---
# Naftiko capability: wraps the Veracode Applications, Findings and Reporting
# REST APIs and re-exposes a subset of their operations as a REST API
# (port 8080) and as an MCP server (port 9090).
# NOTE(review): the nesting below is laid out from key order (binds as a
# top-level sibling of info and capability) - confirm against the schema.
naftiko: '1.0.0-alpha2'
info:
  label: Veracode DevSecOps Pipeline
  description: >-
    Unified workflow capability for integrating Veracode application security
    into DevSecOps pipelines. Enables development teams and security engineers
    to automate application onboarding, trigger security scans, retrieve
    findings filtered by severity and policy compliance, and generate
    compliance reports — all through a single unified API. Combines the
    Applications, Findings, and Reporting APIs.
  tags:
    - Veracode
    - DevSecOps
    - Application Security
    - SAST
    - DAST
    - CI/CD
  created: '2026-05-03'
  modified: '2026-05-06'

# The Veracode API credential pair is referenced by environment-variable name
# only; no secret value is stored in this file.
binds:
  - namespace: env
    keys:
      VERACODE_API_ID: VERACODE_API_ID
      VERACODE_API_KEY: VERACODE_API_KEY

capability:
  # All three consumers below sign requests with the same HMAC credential
  # pair, so whatever that credential is allowed to do upstream bounds what
  # callers of the exposed endpoints can do. Prefer a dedicated credential
  # scoped to the operations this file actually exposes.
  consumes:
    - type: http
      namespace: veracode-applications
      baseUri: https://api.veracode.com
      description: Veracode Applications REST API
      authentication:
        type: hmac
        apiId: '{{VERACODE_API_ID}}'
        apiKey: '{{VERACODE_API_KEY}}'
      resources:
        - name: applications
          path: /appsec/v1/applications
          description: Application portfolio management
          operations:
            # modified_after, page and size are declared here but are not
            # mapped by any exposed operation in this file.
            - name: list-applications
              method: GET
              description: List all applications in portfolio with filtering
              inputParameters:
                - name: name
                  in: query
                  type: string
                  required: false
                  description: Filter by application name
                - name: policy_compliance
                  in: query
                  type: string
                  required: false
                  description: Filter by policy compliance status
                - name: tag
                  in: query
                  type: string
                  required: false
                  description: Filter by tag
                - name: modified_after
                  in: query
                  type: string
                  required: false
                  description: Filter by modification date
                - name: page
                  in: query
                  type: integer
                  required: false
                  description: Page number
                - name: size
                  in: query
                  type: integer
                  required: false
                  description: Page size
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            # State-changing. The caller-supplied profile object is placed in
            # the request body as-is; no field-level validation is declared.
            # NOTE(review): the body template reads from the `tools.`
            # namespace, while the REST operation passes `rest.profile` via
            # `with` - confirm the template resolves on the REST path too.
            - name: create-application
              method: POST
              description: Create a new application profile
              inputParameters: []
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  profile: '{{tools.profile}}'
        - name: application-by-id
          path: /appsec/v1/applications/{applicationGuid}
          description: Individual application management
          operations:
            - name: get-application
              method: GET
              description: Get details for a specific application
              inputParameters:
                - name: applicationGuid
                  in: path
                  type: string
                  required: true
                  description: Application GUID
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            # State-changing; not referenced by any `exposes` entry in this
            # file.
            - name: update-application
              method: PUT
              description: Update an application profile
              inputParameters:
                - name: applicationGuid
                  in: path
                  type: string
                  required: true
                  description: Application GUID
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  profile: '{{tools.profile}}'
            # Destructive; not referenced by any `exposes` entry in this file.
            - name: delete-application
              method: DELETE
              description: Delete an application profile
              inputParameters:
                - name: applicationGuid
                  in: path
                  type: string
                  required: true
                  description: Application GUID
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: policy-compliance
          path: /appsec/v1/applications/{applicationGuid}/policy_compliance
          description: Application policy compliance status
          operations:
            - name: get-policy-compliance
              method: GET
              description: Get policy compliance evaluation for an application
              inputParameters:
                - name: applicationGuid
                  in: path
                  type: string
                  required: true
                  description: Application GUID
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.

