Configure Veracode scans on your pipeline

  • Release version: Xanadu
  • Updated July 31, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Configure Veracode scans on your pipeline

    This guide explains how to configure Veracode security scans within your CI/CD pipelines across various orchestration tools including Azure DevOps, Jenkins, GitHub Actions, GitLab, and Harness. Integrating Veracode scans into your pipeline stages enables automated security testing with scan results automatically retrieved and reported in ServiceNow DevOps Change Velocity.

    Show full answer Show less

    Key Implementation Details

    • Azure DevOps: Add the ServiceNow DevOps Security Results extension task in your pipeline YAML file. Provide required attributes such as scanner (must be "Veracode"), applicationName (your Veracode app), and optionally buildVersion and securityToolId.
    • Jenkins: Use the Pipeline Syntax to generate a snippet for the snDevOpsSecurityResult step with Veracode-specific attributes. Ensure your existing Veracode scan step uses waitForScan: true to allow retrieval of scan results.
    • GitHub Actions: Incorporate the ServiceNow DevOps Security Results custom action from the GitHub Marketplace into your workflow YAML. Populate secrets for ServiceNow credentials and provide Veracode-specific security result attributes.
    • GitLab: Configure Veracode scans either by using a generic Docker container image or by following dedicated integration steps outlined in the GitLab security tool integration guide.
    • Harness: Use the generic Docker container image method to run a custom action step executing the Veracode scan results submission. Provide JSON-formatted pipeline info and security result attributes.

    Why This Matters

    Integrating Veracode scans directly into your pipeline automates security testing and enhances visibility by feeding scan data into ServiceNow DevOps. This streamlines vulnerability management, facilitates compliance, and helps reduce security risks early in the development lifecycle.

    Expected Outcomes

    • Automated triggering and retrieval of Veracode scan results within pipeline stages.
    • Seamless integration of security findings into ServiceNow DevOps Change Velocity dashboards.
    • Improved security posture through continuous and automated vulnerability assessment.
    • Support for multiple CI/CD tools with consistent configuration patterns tailored to each platform.

    Next Steps for Customers

    • Identify your pipeline orchestration tool and follow the respective integration instructions.
    • Ensure your Veracode application and scan details are correctly specified in the security result attributes.
    • For Azure DevOps and GitHub Actions, always add the custom action code; for Jenkins, verify the waitForScan flag is set to true if a Veracode scan step already exists.
    • Run the pipeline after configuration to confirm successful retrieval of Veracode scan results.

    Configure Veracode scans on your Azure DevOps, Jenkins, GitHub, GitLab, or Harness pipelines.

    You can configure Veracode scans on any stage of the pipeline and the scan details are retrieved from the corresponding stage to DevOps Change Velocity. If you are using Azure DevOps or GitHub Actions orchestration tools then you need to add the custom action code in your pipeline always. If you are using Jenkins, and your pipeline already has a Veracode security scan step, you do not have to add the custom action code in your pipeline. Ensure that your Veracode security scan step has waitForScan: true. This is required for the system to retrieve the scan information.

    If you want to configure Veracode for the GitLab tool, you can either use the generic Docker container image to add the Veracode security step or perform the steps specified in the Integrate security tools with GitLab topic.

    For Harness pipelines, you can configure Veracode scans only through the generic Docker Container Image. For more information, see Implement custom actions for pipelines using generic Docker container image.

    1. Navigate to the step in your pipeline and add the custom action.
      Azure DevOps
      1. Navigate to your pipeline .yml file.
      2. In the Tasks section on the right side, search for the ServiceNow DevOps Security Results extension task.
      3. Enter the ServiceNow endpoint.
      4. Enter the Security results attributes as the following.
        
    {
        "scanner": "Veracode", "applicationName": "", "buildVersion": "", "securityToolId": "" 
    }

        // scanner: Scanning tool and is required e.g. Veracode.

        // applicationName: Name of your Veracode application and is required. This attribute is applicable only for Veracode.

        // buildVersion: Veracode Scan name / build version and is optional. This attribute is applicable only for Veracode.

