnerability records, providing richer context for security and development teams.
- Flexible API Usage: JSON-based APIs are preferred and provide more complete data; XML-based APIs are deprecated but still available for backward compatibility.
Using and Managing the Integration
To view and manage Veracode integrations, navigate to All > Veracode Vulnerability Integration > Integrations in ServiceNow. Scheduled jobs run automatically but can be triggered manually if needed. Integration run status and reports are available for monitoring performance and troubleshooting.
Ensure the appropriate user roles are assigned for installation and configuration. The default run-as user VR.System should not be changed to maintain integration stability.
The Vulnerability Response Integration with Veracode application uses data imported from the Veracode product to help you determine the impact and priority of flaws in your code.
Veracode Vulnerability Integration
The Veracode product collects Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and manual scanner data and makes that data available to the ServiceNow AI Platform®. It integrates with the Application Vulnerability Response feature of Vulnerability Response to map third-party vulnerabilities, enriching the data in your instance.
Starting with v19.0 of Vulnerability Response, you can import Software Composition Analysis (SCA) vulnerabilities and Software Bill of Materials (SBOM) vulnerability data to help you identify weaknesses in your software applications. For more information, see Exploring Software Bill of Materials.
A shared API ingests DAST, SAST, and SCA data as well as manual penetration testing results.
There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.
Every day, scheduled jobs invoke the integrations automatically in the order they are listed. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.
Get more details from Veracode
Starting with v4.2, select Get More Details on application vulnerable items (AVITs) that have Veracode as the Source on the Application Vulnerable Item [sn_vul_app_vulnerable_item] table or from the list views in the Vulnerability Response Workspaces to view the following Veracode data.
- HTTP Source request and Source response details for Dynamic Application Security Testing (DAST) scans are displayed on the HTTP Request/Response related list.
- Solution recommendations from Veracode are displayed on the Findings related list.
- HTTP Source request, Source response, and recommendations are displayed on the Details tab in the Vulnerability Response workspaces.
- The Description column is supported on the Application Vulnerable Item [sn_vul_app_vulnerable_item] table.
Available versions
| Release version | Release Notes |
|---|---|
| If you intend to upgrade to a version that is compatible with Unified Security Exposure Management (USEM), select a version starting with 30.x when installing or upgrading. | Application Vulnerability Response release notes. For compatibility information, see KB0856498, Vulnerability Response Compatibility Matrix and Release Schema Changes. |
| If you do not intend to upgrade to a version that is compatible with Unified Security Exposure Management (USEM), select a version below 30.x when installing or upgrading. | Application Vulnerability Response release notes. For compatibility information, see KB0856498, Vulnerability Response Compatibility Matrix and Release Schema Changes. |
User group and roles
The Veracode Vulnerability Integration is installed by a system administrator [admin] and configured by a member of the App-Sec Manager group. See Application Vulnerability Response user groups and roles for more information.
Veracode Vulnerability Integration
To view the Veracode vulnerability integrations, navigate to All > Veracode Vulnerability Integration > Integrations.
The following integrations are included in the base system.
| Integration | Description |
|---|---|
| Beginning with v4.1: Veracode Link projects Integration | This integration is activated by default. Retrieves all associated projects for each application from Veracode. Applications can have multiple projects in the Veracode application. Imported data from this integration is displayed on the following records: |
| Veracode Application List Integration (JSON) | This integration is inactive by default. Retrieves Veracode application scanner data (vulnerabilities, metadata) and enriches your application data. Retrieves scan records from Veracode via a JSON-based API. |
| Veracode Application List Integration (XML) | This integration is inactive by default. The XML-based version of this integration has been deactivated (deprecated). Retrieves Veracode application scanner data (vulnerabilities, metadata) and enriches your application data. This integration is set to run daily at 00:00:00. Note: A JSON-based API from Veracode is used to retrieve the list of applications. This API imports the ‘last policy compliance check date’ for these applications, signifying when these applications were last scanned by Veracode. |
| Veracode Software Bill of Materials (SBOM) Integration | Version 4.3 of the Veracode Vulnerability Integration includes the following enhancements with Veracode SBOM files: This integration is activated by default. Beginning with v4.2, imports Software Bill of Materials files in CycloneDX and SPDX formats generated by Veracode and queues them for parsing in your instance. You must have the Software Bill of Materials application installed to import and view this data. |
| Veracode Scan Summary Integration (JSON) | This integration is inactive by default. Retrieves scan records from Veracode via a JSON-based API. This integration replaces the XML-based API integration. It is chained and follows the Veracode Application List Integration when activated. |
| Veracode Scan Summary (XML) | This integration is inactive by default. The XML-based version of this integration has been deactivated (deprecated). Retrieves scan records from Veracode. This integration is chained and follows the Veracode Application List Integration when activated. Note: Automatically follows the Veracode Application List integration when it is activated. Using the ‘Last policy compliance check date’ for the applications from Veracode, this integration retrieves data only for the applications that were scanned after the ‘delta_start_time’ of this integration. |
| Veracode Application Vulnerable Item JSON Integration | Starting with v4.2, view details such as total processing times, average times for pre- and post-integration run processes, and reports on the integration run records for the Application Vulnerable Item integrations. This integration is inactive by default. Retrieves scan results from Veracode with more vulnerability data than the XML-based integration. It inserts AVITs and enriches your third-party vulnerability data. |
| Veracode Application Vulnerable Item Integration (XML) | Starting with v4.2, view details such as total processing times, average times for pre- and post-integration run processes, and reports on the integration run records for the Application Vulnerable Item integrations. This integration is inactive by default. Retrieves scan results from Veracode, inserts Application Vulnerable Items (AVITs) and enriches your third-party vulnerability data. By default, if the scanner record is in the Closed state, AVITs are not created; existing AVITs are still updated. This integration is chained and follows the Veracode Scan Summary integration when activated. The XML-based API is deprecated in favor of the Veracode Scan Summary (JSON) integration. Note: Automatically follows the Veracode Scan Summary integration. Using the ‘Last policy compliance check date’ for the applications from Veracode, this integration retrieves data only for the applications that were scanned after the ‘delta_start_time’ of this integration. |
| Veracode Categories Integration | This integration is inactive by default. Retrieves enhanced Categories data from Veracode. |
| Veracode CWE Integration | This integration is activated by default. Retrieves Veracode-specific Common Weakness Enumeration (CWE) data for threat information and remediation recommendations. This data is populated and updated on Application Vulnerability Entry records. This CWE integration operates independently from the scheduled job for the CWE Comprehensive 2000 Integration that you activate for the Vulnerability Response application. Your data is not duplicated if you have both the Veracode CWE Integration and the CWE Comprehensive 2000 Integration activated. |
| Veracode DevOps Integration | This integration is inactive by default. The integration is viewable on the Application Vulnerability Integrations list in Application Vulnerability Response. If you have a DevOps Change Velocity license, this feature is structured so that DevOps users do not need a SecOps license to view summary details for third-party vulnerability scans. There is no impact or change to Application Vulnerability Response. |
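The two rules the table describes for the chained Scan Summary and Application Vulnerable Item integrations, the delta filter on the ‘last policy compliance check date’ against ‘delta_start_time’ and the Closed-state rule for creating versus updating AVITs, modelled as a small added illustration. This is plain JavaScript written for this page, not the integration's own code, and it uses no ServiceNow APIs; the field names, the constructed sample data and the choice to skip applications with no compliance check date are assumptions.

```javascript
// Added illustration of the delta-sync and AVIT create/update rules described
// in the table above. Not the integration's own code; no ServiceNow APIs.

// Constructed sample: application list as the JSON-based API would supply it,
// with the 'last policy compliance check date' per application (field name assumed).
const SAMPLE_APPLICATIONS = [
  { id: "app-1", name: "payments", lastPolicyComplianceCheckDate: "2024-05-02T10:00:00Z" },
  { id: "app-2", name: "portal",   lastPolicyComplianceCheckDate: "2024-04-20T09:30:00Z" },
  { id: "app-3", name: "batch",    lastPolicyComplianceCheckDate: null }, // never scanned
];

// Keep only applications scanned strictly after delta_start_time (ISO-8601 string).
// Applications with no compliance check date are skipped (assumption: nothing to import).
function selectApplicationsForRun(applications, deltaStartTime) {
  const since = Date.parse(deltaStartTime);
  return applications.filter((app) => {
    if (!app.lastPolicyComplianceCheckDate) return false;
    return Date.parse(app.lastPolicyComplianceCheckDate) > since;
  });
}

// Constructed sample scan results: each finding references a scanner record with
// a state. Existing AVITs are keyed by a constructed finding key (assumption).
const SAMPLE_FINDINGS = [
  { key: "app-1:CWE-79:/login",  scannerState: "Open" },
  { key: "app-1:CWE-89:/search", scannerState: "Closed" },
  { key: "app-1:CWE-22:/files",  scannerState: "Closed" },
];
const SAMPLE_EXISTING_AVITS = new Set(["app-1:CWE-22:/files"]);

// Decide per finding: create a new AVIT, update an existing one, or skip.
// Rule from the table: a Closed scanner record never creates a new AVIT,
// but an AVIT that already exists is still updated.
function planAvitActions(findings, existingAvitKeys) {
  return findings.map((f) => {
    const exists = existingAvitKeys.has(f.key);
    let action;
    if (exists) action = "update";
    else if (f.scannerState === "Closed") action = "skip";
    else action = "create";
    return { key: f.key, action };
  });
}
```

With delta_start_time set to 2024-05-01T00:00:00Z only app-1 is selected, and the three findings resolve to create, skip and update respectively.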
For integration run statuses, see View the Veracode Application Vulnerability Integration import run status.
To view data in third-party vulnerabilities, see View vulnerability libraries.