# Veracode MCP

> Veracode connects your AI agent directly into your AppSec ecosystem. You stop clicking through dashboards and start asking questions about code security, vulnerabilities, and application risk profiles conversationally. Get a unified view of flaws across SAST, DAST, and SCA tools instantly.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** appsec, sast, dast, software-composition-analysis, code-security, devsecops

## Description

You can give your AI client deep read and write access to your Veracode environment, moving app security management out of the console and into natural conversation. Instead of logging in and hunting through multiple tabs—one for component analysis, one for dynamic scans, another for static flaws—you simply ask about a specific application or vulnerability type. For instance, you can request a summary listing all open findings across Static, Dynamic, and Component analytics right away. If you spot an issue, you don't just get a vague ID; the agent pulls up the underlying CWE error, affected code strings, and even remediation steps for you. This capability, now available through Vinkius, lets your AI act like a dedicated security engineer sitting next to you. You can manage entire application portfolios by creating new profiles or checking general health status without ever touching a settings menu.

## Tools

### create_application
Creates a new Veracode profile container using the provided app schema and name.

### delete_application
Permanently removes a specified application from the Veracode ecosystem. This action cannot be undone.

### get_api_health
Checks the current operational status and connectivity health of your Veracode account.

### get_application_details
Retrieves a detailed profile, including risk scores, business criticality rating, and policy compliance for one app.

### get_finding_details
Gets precise technical details on a vulnerability, explaining the type, affected code file, path, and fix guidance.

### list_applications
Returns a comprehensive list of all Veracode AppSec Applications currently tracked in your account.

### list_dynamic_analyses
Lists all configured Dynamic Analysis (DAST) scans that are set up for your applications.

### list_security_findings
Retrieves a unified summary of security findings across an entire application's monitored scope.

### list_sandboxes
Lists every available testing sandbox that is linked to a specific application profile.

### list_veracode_users
Shows the list of authorized identity users who have access and roles within Veracode.

## Prompt Examples

**Prompt:** 
```
List all applications currently monitored in our Veracode account.
```

**Response:** 
```
I've fetched 3 core tracked applications from your Veracode environment: 
- 'Mobile-Banking-iOS' (GUID: 82a1...)
- 'Legacy-CRM-Core' (GUID: f3b9...)
- 'Auth-Microservice' (GUID: 11c2...)
Would you like me to pull the security finding logs specifically for 'Auth-Microservice'?
```

**Prompt:** 
```
Get the detailed security profile for the application GUID 'f3b9...'.
```

**Response:** 
```
Here is the detailed profile for GUID `f3b9-12aa-99bb`: This corresponds to 'Legacy-CRM-Core'. It currently has a 'Very High' Business Criticality rating. Its compliance policy dictates adherence to 'Veracode Recommended High'. However, its recent automated scan status indicates 'Did Not Pass' due to 12 unmitigated critical severity flaws.
```

**Prompt:** 
```
Explain finding ID '89' from that app and how to fix it.
```

**Response:** 
```
Finding ID '89' points to an Improper Neutralization of Input (CWE-79), better known as Stored Cross-Site Scripting (XSS). It was found in `user_profile.js` at line 144.

**Description:** Externally supplied, untrusted input is written directly into the browser DOM, where it executes as script.

**Remediation:** To fix this, sanitize the rendered variable `userInput` with a context-aware HTML sanitization library such as `DOMPurify` before injecting it via `innerHTML`.

I can write a quick patch for line 144 if you'd like.
```

## Capabilities

### Manage Application Profiles
List all tracked applications, create new ones before code commits, and retrieve detailed profile information like business criticality and deployment state.

### Trace Specific Vulnerabilities
Retrieve a unified list of security flaws across an application and get deep details on specific findings, including the CWE error and necessary fixes.

### Review Scan Statuses
List configured Dynamic Analysis scans or poll for real-time execution bounds of scheduled Web Application Security tests.

### Identify Authorized Users
Audit the system by listing all users with Veracode access to manage roles and permissions.

## Use Cases

### Auditing App Risk Across the Board
A CISO needs to report on application risk before a board meeting. They ask their agent: 'List all applications and tell me which ones are marked as Very High business criticality.' The MCP uses `list_applications` followed by `get_application_details` for every result, giving them a single, summarized list of high-risk assets.

### Pinpointing the Root Cause of a Flaw
A developer sees an error ID and needs to fix it fast. They ask: 'What does finding ID 89 mean, and how do I patch it?' The agent calls `get_finding_details`, returning the CWE type, the exact file/line number, and a full remediation tutorial.

### Reviewing App Deployment Readiness
A DevSecOps engineer needs to know if their new microservice is ready for production. They ask: 'What's the current security status of the Auth-Microservice?' The agent calls `list_security_findings` and summarizes any open issues across all three scan types.

### Managing User Access
A security manager needs to verify who has admin rights. They ask: 'Who are the authorized users in Veracode?' The agent calls `list_veracode_users` and presents a clean, readable list of all active accounts.

## Benefits

- Get an immediate, unified view of all open security issues by asking the agent to list findings across SAST, DAST, and SCA tools. You skip opening ten different dashboards just to get a summary.
- Drill down into flaws with `get_finding_details`. Instead of reading vague error codes, you immediately get an explanation of the underlying CWE error, affected code strings, and automated remediation steps.
- Manage your entire portfolio easily. Use `list_applications` and then `get_application_details` to check a project's risk score, business criticality rating, or compliance policy status in one chat session.
- Accelerate the development cycle by letting your agent read flaws directly from reports when you’re coding. You can use this capability within Cursor or other IDEs.
- Keep an eye on environment readiness. The MCP lets you list sandboxes and poll for dynamic scan execution bounds, ensuring your testing environments are actually running what they should be.

## How It Works

The bottom line is that your AI agent translates complex security APIs into simple chat commands.

1. Subscribe to this MCP and securely provide your Veracode API ID and API Secret key pair.
2. Connect your preferred AI client (Claude, Cursor, Windsurf, etc.) to the Vinkius catalog.
3. Engage directly with your agent by querying security questions—for example, asking to list all apps or explain a specific finding.

## Frequently Asked Questions

**How do I list all the applications monitored in Veracode using the Veracode MCP?**
You use the `list_applications` tool. This command pulls a full list of every AppSec Application currently tracked, giving you the GUIDs you need for further lookups.

**Can I get detailed information about a specific finding using Veracode MCP?**
Yes, use `get_finding_details`. You just give it the flaw ID, and the agent returns the vulnerability type (CWE), affected code, severity rating, and remediation guidance.

**What is the difference between listing applications and getting application details with Veracode MCP?**
`list_applications` gives you a simple list of names and GUIDs. `get_application_details` takes one of those GUIDs and returns deep metadata, like its business criticality rating or compliance policy.

**If I want to delete an app profile, which tool do I use with the Veracode MCP?**
You use `delete_application`. Be warned, this action is irreversible, so make sure you know what you're deleting before confirming.

**How can I check if my API connection to Veracode works with the Veracode MCP?**
Run `get_api_health`. This tool checks the current status of your connection and confirms that the necessary credentials are valid for use.