GitHub Actions
Veracode Software Composition Analysis (agent-based scan) as a GitHub Action. It also supports the generation of GitHub issues.
Import Veracode Static Analysis Flaws to GitHub Issues - GitHub Action. This action can be used in a workflow after a Veracode Static Analysis (either Pipeline Scan or Policy/Sandbox scan) to take the results of the scan and import them into GitHub as Issues.
this action runs the Veracode Pipeline-Scan. It supports all standard features beside generating a new baseline file and commit it back to different branch.
This action has a workflow which initiates a Veracode Static Analyis Pipeline Scan and takes the Veracode pipeline scan JSON result file as an input and transforms it to a SARIF format.
This action runs the Veracode Java Wrapper's 'upload and scan' action.
Documentations
A documentation how to integrate Veracode into Azure DevOps
How to setup an AWS CodeSuite with Veracode Static Analysis, Software Composition Analysis, and Dynamic Analysis.
A documentation how to integrate Veracode into GitHub
A documentation how to integrate Veracode into GitLab
Community Projects
Automating common Veracode Platform tasks
Developer Tools
Auto Packagers
CLI tool to automatically package a `Golang` application for Veracode Static Analysis
CLI tool to automatically package a `JavaScript` application for Veracode Static Analysis
CI/CD
undefined
undefined
provides a pair of simple plugins for upload and results handling from within Bamboo, and a lightweight script to create Jira issues (archived project)
Veracode Upload and Scan Bash Script, originally written for CircleCI but can be used for any build system that can run a shell script in bash.
add Veracode scanning to Bitrise CI.
Example configuration for zipping a project, then executing policy scan, agent-based SCA, and pipeline scan in a CircleCI pipeline.
Example configurations for building a project with Maven, then executing policy scan, agent-based SCA, and pipeline scan in a CircleCI pipeline.
In this repository you will find several examples for Veracode implementations created by the [M3Corp](https://github.com/M3Corp-Community) team. In the [Pipelines](https://github.com/M3Corp-Community/Veracode/tree/main/Pipelines) folder you can find how to implement in the most diverse CI/CD tools, such as [Azure](https://github.com/M3Corp-Community/Veracode/tree/main/Pipelines/Az%20DevOps), [GitLab](https://github.com/M3Corp-Community/Veracode/tree/main/Pipelines/GitLab), [GitHub Actions](https://github.com/M3Corp-Community/Veracode/tree/main/Pipelines/GitHub%20Actions) and [Jenkins](https://github.com/M3Corp-Community/Veracode/tree/main/Pipelines/Jenkins). Other implementation examples such as running in a [terminal](https://github.com/M3Corp-Community/Veracode/tree/main/SOs) and [translating the results](https://github.com/M3Corp-Community/Veracode/tree/main/FreeStyle) are also available. We normally publish in Portuguese, but the examples are completely understandable in other languages
unofficial Veracode shell integration for Jenkins Freestyle projects.
Seamlessly integrate Veracode SAST scans with Azure DevOps build pipelines (using Pipeline Scan).
custom fork of Verademo, featuring sample pipeline configurations for Bitbucket, Jenkins and Azure Pipelines.
XL Release for Veracode test automation.
A docker container for use in CI pipelines which integrates with Veracode's static analysis tool.
How to setup an AWS CodeSuite with Veracode Static Analysis, Software Composition Analysis, and Dynamic Analysis.
produces badges for READMEs and other artifact repositories showing the status of Veracode policy scans.
This repository contains veracode examples in the form of use cases that can be run in end-user environments. Kubernetes. AWS CodePipeline. CircleCi to GCP Functions. Multi-tiered application leveraging various languages.
Various example scripts for Jenkins and GitLab pipelines, including both static and dynamic examples.
enables Veracode customers who want to use the Veracode Upload-and-Scan Static and SCA (not the Pipeline or the IDE scans) and get updates back in an asynchronous manner.
example YML files for Azure DevOps, Jenkins, GitLab, CircleCI. Pipelines include Veracode SCA Agent scans, Veracode Static Analysis policy and pipeline scans.
Azure DevOps
This plugin should make it easier to run the Veracode pipeline scan on Azure DevOps pipelines. The full scan jar is included within the plugin and don't need to be downloaded each time when the pipeline runs. In addition it will populate an additional tab on your pipeline run to display results in a more convinient way. The plugin will automatically update itself every night if a new version of the piepline scan jar is published.
