We use Veracode primarily for three purposes:
- Static Analysis, which is integrated into our CI/CD pipeline, using APIs.
- Every release gets certified for a static code analysis and dynamic code analysis. There is a UAT server, where it gets deployed with the latest release, then we perform the dynamic code scanning on that particular URL.
- Software Composition Analysis: We use this periodically to understand the software composition from an open source licensing and open source component vulnerability perspective.