# Veracode MCP

> Veracode AppSec connects your AI agent directly to your application security data. Instead of clicking through dashboards, you ask conversational questions about flaws, vulnerabilities, and app status across SAST, DAST, and SCA reports.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** appsec, sast, dast, software-composition-analysis, code-security, devsecops

## Description

Your agent gets full read and write access to your Veracode environment, turning complex security reporting into simple conversation. You can ask for a list of all open security issues or check the mitigation status across static, dynamic, and component analyses for any application you track. Need to know what's wrong with one specific line of code? Give it a finding ID, and your agent explains the underlying error type, affected file, and how to fix it.

This isn't just about reading reports; it’s about managing your entire security posture conversationally. If you need to audit who has access or track which applications are running in testing environments, you can ask for a list of users or check available sandboxes. You never have to manually copy findings into a spreadsheet again. The platform that runs this MCP handles all credentials through a zero-trust proxy, meaning your sensitive API keys pass through only when needed and never sit on disk.

## Tools

### create_application
Creates a new application profile in Veracode so that an application can be tracked.

### delete_application
Permanently removes an existing application profile from the Veracode system.

### get_api_health
Checks and reports on the current connection status of your Veracode API access.

### get_application_details
Pulls a full profile for an application, including its criticality rating and deployment state.

### get_finding_details
Explains a specific vulnerability using a finding ID, covering the error type and fix guidance.

### list_applications
Retrieves a list of all application profiles tracked in your Veracode account.

### list_dynamic_analyses
Lists all configured dynamic (DAST) analyses, whether scheduled or currently running.

### list_sandboxes
Retrieves a list of testing environments linked to a specific application.

### list_security_findings
Gets an overall, unified security report containing all open findings for one application.

### list_veracode_users
Lists the user identities authorized to access your Veracode account.

## Prompt Examples

**Prompt:**
```
List all applications currently monitored in our Veracode account.
```

**Response:**
```
I've fetched 3 core tracked applications from your Veracode environment:
- 'Mobile-Banking-iOS' (GUID: 82a1...)
- 'Legacy-CRM-Core' (GUID: f3b9...)
- 'Auth-Microservice' (GUID: 11c2...)
Would you like me to pull the security finding logs specifically for 'Auth-Microservice'?
```

**Prompt:**
```
Get the detailed security profile for the application GUID 'f3b9...'.
```

**Response:**
```
Here is the detailed profile for GUID `f3b9-12aa-99bb`: This corresponds to 'Legacy-CRM-Core'. It currently has a 'Very High' Business Criticality rating. Its compliance policy dictates adherence to 'Veracode Recommended High'. However, its recent automated scan status indicates 'Did Not Pass' due to 12 unmitigated critical severity flaws.
```

**Prompt:**
```
Explain finding ID '89' from that app and how to fix it.
```

**Response:**
```
Finding ID '89' points to an Improper Neutralization of Input (CWE-79), better known as Stored Cross-Site Scripting (XSS). It was found in `user_profile.js` at line 144.

**Description:** Externally supplied, untrusted input is inserted directly into the browser DOM, where it executes as script.

**Remediation:** To fix this, sanitize the rendered variable `userInput` with a sanitization library such as `DOMPurify` before inserting it via `innerHTML`.

I can write a quick patch for line 144 if you'd like.
```

## Capabilities

### List tracked applications
Retrieves a list of all application profiles Veracode is currently monitoring.

### Get detailed app status
Provides a complete profile for one application, including its risk scores and compliance policy status.

### Find specific security flaws
Pulls precise details on a vulnerability using a finding ID, including the CWE error type and remediation steps.

### Check overall findings
Retrieves an aggregated list of all open security issues for an application across different scan types.

### Manage user accounts
Lists authorized users who have access to the Veracode account, which is useful for auditing roles.

## Use Cases

### The Developer needs a fix for a flaw.
A developer finds an issue and asks their agent to explain finding ID '89'. The agent runs `get_finding_details`, tells them it's Stored XSS, points out the exact file/line number, and suggests wrapping the variable in `DOMPurify`.

### The Security Manager needs an audit.
A CISO asks the agent to list all authorized users using `list_veracode_users`. The agent returns a clean summary of identities and their roles, fulfilling compliance requirements in seconds.

### The DevOps Engineer checks app status for deployment.
Before merging code, the engineer asks to check the risk profile. The agent uses `get_application_details` to confirm that 'Legacy-CRM-Core' has a 'Very High' criticality rating and to report whether any major flaws remain unmitigated.

### The Architect needs an app inventory.
An architect asks for all tracked applications. The agent runs `list_applications`, providing the list of GUIDs, letting them know exactly what parts of the business Veracode is watching.

## Benefits

- Stop copying and pasting. Instead of manually listing all open issues, use the `list_security_findings` tool to get an immediate, unified overview of every flaw for a given application.
- Pinpoint fixes instantly. When you have a suspicious finding ID, running `get_finding_details` gives you the CWE type and remediation code right away—no need to open three different vendor docs.
- Audit access without effort. If you need to know who has high-level access, just ask for a list of users using `list_veracode_users`. It summarizes role management data instantly.
- Manage your portfolio in bulk. Use `list_applications` to see everything tracked, and then use `get_application_details` on any GUID to check its business criticality rating before making changes.
- Verify the connection is live. If you're unsure if Veracode is working with your agent, running `get_api_health` confirms the API link is solid.

## How It Works

The bottom line is that you talk to it the way you would talk to a teammate who has already read every report for you.

1. Subscribe to this MCP and provide your API credentials.
2. Engage with your AI client by asking a specific security question (e.g., 'List all apps').
3. The agent processes the request, pulls the data, and gives you a human-readable summary of the findings.

## Frequently Asked Questions

**How do I use list_security_findings to check an app?**
You ask your agent to run `list_security_findings` for the application GUID you want. The agent gathers all open security issues (SAST, DAST, SCA) and gives you a summary of what's wrong.

**What is the difference between list_applications and get_application_details?**
`list_applications` just gives you a roster of GUIDs for all tracked apps. `get_application_details` takes one specific GUID and pulls its entire profile, like its risk scores and compliance policy.

**Can I use get_finding_details to find the fix?**
Yes. You provide the finding ID, and `get_finding_details` returns more than just the problem; it explains the CWE type and offers specific remediation steps.

**How do I check if my Veracode connection is working?**
Just ask your agent to run `get_api_health`. It confirms that the credentials you provided are active and correctly linked to your account.

**What is the process when I need to use `list_veracode_users`?**
This tool retrieves a list of all authorized Veracode identity users. It's useful for managing Role-Based Access Control (RBAC) and checking who has what permissions within your environment.

**What do I need to know before using `create_application`?**
You must provide the app schema and profile name as a JSON string. This action establishes a brand new Veracode application profile, setting up monitoring for an application that was not previously tracked.

**How does `list_dynamic_analyses` help me understand my scan coverage?**
It returns a list of all configured Dynamic Analysis (DAST) scans. This lets you see which web applications are covered by scheduled dynamic scans and how those scans are configured.

**Should I worry about calling `delete_application`?**
Yes, be careful; this action is irreversible. Using it permanently deletes a Veracode application profile container, so double-check that you don't need the data before running the command.