This repository contains Azure DevOps scripts that can be referenced and used for integration with Veracode Analysis tools.
Saves new Veracode SCA findings as Azure DevOps Work Items.
Samples of Azure YML files that work with Veracode scanning
Seamlessly integrate Veracode Agent-Based SCA scans with Azure DevOps build or release pipelines.
Veracode Dynamic Analysis Azure Sample including script based authentication, and ISM configuration.
Plugin made to run after the regular import to update the work items with an assigned user and a linked Work Item.
GitHub Action to import static policy findings to GitHub Security Code Scanning Alerts.
Yaml files to get started with Veracode on Azure DevOps. Accompanies this [blog post](https://community.veracode.com/s/blog/user-story-how-we-set-up-veracode-in-a-large-azure-project-MCT4HNONEE55CIFA6O3ULXNUW2BI).
GitHub
An Action to handle Sandboxes mainly as a set of clean-up activities such as: deleting a sandbox and promoting Sandbox scan to Policy Scan with or without deleting the sandbox
Build tools
Set of Gradle tasks, usable either as a command line submission tool or integrated as part of a continuous integration build process, to perform Veracode submission for applications and scan results for flaws.
sbt plugin for Veracode.
IDE's
Compliments Veracode's official IntelliJ IDE integration with support for other Jetbrains IDE products. It enables you to download the SAST result from Veracode Platform into your Jetbrains IDE.
a plugin for Visual Studio Code that enables integration with Veracode Static Analysis. Currently, this only supports flaw download, but will be enhanced to support upload as well in the future.
VSCode plugin which integrate with the Veracode platform and enables downloading of scan results (findings) for both Static and SCA (Upload-and-Scan), run pipeline scan, and submit mitigations [Link to the plugin in VSCode marketplace](https://marketplace.visualstudio.com/items?itemName=YaakovLerer.veracode)
A very simple plugin for Veracode SCA to get agent-base SCA results into VSCode IDE.
API Testing Tools
An extension for the RapidAPI (Paw) REST Client to authenticate into the Veracode REST APIs using HMAC.
Pre-request authentication script and instructions for accessing Veracode APIs from [Bruno](https://www.usebruno.com/).
Pre-request authentication script and instructions for accessing Veracode APIs from Postman.
Other
allows uploading and scanning with Veracode from Ansible, with an option to send results to a Slack channel
Utility designed to be run in a build process after a Veracode scan to notify a Flowdock flow that the scan completed. Optional to include policy compliance info in notification.
PowerShell script for pushing binaries to Veracode using Java API.
PHP example of how to connect to the APIs, scan a couple of files and get results.
A shell script to upload and scan a application (zip or war etc.) and create the application if necessary. Uses Curl and hmac headers.
Pipeline Scan Projects
Dynamic Analysis Projects
Results Collection and Display
Python scripts to format Veracode XML results into Excel workbook formats for easier human consumption.
Python script to retrive Collection results and output to PDF, CSV and/or JSON format.
Python scripts to format Veracode XML results into Excel workbook formats for easier human consumption.
Python script that creates a License Notice file (sometimes called an Attribution Report) for an application that has been scanned by Veracode SCA.
Veracode scan collector and parser for the [Hygieia dashboard](https://github.com/Hygieia/ExecDashboard).
A graph conversion tool for Veracode.
Creates a CSV file with open source vulnerability (SCA) findings for all builds in the input file.
Integration with ITSM | CSC | ESM tool called [TopDesk](https://www.topdesk.com/).
Veracode AST and Security Labs utility in .NET Core.
App that generates a .xlsx remediation plan from a set of scan results augmented with text from JSON configuration files. Custom text is added when flaw criteria is met (such as a CWE ID, module name, file or line number). This allows custom text such as internal workflows, wiki links, training, code snippets, 2nd party information or other languages into the auto generated remediation plan. Enables app sec teams to triage large volumes of flaws quickly whilst sharing a core advice repository in code.
Console application that will retrieve data (all scans, flaws, mitigations etc) for a given AppId and store the results in a relational schema (only supports MSSQL Server currently) ready for plugging your favourite BI tool into!
Retrieves all the data available from the Veracode Reporting API from a specific start date
Converts the JSON output of a Veracode container scan into HTML.
Display, sort and filter Container Security JSON results.