    - type: http
      namespace: veracode-findings
      baseUri: https://api.veracode.com
      description: Veracode Findings REST API
      authentication:
        type: hmac
        apiId: '{{VERACODE_API_ID}}'
        apiKey: '{{VERACODE_API_KEY}}'
      resources:
        - name: findings
          path: /appsec/v2/applications/{applicationGuid}/findings
          description: Application security findings
          operations:
            # NOTE(review): no page/size inputs are declared for this
            # operation. If the upstream response is paginated, only the first
            # page would come back - confirm, since a partial findings list
            # can understate risk in a compliance check.
            - name: list-findings
              method: GET
              description: List security findings for an application with filtering
              inputParameters:
                - name: applicationGuid
                  in: path
                  type: string
                  required: true
                  description: Application GUID
                - name: scan_type
                  in: query
                  type: array
                  required: false
                  description: 'Filter by scan type: STATIC, DYNAMIC, MANUAL, SCA'
                - name: severity
                  in: query
                  type: integer
                  required: false
                  description: Filter by severity level 0-5
                - name: severity_gte
                  in: query
                  type: integer
                  required: false
                  description: Minimum severity level
                - name: cwe
                  in: query
                  type: string
                  required: false
                  description: Filter by CWE ID
                - name: violates_policy
                  in: query
                  type: boolean
                  required: false
                  description: Only policy-violating findings
                - name: new
                  in: query
                  type: boolean
                  required: false
                  description: Only new findings
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: dynamic-flaw-info
          path: /appsec/v2/applications/{applicationGuid}/findings/{issueId}/dynamic_flaw_info
          description: Dynamic analysis flaw details
          operations:
            # Not referenced by any `exposes` entry in this file.
            - name: get-dynamic-flaw-info
              method: GET
              description: Get detailed dynamic analysis vulnerability information
              inputParameters:
                - name: applicationGuid
                  in: path
                  type: string
                  required: true
                  description: Application GUID
                - name: issueId
                  in: path
                  type: integer
                  required: true
                  description: Finding issue ID
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: static-flaw-info
          path: /appsec/v2/applications/{applicationGuid}/findings/{findingId}/static_flaw_info
          description: Static analysis flaw code paths
          operations:
            # Reachable only through the MCP tool of the same name.
            - name: get-static-flaw-info
              method: GET
              description: Get static analysis flaw code path data
              inputParameters:
                - name: applicationGuid
                  in: path
                  type: string
                  required: true
                  description: Application GUID
                - name: findingId
                  in: path
                  type: integer
                  required: true
                  description: Finding ID
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.

    - type: http
      namespace: veracode-reporting
      baseUri: https://api.veracode.com
      description: Veracode Reporting REST API
      authentication:
        type: hmac
        apiId: '{{VERACODE_API_ID}}'
        apiKey: '{{VERACODE_API_KEY}}'
      resources:
        - name: reports
          path: /appsec/v1/analytics/report
          description: Asynchronous security report generation
          operations:
            # State-changing: each call submits a new report request.
            # NOTE(review): the body template reads from the `tools.`
            # namespace, while the REST operation passes `rest.*` values via
            # `with` - confirm the template resolves on the REST path too.
            - name: generate-report
              method: POST
              description: Submit a report generation request
              inputParameters: []
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  report_type: '{{tools.report_type}}'
                  scan_type: '{{tools.scan_type}}'
                  status: '{{tools.status}}'
                  severity: '{{tools.severity}}'
        - name: report-by-id
          path: /appsec/v1/analytics/report/{reportId}
          description: Report retrieval
          operations:
            # page and size are declared here but are not mapped by the
            # exposed get-report operations in this file.
            - name: get-report
              method: GET
              description: Retrieve a generated report by ID
              inputParameters:
                - name: reportId
                  in: path
                  type: string
                  required: true
                  description: Report ID from generate request
                - name: page
                  in: query
                  type: integer
                  required: false
                  description: Page number
                - name: size
                  in: query
                  type: integer
                  required: false
                  description: Page size
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.

