Skip to main content

Help us improve the Digital Marketplace - send your feedback

  1. Digital Marketplace
  2. Lot 2: Cloud software
  3. Static Application Security Testing (SAST)
tmc3 Limited

Static Application Security Testing (SAST)

Veracode Static Analysis (SAST) is an enterprise-class application security solution, which allows DevOps teams to shift-left in their security approach. Veracode Static Analysis provides fast, automated feedback to developers in the IDE and CI/CD pipeline, conducts a full Policy Scan before deployment, and gives clear guidance to fix issues fast.


  • Veracode Static Application Security Testing (SAST): identify and remediate vulnerabilities
  • Veracode Pipeline Scanning: SAST for build pipeline
  • Veracode IDE Scanning: integrated continuous flaw feedback and education solution
  • Pipeline scan provides security-feedback on code at a team level
  • Just-in-time learning to empower developers to remediate faster
  • Veracode Discovery – quickly inventory Internet-facing applications
  • Interactive Developer Training – Help developers write secure code
  • 9-Time Leader in the Gartner Magic-Quadrant for application security scanning
  • Provides visibility into application status across all testing types
  • Automated security feedback to developers in the IDE and pipeline


  • Shift-left in your Secure Software Development Lifecycle (SSDLC)
  • Develop better quality and more secure software, faster
  • Manage risks of using open source / third party code
  • Industry Leading Accuracy: Veracode’s false positive rate is around 1%
  • Veracode is the only native SaaS application security solution
  • Reduce remediation time by up to 90%
  • Manage risk and satisfy compliance requirements, without interrupting developer workflows
  • Median scan time of 90 seconds enables quicker code fix
  • Comprehensive integrations with Development, Security and Operations
  • Remove development re-work, reducing cost and improving output


£225 to £7,754 a unit a year

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

8 1 7 6 2 2 5 0 2 0 1 3 1 2 2


tmc3 Limited Nathan Tittensor
Telephone: 0113 8730449

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
Veracode is a Cloud service that does not require the installation of hardware. Maintenance windows are advised in advance to users. Uptime can be monitored here:

Supported integrations are detailed at
System requirements
  • Web browser
  • whitelisting e.g. or
  • Software packaged in accordance to our compilation guide at
  • Supported languages and frameworks listed at for technologies
  • Full list of requirements for tool chain support at

User support

Email or online ticketing support
Yes, at extra cost
Support response times
Technical Support response times are details here:
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Without purchase of a designated customer success bundle, the buyer will receive entry-level support to address any issues that relate to service disruption and necessary bug fixes and service restoration. Service levels for entry-level support is detailed at the following address: We recommend to all buyers that they include an appropriate Customer Success Bundle, based on licence requirements to meet their likely needs. Scanning software with Veracode is easy. A user can receive results within minutes, and in some cases seconds. Application security though is hard. Helping to instil a secure-by-design culture, that embraces continuous feedback is not easy. Software and technical environments may be complex. We support over 100 languages and frameworks. From time-to-time, the buyer organisation's engineers will most likely need guidance about which configuration is optimal. Developers often need to challenge and be listened to. A tool alone cannot meet the need of development teams to engage in dialogue and receive coaching on best practice. Veracode offers different tiers of service packages to match the number of applications that are being assessed. These cover 'Advanced Technical Support', 'Remediation Coaching' and 'Security Programme Management'.
Support available to third parties

Onboarding and offboarding

Getting started
As Veracode offers a SaaS platform, there is limited setup. Customers can scan their applications through several integrations, including automated pipelines.

The Veracode Security Programme Manager (SPM) can provide on-boarding assistance. The SPM will schedule an on-boarding call to give the development team a demo of the Veracode platform and make sure that platform accounts are created. An Upload Call is highly encouraged for an application’s first scan. Veracode Security Consultants will provide advice on how to configure and submit binaries for scanning to ensure full coverage and quality. Contact for scheduling with your availability. Online training and help materials are available to assist on-boarding of users and applications. Onsite training and consultation is available subject to prior agreement.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Customers can download all their previous scan data and reports from the Veracode browser console, or via the API at the end of the contract. This is the responsibility of the customer.

Data can be extracted via XML, PDF, and XLS files. This can be retrieved via the user interface or by API calls.
End-of-contract process
No additional costs.