Rewrites Veracode's Agent Based SCA json results in Gitlab readable report format in (orde)r to display results as dependency scanning on the pipeline run
A little Java Script will download json results from a Veracode policy or sandbox scan into Gitlab readable report format in order display results as SAST results on the pipeline run and create Gitlab issues on the findings
.NET Framework utility to extract useful data from Detailed Report XML file into CSV format
.NET Core utility to extract useful data from Detailed Report XML file into CSV format
Use this tool to compare two Veracode Static Analysis (SAST) scans to understand why they are different.
Produces a SAST scan health report with guidance on changes to make in order to improve the packaging and module selection to achieve greater flaw accuracy.
This script checks for the results of the latest scan for an application profile (and optionally a sandbox) and returns all the results that meet a minimum severity criteria. Can optionally consider SCA results and fail a build.
Generates a PDF report for a Veracode Agent-Based SCA project.
User Provisioning, Management and Deprovisioning
Code and documentation on configuring Azure Active Directory to automatically create teams as part of the just-in-time provisioning workflow via SAML.
A simple example to get the exiration dates of api credentials for your users.
This script allows for bulk modifying and/or creating users in Veracode.
Get a list of users with their attributes.
Deactivates a provided list of users on the Veracode Platform.
A completed User management tool write in Powershell using the Veracode APIs. This version is completed in Portuguese, and you can use to create, block, delete and update users, in Windows, Linux or Mac terminal.
A completed User management tool write in Powershell using the Veracode APIs. You can use to create, block, delete and update users, in Windows, Linux or Mac terminal. This a simplified and translated version from the original in [Portuguese](https://github.com/IGDEXE/Veracode-UM).
Uses the Veracode Identity API to add roles (Security Labs User, Greenlight IDE User, or eLearning) to existing users.
Application Vulnerability Correlation
Script to export a Veracode Archer report file to disk. Usage: set on a timer and run daily or weekly, then import the results into RSA Archer.
HMAC Signing Libraries
NodeJS lib, written in JavaScript, to generate authorization header with Veracode API Key and ID. Sample usage in the comment of the gist
simple example of usage of the Veracode API signing library provided in the Veracode Help Center
short article illustrating use of built-in shell tools to handle HMAC signing and send API requests from the command line.
A PowerShell example for doing HMAC authentication to the Veracode APIs.
Veracode custom HMAC request signing algorithm (used for API authorization), written in JavaScript -- uses Web Crypto API instead of the Node Crypto library
CLI tool to generate an authorization header for Veracode APIs using API ID and Key. Given an HTTP method and URL, and the location of your Veracode API credentials file, you will get the value of an Authorization header printed out for piping into curl, httpie, or other scripting uses.
A simple Go package that follows the format of the existing HMAC Authentication Examples found in the [Veracode Help Center](https://docs.veracode.com/r/c_hmac_signing_example_c_sharp).
API Wrappers
Wrapper written in Go for easy use of Veracode APIs
Node.js API client.
Ruby Wrapper for the Veracode API.
Client code using the Veracode REST and XML APIs. Includes handlers for Veracode Dynamic Analysis scanning.
Python helper library for working with the Veracode APIs. Handles retries, pagination, and other features of the modern Veracode REST APIs.
Other Integrations
Bash script for scanning a directory of code with the Veracode platform.
Transforms Veracode dynamic result files into the F5 generic scanner result format for import into the F5 web application firewall.
React .NET Core solution for creating custom webhooks that watch application profiles and trigger when mitigations meet specified conditions.
Automated way to check application status and DevSecops compliance.
Node.js package for automating Veracode scanning from the command line.
Secure Codeing Examples
Code samples showing how to use the Java Crypto API securely. Accompanying code for the [Java Crypto blog series](https://www.veracode.com/blog/research/how-get-started-using-java-cryptography-securely).
Insecure Applications
undefined
Sample insecure application written in Javascript, showing vulnerabilities in realistic Javascript code.
Bringing the 2 demo apps above VeraDemoJave and VeraDemoAPI together and start them within a docker environment. You will get a Java Web Application, a JavaScript node express API. a MySQL database and a vulnerable container.
Sample insecure application written in Java, showing vulnerabilities in realistic Java code.
Sample insecure application written in Java and Javascript, showing vulnerabilities in realistic Java code.
Automating Security Labs Tasks
Python scripts to automate various administrative tasks in Veracode Security Labs.