Configure Veracode scans on your pipeline

  • Release version: Yokohama
  • Updated July 31, 2025

    Configure Veracode scans on your Azure DevOps, Jenkins, GitHub, GitLab, or Harness pipelines.

    You can configure Veracode scans on any stage of the pipeline; the scan details are retrieved from the corresponding stage into DevOps Change Velocity. If you use Azure DevOps or GitHub Actions as your orchestration tool, you must always add the custom action code to your pipeline. If you use Jenkins and your pipeline already has a Veracode security scan step, you do not have to add the custom action code to your pipeline. Ensure that your Veracode security scan step has waitForScan: true, which is required for the system to retrieve the scan information.

    If you want to configure Veracode for the GitLab tool, you can either use the generic Docker container image to add the Veracode security step or perform the steps specified in the Integrate security tools with GitLab topic.

    For Harness pipelines, you can configure Veracode scans only through the generic Docker Container Image. For more information, see Implement custom actions for pipelines using a generic Docker container image.

    1. Navigate to the step in your pipeline and add the custom action.
      Azure DevOps
      1. Navigate to your pipeline .yml file.
      2. In the Tasks section on the right side, search for the ServiceNow DevOps Security Results extension task.
      3. Enter the ServiceNow endpoint.
      4. Enter the security results attributes as follows.
        
            {
                "scanner": "Veracode", "applicationName": "", "buildVersion": "", "securityToolId": "" 
            }

        // scanner: Scanning tool (required), for example Veracode.

        // applicationName: Name of your Veracode application (required). This attribute is applicable only for Veracode.

        // buildVersion: Veracode scan name or build version (optional). This attribute is applicable only for Veracode.

        // securityToolId: Security tool onboarded in ServiceNow, given as the sys_id of the onboarded security tool (optional).

      5. Select Add to add the custom action code to your pipeline.
      Jenkins
      1. Navigate to the Pipeline Syntax from a configured pipeline.
      2. Select the snDevOpsSecurityResult step from the Sample Step list, and update the values for the security scan attributes in the step.
      3. Select Generate Pipeline Script to create a snippet. You can copy and paste the snippet into the pipeline.
        snDevOpsSecurityResult securityResultAttributes: '{"scanner": "Veracode", "applicationName": "", "buildVersion": "", "securityToolId": ""}'

        // scanner: Scanning tool (required), for example Veracode.

        // applicationName: Name of your Veracode application (required). This attribute is applicable only for Veracode.

        // buildVersion: Veracode scan name or build version (optional). This attribute is applicable only for Veracode.

        // securityToolId: Security tool onboarded in ServiceNow, given as the sys_id of the onboarded security tool (optional).

      GitHub Actions
      1. Navigate to your workflow .yml file.
      2. In the Marketplace section on the right side, search for the ServiceNow DevOps Security Results custom action.
      3. Add the following snippet into your .yml file.
        
            SecurityScanResults:
                needs: build
                runs-on: ubuntu-latest
                name: Servicenow Security Scan Results
                steps:
                  - name: ServiceNow DevOps Security Results
                    uses: ServiceNow/servicenow-devops-security-result@v1.39.0
                    with:
                        # Credentials and instance details come from repository secrets.
                        devops-integration-user-name: ${{ secrets.SN_DEVOPS_USER }}
                        devops-integration-user-password: ${{ secrets.SN_DEVOPS_PASSWORD }}
                        instance-url: ${{ secrets.SN_INSTANCE_URL }}
                        tool-id: ${{ secrets.SN_ORCHESTRATION_TOOL_ID }}
                        context-github: ${{ toJSON(github) }}
                        job-name: 'Servicenow Security Scan Results'
                        security-result-attributes: '{ "scanner": "Veracode", "applicationName": "", "buildVersion": "", "securityToolId": ""}'

        // scanner: Scanning tool (required), for example Veracode.

        // applicationName: Name of your Veracode application (required). This attribute is applicable only for Veracode.

        // buildVersion: Veracode scan name or build version (optional). This attribute is applicable only for Veracode.

        // securityToolId: Security tool onboarded in ServiceNow, given as the sys_id of the onboarded security tool (optional).

      For more information, see GitHub marketplace.
      Harness
      Use the following script with the generic Docker container image. For more information, see Implement custom actions for pipelines using a generic Docker container image.
      - stage:
          name: ServiceNow DevOps Security Result
          identifier: Security
          description: ""
          type: Custom
          spec:
            execution:
              steps:
                - stepGroup:
                    name: Security
                    identifier: Security
                    steps:
                      - step:
                          type: Run
                          name: ServiceNow DevOps Security Result
                          identifier: ServiceNow_DevOps_Security_Result
                          spec:
                            connectorRef: docker_hub_connector_for_harness
                            image: servicenowdocker/sndevops:5.0.0
                            shell: Sh
                            command: |-
                              # Single quotes keep the double quotes of the JSON payload intact in sh.
                              sndevopscli create securityScan -p '{
                                "pipelineInfo": {
                                  "buildNumber": "<+stage.nodeExecutionId>",
                                  "taskExecutionUrl": "<+pipeline.executionUrl>?stage=<+stage.nodeExecutionId>",
                                  "orchestrationPipeline": "<+org.identifier>/<+project.identifier>/<+pipeline.name>"
                                },
                                "securityResultAttributes": {
                                  "scanner": "Veracode",
                                  "applicationName": "",
                                  "buildVersion": "",
                                  "securityToolId": ""
                                }
                              }'
                            envVariables:
                              SNOW_URL: <+variable.SNOW_URL>
                              SNOW_TOOLID: <+variable.SNOW_TOOLID>
                              SNOW_TOKEN: <+variable.SNOW_TOKEN>
                    stepGroupInfra:
                      type: KubernetesDirect
                      spec:
                        connectorRef: kubernates_connector
                        namespace: harness-delegate-ng
          tags: {}
    2. Run the pipeline to retrieve the security scan results.
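
The attributes string is hand-written JSON embedded in YAML or Groovy in every variant above, so a pre-flight check in the pipeline catches an unfilled template or a broken quote before the results step runs. This is an added example, not ServiceNow code: the function name and sample values are hypothetical, it covers only the four attributes this page lists, and matching the scanner name case-insensitively is an assumption.

```python
import json
import re

# ServiceNow sys_id values are 32 hexadecimal characters.
SYS_ID = re.compile(r"[0-9a-fA-F]{32}")
KEYS = ("scanner", "applicationName", "buildVersion", "securityToolId")


def check_security_result_attributes(raw):
    """Return a list of problems found in a securityResultAttributes JSON string."""
    try:
        attrs = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at position {exc.pos}"]
    if not isinstance(attrs, dict):
        return ["top-level value must be a JSON object"]

    # Every attribute on the page is a string; reject numbers, nulls, lists.
    problems = [f"{k} must be a string" for k in KEYS
                if k in attrs and not isinstance(attrs[k], str)]
    if problems:
        return problems

    scanner = attrs.get("scanner", "").strip()
    if not scanner:
        problems.append("scanner is required")
    # applicationName is required only when the scanner is Veracode.
    if scanner.lower() == "veracode" and not attrs.get("applicationName", "").strip():
        problems.append("applicationName is required for Veracode")
    # securityToolId is optional, but when set it must look like a sys_id.
    tool_id = attrs.get("securityToolId", "")
    if tool_id and not SYS_ID.fullmatch(tool_id):
        problems.append("securityToolId is not a 32-character sys_id")
    return problems


# Constructed samples: the page's template left unfilled, a filled-in value,
# and a string cut short the way a quoting mistake in the pipeline file leaves it.
TEMPLATE = '{"scanner": "Veracode", "applicationName": "", "buildVersion": "", "securityToolId": ""}'
FILLED = '{"scanner": "Veracode", "applicationName": "example-app", "buildVersion": "build-42"}'
TRUNCATED = '{"scanner": "Veracode", "applicationName": "example-app"'

if __name__ == "__main__":
    for name, raw in (("template", TEMPLATE), ("filled", FILLED), ("truncated", TRUNCATED)):
        print(name, check_security_result_attributes(raw) or "ok")
```

Run it as an early pipeline step and fail the job when the returned list is not empty.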