Except for the Statistical Data, Veracode shall destroy data using industry standard methods (i) all copies of each Customer Application within sixty (60) days following the availability of the Report related thereto or earlier if requested by Customer and (ii) all copies of the results of the Assessments of each Customer Application (excluding the Statistical Data), Customer Confidential Information, and all associated documentation and related materials provided by Customer within sixty (60) days following any termination or expiration of this Agreement or earlier if requested by Customer; and upon request, Veracode shall confirm such destruction in writing. Upon the expiration or termination of any Order Form granting Customer access to On-Site Software, Customer shall promptly destroy such On-Site Software.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
Application to install
Designed for use on mobile devices
Service interface
User support accessibility
WCAG 2.1 AA or EN 301 549
What users can and can't do using the API
API calls and supported integrations in general are described at , or specifically here: The user does not need to login to the Veracode Platform via a web browser to interact with scanning services - this can be automated by the API. In terms of limitations on API calls, a fair use policy applies which should not restrict normal reasonable scan operations or platform requests.
API documentation
API documentation formats
  • HTML
  • Other
API sandbox or test environment
Customisation available
Description of customisation
Branding options exist within the Veracode Platform. Role-based access control (RBAC) - covering a wide variety or user types and group allocations. Communication preferences. Login via Single Sign-on (SSO) Additional customisations may be considered on request.


Independence of resources
The Veracode Platform uses auto-scaling compute resources provided by AWS.

The Veracode platform is an auto-scaling SaaS offering. As demand increases, more resources are provisioned to handle the extra scanning demand. Veracode handles hundreds of thousands of scans per month across thousands of customers.


Service usage metrics
Metrics types
Customisable service metrics dashboards can be define within the Analytics package. Default dashboards are provided. Information about Analytics is provided here: Default Dashboards: Policy Compliance Overview, Scan Activity, Sandbox Scan Activity, Scan Times, Findings Details, Findings Status and History, Resolution and Mitigation Details, Security Consultation. If you want to view data differently than the predefined dashboards, you can modify existing dashboards and visualizations to suit your own needs. You have the ability to customize dashboards and visualizations to view your data in different ways.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Reseller providing extra support
Organisation whose services are being resold

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Application data can be uploaded manually through the Veracode browser console, or automated via the API. When working at scale with several applications, application data is typically uploaded via the API in a CI/CD pipeline.

Via the Veracode Platform through the UX or via API Data formats in main Veracode Platform: CSV, XML, PDF Within analytics module: TXT, XLSX, CSV, JSON, HTML or PNG for dashboard views
Data export formats
  • CSV
  • Other
Other data export formats
  • XML
  • PDF
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Service Level: Veracode shall maintain the Availability Percentage (as defined below) of the automated Solution (the “Automated Solution”) at or above ninety-nine percent (99%) during any calendar month. “Availability Percentage” is expressed as the percentage defined as (i) the Availability (as defined below) less any Unavailability (as defined below) during any particular calendar month divided by (ii) the total number of minutes during such calendar month. “Unavailable” or “Unavailability” consists of the number of minutes during a particular calendar month that the Automated Solution was not Available to Customer, but expressly excludes any time the Automated Solution was not Available as a result of (i) any planned maintenance and support, not to exceed 8 hours per calendar month, which shall generally occur on average twice per calendar month during maintenance windows between the hours of 9PM ET and 4AM ET or on non-business days (which Veracode shall endeavour to notice on the Veracode platform at least three Business Days in advance) or such other mutually convenient time as agreed upon between the parties; or (ii) an event of Force Majeure as described in the Agreement.
Approach to resilience
This information is defined in the Veracode Information Security Exhibit and is available with a mutual non-disclosure agreement.
Outage reporting
API, email alerts and public dashboard Information is available here:

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Source IP Address can be restricted. Accounts may be restricted for 2FA-only access (recommended). Account access can be restricted to be accessed by SAML 2.0 trust contract only.

Veracode defines access control objectives to manage access to information; prevent unauthorized access to information systems; ensure the protection of networked services; prevent unauthorized computer access; detect unauthorized activities; and ensure information security when mobile computing network facilities are used. This section provides standards that are required to comply with Veracode’s Access Control objectives.