  exposes:
    # NOTE(review): no authentication or TLS setting is declared on this
    # listener in this file, while every call is forwarded upstream with the
    # bound Veracode credentials. Confirm that access control is enforced
    # elsewhere (gateway, network policy) before the port is reachable from
    # outside a trusted network.
    - type: rest
      port: 8080
      namespace: veracode-devsecops-api
      description: Unified REST API for DevSecOps pipeline security automation.
      resources:
        - path: /v1/applications
          name: applications
          description: Application portfolio management
          operations:
            - method: GET
              name: list-applications
              description: List all applications with policy compliance filtering
              call: veracode-applications.list-applications
              with:
                name: rest.name
                policy_compliance: rest.policy_compliance
                tag: rest.tag
              outputParameters:
                - type: object
                  mapping: $.
            # State-changing: creates an application profile upstream.
            - method: POST
              name: create-application
              description: Create a new application profile
              call: veracode-applications.create-application
              with:
                profile: rest.profile
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/applications/{applicationGuid}
          name: application-by-id
          description: Individual application management
          operations:
            - method: GET
              name: get-application
              description: Get application details
              call: veracode-applications.get-application
              with:
                applicationGuid: rest.applicationGuid
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/applications/{applicationGuid}/policy-compliance
          name: policy-compliance
          description: Policy compliance status
          operations:
            - method: GET
              name: get-policy-compliance
              description: Get policy compliance for an application
              call: veracode-applications.get-policy-compliance
              with:
                applicationGuid: rest.applicationGuid
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/applications/{applicationGuid}/findings
          name: findings
          description: Security findings from all scan types
          operations:
            # Maps fewer filters than the MCP list-findings tool: `cwe` is
            # not passed through here.
            - method: GET
              name: list-findings
              description: List findings with severity and scan type filtering
              call: veracode-findings.list-findings
              with:
                applicationGuid: rest.applicationGuid
                scan_type: rest.scan_type
                severity_gte: rest.severity_gte
                violates_policy: rest.violates_policy
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/reports
          name: reports
          description: Security compliance reports
          operations:
            # State-changing: submits a report generation request upstream.
            - method: POST
              name: generate-report
              description: Generate an async security report
              call: veracode-reporting.generate-report
              with:
                report_type: rest.report_type
                scan_type: rest.scan_type
                status: rest.status
                severity: rest.severity
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/reports/{reportId}
          name: report-by-id
          description: Retrieve generated reports
          operations:
            - method: GET
              name: get-report
              description: Get report results by ID
              call: veracode-reporting.get-report
              with:
                reportId: rest.reportId
              outputParameters:
                - type: object
                  mapping: $.

    # NOTE(review): as with the REST listener, no authentication or TLS
    # setting is declared here and the transport is plain `http`. The tools
    # return findings and flaw code-path data, which is sensitive
    # vulnerability detail; restrict who can reach this port. Tools marked
    # `readOnly: false` change state upstream, so MCP clients should require
    # explicit confirmation before invoking them.
    - type: mcp
      port: 9090
      namespace: veracode-devsecops-mcp
      transport: http
      description: MCP server for AI-assisted DevSecOps security automation and vulnerability triage.
      tools:
        - name: list-applications
          description: List Veracode applications, optionally filtered by policy compliance status or name
          hints:
            readOnly: true
            openWorld: true
          call: veracode-applications.list-applications
          with:
            name: tools.name
            policy_compliance: tools.policy_compliance
            tag: tools.tag
          outputParameters:
            - type: object
              mapping: $.
        - name: get-application
          description: Get details for a specific Veracode application by GUID
          hints:
            readOnly: true
            idempotent: true
          call: veracode-applications.get-application
          with:
            applicationGuid: tools.applicationGuid
          outputParameters:
            - type: object
              mapping: $.
        # State-changing tool.
        - name: create-application
          description: Create a new application profile in the Veracode Platform
          hints:
            readOnly: false
            idempotent: false
          call: veracode-applications.create-application
          with:
            profile: tools.profile
          outputParameters:
            - type: object
              mapping: $.
        - name: get-policy-compliance
          description: Get policy compliance evaluation status for an application
          hints:
            readOnly: true
            idempotent: true
          call: veracode-applications.get-policy-compliance
          with:
            applicationGuid: tools.applicationGuid
          outputParameters:
            - type: object
              mapping: $.
        - name: list-findings
          description: List security findings for a Veracode application, filterable by scan type, severity, CWE, and policy violations
          hints:
            readOnly: true
            openWorld: true
          call: veracode-findings.list-findings
          with:
            applicationGuid: tools.applicationGuid
            scan_type: tools.scan_type
            severity_gte: tools.severity_gte
            cwe: tools.cwe
            violates_policy: tools.violates_policy
          outputParameters:
            - type: object
              mapping: $.
        - name: get-static-flaw-info
          description: Get static analysis flaw code path details for a specific finding
          hints:
            readOnly: true
            idempotent: true
          call: veracode-findings.get-static-flaw-info
          with:
            applicationGuid: tools.applicationGuid
            findingId: tools.findingId
          outputParameters:
            - type: object
              mapping: $.
        # State-changing tool.
        - name: generate-security-report
          description: Generate an asynchronous security findings or compliance report
          hints:
            readOnly: false
            idempotent: false
          call: veracode-reporting.generate-report
          with:
            report_type: tools.report_type
            scan_type: tools.scan_type
            status: tools.status
            severity: tools.severity
          outputParameters:
            - type: object
              mapping: $.
        - name: get-security-report
          description: Retrieve a generated security report by ID
          hints:
            readOnly: true
            idempotent: true
          call: veracode-reporting.get-report
          with:
            reportId: tools.reportId
          outputParameters:
            - type: object
              mapping: $.