Import Flaws into Azure DevOps

Ticketing Systems

You can add the Veracode Flaw Importer task to your Azure DevOps and Team Foundation Server (TFS) build pipelines. The task uses the Veracode Azure DevOps Extension to automate the import of flaws from Veracode Static Analysis in your Software Development Life Cycle.

Before you can import flaws into Azure DevOps, you must meet these prerequisites:
  • Ensure these projects are in the same Azure DevOps organization or TFS team project collection:
    • The project to which the running release or build job belongs, where the Flaw Importer task is running
    • The project to which you want to import the flaws
  • You have installed the Veracode Azure DevOps Extension.
  • You have generated Veracode API credentials. If your credentials contain variables, you must start each variable with a $ and wrap the variable value in parentheses. For example, you enter the id variable as $(Id).
The Veracode Flaw Importer task supports generating work items based on the Agile, Scrum, and CMMI process templates in Azure DevOps. You can customize the default fields in the process templates, such as changing the state names to match the names of your actual states and their transitions.
Note: The Flaw Importer task does not support new, required custom fields. If you add new, required custom fields to a process template, the import task fails.

You can also use YAML to integrate the Veracode Flaw Importer task.

To add the Veracode Flaw Importer task in an Azure DevOps or TFS build pipeline:

  1. In your Azure DevOps or TFS project, go to your build definition.
  2. Add Veracode Flaw Importer as a build task.
  3. Click the Import flaws task to open the Veracode Flaw Importer window.


  4. Enter this information in the Veracode Flaw Importer window:
    1. Connection Details:
      1. Select a connection source for connecting to Veracode:
        • Service Connection: select an existing service connection that uses your Veracode API credentials or click New to create a new service connection. For a new connection, in the New service connection window, by default, the Server URL is populated with the URL for accessing Veracode. Enter your Veracode API credentials, a name for the service connection and, then, click Save. The new connection is selected in the Select Service Connection dropdown menu.
        • Credentials: enter your Veracode API credentials. If you use variables for your credentials, you must start each variable with a $ and wrap the variable value in parentheses. For example, for a variable named id, enter $(Id).
    2. Flaw Source: enter the application name and sandbox name, if applicable, for which you want to import flaws from Veracode.
    3. Work Item Settings:
      • Import: select the type of flaws you want to import:
        • All Flaws, including mitigated and remediated flaws, from all scans. During the import process, the extension changes the state of the work items for all mitigated and remediated flaws to resolved or closed. This option imports all flaws without any restrictions.
        • All Unmitigated Flaws from all scans.
        • All Flaws Violating Policy, including all open flaws from all scans that affect policy.
        • All Unmitigated Flaws Violating Policy, including open flaws from all scans that affect policy. Selected by default.
        Note: The Flaw Importer task does not import vulnerabilities from Veracode Software Composition Analysis (SCA) scans as work items.

        When generating new work items for imported flaws, the extension also imports mitigation and annotation comments. If you add comments to a previously imported flaw with work items, the extension does not import the new comments to work items during subsequent flaw imports.

      • Work Item Type: select a work item type to apply to all imported flaws:
        Note: The Scrum process template does not support the Issue work item type. Also, the Veracode Flaw Importer task can only import flaws to customized work item types that do not contain required fields. If your customized work item types contain required fields, you must select different work item types that do not contain required fields, or the flaws fail to import.
      • Area: enter the path to the area where you want to group the work items. You can enter up to five levels in the path. To enter the area paths, use the format <project name>\<area 1>\<area 2>. The value in <project name> is the name of the project in the Build Pipeline or Release Pipeline task for which you want to import flaws.
    4. Add CWE as a Tag checkbox: add a tag with the CWE number to all the work items generated from the current build.
    5. Add Custom Tag: enter a custom tag name to add user-defined tags to all work items generated from current build.
    6. Add Found in Build checkbox: add a tag to the work item showing the build number of the build that contains the flaw.
    7. Flaw Import Limit: enter the maximum number of flaws to import at one time. The default is 1000.
    8. Advanced Scan Settings:
      • Proxy Settings: if you use a proxy to access Veracode, enter the proxy settings. For example:
        -phost abc.com - pport 5252 -puser proxyuser -ppassword proxypassword
        Note: Do not enclose any of the values in single or double quotations.
      • Team Foundation Server Password: do not change this value from the default of $(password).
  5. If you are using TFS, click the Variables tab. If using Azure DevOps, go directly to step 8.
  6. If you are using TFS 2017 or higher, set the enabletfs variable to true.
  7. If you are using TFS 2015, configure these variables:
    • enabletfs: enter true.
    • isTfs2015: enter true.
    • username: enter your Windows username.
    • password: enter your Windows password.
    • domain: enter the Windows domain.


  8. If you are using customized process templates, configure these predefined variables on the Variables tab in your build or release configuration:
    Note: The names of these predefined variables must match the variable names in your customized process templates.
    • enableCustomProcessTemplate: enter true to enable.
    • customWorkItemType: enter the work item type:
      • Bug
      • Epic
      • Feature
      • Issue
      • Task
      • Test Case
    • customPTActiveStatus: enter the state for in progress or active work.
    • customPTNewStatus: enter the state for new or proposed work.
    • customPTResolvedStatus: enter the state for resolved work.
    • customPTDesignStatus: enter the state for work in design or test.
    • customPTCloseStatus: enter the state for completed work.

    You configure these variables for the work item type (WIT) of which you are creating work items in your build or release configuration. The variables ensure that flaws import correctly if the status of a work item changes. See the Azure DevOps documentation for information on the work item states.

    For example, you might have a Bug work item with these state changes.


    Example state changes for a customized Bug work item.

    In your build or release configuration, you configure these variables in the customized process template for the Bug work item.


    Example predefined variables for a customized Bug work item.
  9. Click Save & queue to save your configurations and add the build to your queue.
After the flaw import task has completed successfully, the work items related to flaws in a given application appear in Azure DevOps or TFS. In Azure DevOps, you can search on the Work or Queries pages, for example, to find the work items you created.

Example Veracode flaw work items in Azure DevOps.

You can use a variable to prevent a password from appearing in a console log. See Hide a Proxy Password.