Please see the Veracode Information Security Exhibit (VISE) Section titled “Access Control” for more information.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Cyber essentials
Cyber essentials plus
Other security certifications
Any other security certifications
SOC II Type 2 Report

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
SOC II TYPE 2 (Audited)
Information security policies and processes
These are articulated with the Veracode Information Security Exhibit which is available under mutual non-disclosure agreement.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Veracode has a formal change management process in place.

Our change management tools (e.g., code-versioning software and online ticketing system) maintain a record of all changes, including the implementer’s name, approvers’ names, implemented solution, roll-back plans, and any issues arising from the change.

Role-based Access Control is applied to ensure segregation of duties and prevent unauthorized changes.

See also the Veracode SOC 2 report for validation of testing.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
All systems within the platform are set up and managed by experts according to industry best practices where hardened configurations are used to limit unnecessary attack vectors. All configuration activity follows a formal process that encompasses documentation, testing and approval. Only authorized personnel are allowed to set up and manage systems. Operating system patches are monitored and applied as necessary to maintain the highest level of security.

Critical and severe patches are handled on a case-by-case basis and resolved as soon as possible.

High-severity patches are patched within 30 days.

Timeframes for patches categorized based on severity
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Operational and security logs are forwarded and consolidated into Veracode’s Splunk instance. Veracode’s 3rd party Managed Security Services Provider (MISP) ingests these files and other files sent directly to them for monitoring. Based on industry standard alert types and Veracode specific monitoring requests the MISP will notify Veracode’s Internal Information Security team of alerts requiring their attention based on severity.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Veracode has a dedicated Product Security Incident Response Team (PSIRT)
Their responsibilities include:

• Tactical cross-functional product teams who assess immediate and emerging threats to Veracode’s Products & Services Systems

• Develops direct tactical response plans (countermeasures) to secure Veracode’s Products & Services Systems

• Provides opportunities for collaboration between Research and Engineering on new and existing security initiatives

• Comprised of Security Champions who are sources of security expertise for their team to embed security more deeply into the SDLC

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks

Social Value

Fighting climate change

Fighting climate change

At Veracode, we aim to be efficient and sustainable in our operations, minimizing our environmental impact wherever possible. Veracode operates in a LEED Gold certified building, the highest standard for green certification for buildings. This LEED certification ensures that we minimize our energy and water consumption, avoid waste, improve indoor air quality, and limit our environmental impact. Our headquarters is also an Energy Star certified campus, meeting the strict energy performance standards set by the EPA.
We are committed to increasing our purchase of recycled and reusable items, and have set goals to audit our waste streams and increase our diversion rates. In addition, we:
• Employ a single stream recycling and composting program in our cafe
• Use completely paperless and digital services for client-facing work
Equal opportunity

Equal opportunity

At Veracode, we believe that diversity of background, thought, and experience is what drives innovation and resilience. We recognize that representation is critical to building a true culture of belonging, and we strive to continuously create a more diverse and inclusive team across every level of our business.

Our passion, strength, and uncompromising commitment to making secure software a competitive advantage for our customers come from the incredible individuals – we call them Veracoders – who make up our team. We value diversity and celebrate our differences, not only because it’s the right thing to do, but also because it’s good for our business.

We’ve made a public pledge to recruit, hire, and advance a more diverse and inclusive workforce. We’re putting that pledge into practice through initiatives including a recruiting collaboration with PowertoFly to reach underrepresented populations of candidates, and joining the MassTLC Tech Compact for Social Justice – a unified effort among tech companies to combat racial inequality and support a more welcoming Massachusetts to black Americans and people of color. Through this compact, our initiatives include providing our employees with education and resources, making charitable donations that progress racial and social justice, removing insensitive/oppressive terminology from our products, and providing our data to support a compilation of aggregated employee demographics.

In addition, although we are proud of the diversity we have at Veracode, and 40 percent of our executive team is female, we’re committed to doing better and improving our gender diversity at all levels. We’re partnering with McKinsey to understand how we compare to other technology companies with respect to women in the workforce, and to explore ways to improve those numbers.


£225 to £7,754 a unit a year
Discount for educational organisations
Free trial available
Description of free trial
Typical trial is 10 days in duration. 5 SAST Licences (including Pipeline and IDE scanning), 5 DAST Licences, 5 Software Composition Analysis Licences, 1 eLearning Licence. Granting of a free trial is subject to the buyer disclosing objectives or success factors for the trial.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.