Import Flaws into Azure DevOps

Ticketing Systems

The Veracode Azure DevOps Extension automates the upload of your code from Azure DevOps to Veracode for scanning, enabling you to integrate Veracode Static Analysis into your software development lifecycle. The extension can also import flaws into Azure DevOps as work items.

Before you begin

These items should be in the same TFS team project collection:
  • The project to which the running release or build job belongs, where the Flaw Importer task is running.
  • The project to which you want to import the flaws.
A TFS team project collection is also known as an organization in Azure DevOps.

About this task

To be able to use the Veracode Azure DevOps Extension flaw import feature in the on-premise version of Visual Studio Team Foundation Services (TFS) 2015.2 and later, you must configure additional build parameters as part of the build definition.

To configure build parameters for flaw import use:


  1. In your project, go to the Build tab and navigate to your build definition. Select Add build step....
  2. Select Import flaws and click Add.
  3. In the Import flaws window on the right, provide the following information:
    1. Connection details: Choose to connect to Veracode using an endpoint or your Veracode credentials. If connecting using an endpoint, enter an existing endpoint name or click Manage to create a new endpoint.
    2. Flaw Source: Enter the application name and, if applicable, the sandbox name, from which you want to import the flaws.
    3. Work Item Generation Settings:
      • Select the type of flaws you want to import:
        • All flaws (from all scans, including closed flaws)
        • All unmitigated flaws (from all scans, including closed flaws)
        • All flaws that affect policy (all open flaws from all scans that affect policy)
        • All unmitigated flaws that affect policy (all unmitigated, open flaws from all scans that affect policy)
      • Area: Enter the path to the area where you want to group the work items. You can enter up to five levels in the path. To enter the area paths, use the format <project name>\<area 1>\<area 2>. The value in <project name> refers to the name of the project for which you want to import flaws that was added in the Build Pipeline or Release Pipeline task. Prerequisites describes the requirements for projects.
    4. Advanced Scan Settings: In this section you can enter:
      • Proxy settings, if applicable (-puser, -pport, -phost, -ppassword)
      • Team Foundation Server password


After you provide the required information, queue the build and TFS imports all the flaws. The imported flaws are then visible in the work items list of the specified area.
The flaws appear in the work items list.