SDK
Veracode custom HMAC request signing algorithm (used for API authorization), written in JavaScript -- uses Web Crypto API instead of the Node Crypto library.
NodeJS library, written in JavaScript, to generate an authorization header with a Veracode API key and ID. Sample usage is in the comments of the gist.
Simple example of usage of the Veracode API signing library provided in the Veracode Help Center.
PHP example of how to connect to the APIs, scan a couple of files and get results.
CLI tool to generate an authorization header for Veracode APIs using API ID and Key. Given an HTTP method and URL, and the location of your Veracode API credentials file, you will get the value of an Authorization header printed out for piping into curl, httpie, or other scripting uses.
A simple Go package that follows the format of the existing HMAC Authentication Examples found in the Veracode Help Center.
Python helper library for working with the Veracode APIs. Handles retries, pagination, and other features of the modern Veracode REST APIs.
CI/CD
Allows uploading and scanning with Veracode from Ansible, with an option to send results to a Slack channel
Provides a pair of simple plugins for upload and results handling from within Bamboo, and a lightweight script to create Jira issues (archived project).
This project contains three Python scripts useful for working with Veracode projects in a build pipeline to break the build if any findings of a given severity or higher are found.
Veracode Upload and Scan Shell Script, originally written for CircleCI but can be used for any build system that can run a shell script in bash.
Example configurations for integrating Veracode scanning in various continuous integration systems.
Veracode Dynamic Analysis Azure Sample including script based authentication, and ISM configuration.
A docker container for use in CI pipelines which integrates with Veracode's static analysis tool.
A shell script to upload and scan an application (zip, war, etc.) and create the application profile if necessary. Uses curl and HMAC headers.
Seamlessly integrate Veracode SAST scans with Azure DevOps build pipelines (using Pipeline Scan).
Seamlessly integrate Veracode Agent-Based SCA scans with Azure DevOps build or release pipelines.
GitHub Action to import static policy findings to GitHub Security Code Scanning Alerts.
IDE
Scan an app with Veracode Pipeline Scan, and load results from a Veracode Pipeline Scan.
A very simple plugin for Veracode SCA to get agent-based SCA results into the VSCode IDE.
A plugin for Visual Studio Code that enables integration with Veracode Static Analysis. Currently, this only supports flaw download, but will be enhanced to support upload as well in the future.
Workflow
Utility designed to be run in a build process after a Veracode scan to notify a Flowdock flow that the scan completed. Optional to include policy compliance info in notification.
AWS Lambda commands that provide the ability to access Veracode application and build information from Slack.
React .NET Core solution for creating custom webhooks that watch application profiles and trigger when mitigations meet specified conditions.
Results
Python scripts to format Veracode XML results into Excel workbook formats for easier human consumption.
Transforms Veracode dynamic result files into the F5 generic scanner result format for import into the F5 web application firewall.
Translates Veracode Pipeline Scan results into DetailedReport XML format, allowing you to import them into an IDE plugin for remediation.
Creates a CSV file with open source vulnerability (SCA) findings for all builds in the input file.
This script outputs one CSV file per scan per application profile visible in a Veracode platform account. The output can be imported into Splunk for further analysis.
App that generates a .xlsx remediation plan from a set of scan results augmented with text from JSON configuration files. Custom text is added when flaw criteria are met (such as a CWE ID, module name, file or line number). This allows custom text such as internal workflows, wiki links, training, code snippets, second-party information or other languages to be included in the auto-generated remediation plan. Enables app sec teams to triage large volumes of flaws quickly whilst sharing a core advice repository in code.
Console application that will retrieve data (all scans, flaws, mitigations, etc.) for a given AppId and store the results in a relational schema (only supports MSSQL Server currently), ready for plugging your favourite BI tool into.
Scripts
Script to check if an application profile in Veracode has a build running currently.
Short article illustrating the use of built-in shell tools to handle HMAC signing and send API requests from the command line.
Copies mitigations from one Veracode profile to another if it's the same flaw based on the following flaw attributes: issueid, cweid, type, sourcefile, and line. The script will copy all proposed and accepted mitigations for the flaw. The script will skip a flaw in the copy_to build if it already has an accepted mitigation.
This script will pull all open findings across all sandboxes for all applications and calculate which mitigated (proposed, accepted, or rejected) findings only exist in a single sandbox, and therefore may be deleted when the sandbox is deleted.
Uses the Veracode Identity API to add roles (Security Labs User, Greenlight IDE User, or eLearning) to existing users.
Command line app that mitigates flaws in Veracode based on CWE, scan type, and specific text in the description.
Utility designed to be run on a regular cadence (e.g., weekly cron job) to expire mitigations. The types of mitigations, expiration references, and other settings are controlled in a JSON config file.
A simple example to get the expiration dates of API credentials for your users.
Script to export a Veracode Archer report file to disk. Usage: set on a timer and run daily or weekly, then import the results into RSA Archer.
A simple example script to delete a Sandbox if it exists in a Veracode application profile and you have the appropriate permissions.
.NET Framework utility to extract useful data from a Detailed Report XML file into CSV format.
.NET Core utility to extract useful data from a Detailed Report XML file into CSV format.
Identify Veracode application profiles with one or more static scans in an incomplete state.
Uses the Veracode Agent Based Scan API and other Veracode REST APIs to automatically create a workspace for application profiles in a Veracode organization.