        // securityToolId: Security tool onboarded in ServiceNow (sys_id of the onboarded security tool) and is optional.

      5. Select Add to add the custom action code to your pipeline.
      Jenkins
      1. Navigate to the Pipeline Syntax from a configured pipeline.
      2. Select the snDevOpsSecurityResult step from the Sample Step list, and update the values for the security scan attributes in the step.
      3. Select Generate Pipeline Script to create a snippet. You can copy and paste the snippet into the pipeline.
        snDevOpsSecurityResult { 
securityResultAttributes:{"scanner":"Veracode", "applicationName": "", "buildVersion": "", "securityToolId": ""}}

        // scanner: Scanning tool and is required e.g. Veracode.

        // applicationName: Name of your Veracode application and is required. This attribute is applicable only for Veracode.

        // buildVersion: Veracode Scan name / build version and is optional. This attribute is applicable only for Veracode.

        // securityToolId: Security tool onboarded in ServiceNow (sys_id of the onboarded security tool) and is optional.
      GitHub Actions
      1. Navigate to your workflow .yml file.
      2. In the Marketplace section on the right side, search for the ServiceNow DevOps Security Results custom action.
      3. Add the following snippet into your .yml file.
        
    SecurityScanResults:
        needs: build
        runs-on: ubuntu-latest
        name: Servicenow Security Scan Results

    steps:
      - name: ServiceNow DevOps Security Results
        uses: ServiceNow/servicenow-devops-security-result@v1.39.0
        with:
            devops-integration-user-name: ${{ secrets.SN_DEVOPS_USER }}
            devops-integration-user-password: ${{ secrets.SN_DEVOPS_PASSWORD }}
            instance-url: ${{ secrets.SN_INSTANCE_URL }}
            tool-id: ${{ secrets.SN_ORCHESTRATION_TOOL_ID }}
            context-github: ${{ toJSON(github) }}
            job-name: 'Servicenow Security Scan Results'
            security-result-attributes: '{ "scanner": "Veracode", "applicationName": "", "buildVersion": "", "securityToolId": ""}

        // scanner: Scanning tool and is required e.g. Veracode.

        // applicationName: Name of your Veracode application and is required. This attribute is applicable only for Veracode.

        // buildVersion: Veracode Scan name / build version and is optional. This attribute is applicable only for Veracode.

        // securityToolId: Security tool onboarded in ServiceNow (sys_id of the onboarded security tool) and is optional.

      For more information, see GitHub marketplace.
      Harness Run the generic Docker Container Image to use the following script. For more information, see Implement custom actions for pipelines using generic Docker container image.
      - stage:
    name: ServiceNow DevOps Security Result
    identifier: Security
    description: ""
    type: Custom
    spec:
      execution:
        steps:
          - stepGroup:
              name: Security
              identifier: Security
              steps:
                - step:
                    type: Run
                    name: ServiceNow DevOps Security Result
                    identifier: ServiceNow_DevOps_Security_Result
                    spec:
                      connectorRef: docker_hub_connector_for_harness
                      image: servicenowdocker/sndevops:5.0.0
                      shell: Sh
                      command: |-
                        sndevopscli create securityScan -p  

                        "{"pipelineInfo":{
                            "buildNumber":"<+stage.nodeExecutionId>",
                            "taskExecutionUrl":"<+pipeline.executionUrl>?stage=<+stage.nodeExecutionId>", 
                            "orchestrationPipeline":"<+org.identifier>/<+project.identifier>/<+pipeline.name>" 
                          },
                          "securityResultAttributes":{
				"scanner":"Veracode",
				"applicationName":"",
				"buildVersion":"",
				"securityToolId":""
                          }
                        }"
                      envVariables:
                        SNOW_URL: <+variable.SNOW_URL>
                        SNOW_TOOLID: <+variable.SNOW_TOOLID>
                        SNOW_TOKEN: <+variable.SNOW_TOKEN>
              stepGroupInfra:
                type: KubernetesDirect
                spec:
                  connectorRef: kubernates_connector
                  namespace: harness-delegate-ng
    tags: {}
    2. Run the pipeline to retrieve the security scan results.