Configure ISM
Your Veracode Internal Scanning Management (ISM) configuration consists of a gateway, which is the access point to the Veracode cloud, and endpoints, which connect Veracode to your internal applications or REST APIs.
Before you begin:
Before you install an endpoint on a machine, verify that the machine can reach the URLs you want to scan. Open the URLs in a web browser and, if the machine cannot connect to the URLs, ask your IT administrator to enable the connection.
Veracode recommends that you create only one gateway.
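On an endpoint host with no browser, such as a Linux machine without a GUI, the reachability check above can be scripted. This is an added example, not Veracode code: it tests only direct DNS resolution and a TCP connection from this machine (not a proxy path and not the HTTP response), and the function names, file name and sample hostname are assumptions.

```python
#!/usr/bin/env python3
# Added example (not Veracode code): pre-flight reachability check for scan URLs.
import socket
import sys
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def target_of(url):
    """Return (host, port) for a scan URL; raise ValueError if it is not usable."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def check_url(url, timeout=5.0):
    """Classify one URL as 'ok', 'dns-failure', 'blocked' or 'invalid'."""
    try:
        host, port = target_of(url)
        addrinfo = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"  # this machine cannot resolve the hostname
    except ValueError:
        return "invalid"      # bad scheme, port or hostname (includes UnicodeError)
    for family, socktype, proto, _, sockaddr in addrinfo:
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
                return "ok"   # TCP handshake completed
        except OSError:
            continue          # refused, filtered or timed out; try next address
    return "blocked"


def preflight(urls, timeout=5.0):
    """Map each URL to its status; anything other than 'ok' needs follow-up."""
    return {url: check_url(url, timeout) for url in urls}


if __name__ == "__main__":
    # Usage (hypothetical file name): python3 ism_preflight.py https://app.internal.example/
    results = preflight(sys.argv[1:])
    for url, status in results.items():
        print(f"{status:12} {url}")
    sys.exit(0 if results and all(s == "ok" for s in results.values()) else 1)
```

A `dns-failure` result points to name resolution on the endpoint machine, while `blocked` points to a firewall or routing rule, which tells your IT administrator which connection to enable.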
To complete this task:
1. From the gear icon menu at the top of the Veracode Platform, select Internal Scanning Management.
2. Select Configure Internal Scanning.
3. Enter the name and description of the gateway. Then, select Next.
   Note: ISM only supports ASCII characters, not UTF-8, for the names and descriptions of gateways and endpoints.
4. Enter the name and description of the endpoint you want to connect to this gateway.
5. Select the platform of the machine running the endpoint. If you do not use Windows or Linux, select Other to perform a manual endpoint installation.
   If you select Other, go directly to Manually Install an Endpoint.
6. Select Next.
7. Complete these steps to start the installer:
   a. Select Download to download the ZIP file containing the installer.
   b. Select Copy in the text box in step 2.3 to copy your endpoint key to your clipboard.
   c. Move the downloaded ZIP file to a machine behind your firewall with access to your internal applications or REST APIs.
   d. Extract the ZIP file.
   e. Open the installer file.
      - For Windows machines, the filename is veracode_ism_install.bat.
      - For Linux machines, the filename is veracode_ism_install.sh.
      If you have insufficient permissions to create the service, run the file as an administrator. If you are using a Linux machine without a GUI wrapper, Veracode recommends you open the installer with this command:
      sudo -s ./veracode_ism_install.sh
8. After you launch the installer, complete the following steps to install the endpoint:
   For Linux machines without a GUI wrapper, opening the installer prompts you to provide the information listed in these steps on the command line.
   a. Read the terms of use for the endpoint, select the checkbox, and select Next.
   b. Verify the installation folder and Java home are correct or select your preferred folders and select Next. If the installer cannot automatically detect the Java home, you must specify it.
   c. If you use a proxy, select Manual configuration.
   d. If you select Manual configuration:
      - Enter your proxy hostname and port number.
      - If you want to use the proxy only for communication between the endpoint and gateway:
         - Select For gateway connection.
         - If you want the proxy to resolve the gateway hostname, which means you need to allow only the gateway hostname, clear the Let endpoint resolve hostname for gateway checkbox. If you do not clear it, you must include the hostname and IP address of the gateway in your allowlist.
      - If you want to use the proxy for communication between the endpoint and gateway and between the endpoint and the URLs you scan:
         - Select For gateway and URL connections.
         - If you want the proxy to resolve the gateway or URL hostnames, which means you need to allow only the hostname for the gateway and the URLs you scan, clear the Let endpoint resolve hostname for gateway or Let endpoint resolve hostname for URLs checkboxes. If you do not clear them, you must include the hostname and IP address of the gateway and URLs in your allowlist.
      - If the proxy requires authentication, select Authentication Required and then enter your proxy credentials.
   e. Select Next.
   f. Paste the endpoint key you copied in step 7 and select Next.
      If you did not copy the endpoint key, go to the gateway page in the Veracode Platform, select the Actions menu for this endpoint, and select Copy Endpoint Key.
   g. When the key validates, select Install.
   h. Select Close.
The gateway and endpoint you created now appear on the Internal Scanning Management page.
The gateway may have a status of Initializing for a few minutes after you create it. The endpoint has a status of Pending until you successfully deploy it. When you successfully deploy the endpoint, it has a status of Ready.
Next steps:
If the endpoint fails to connect to the gateway, your organization may need to add the gateway IP address or domain name to your allowlist. The IP address and domain are visible from the Internal Scanning Management page and the gateway page.
You can now create the following Dynamic Analyses for internal scanning: