GitHub Actions


Documentation on how to integrate Veracode into Azure DevOps

How to set up an AWS CodeSuite with Veracode Static Analysis, Software Composition Analysis, and Dynamic Analysis.

Documentation on how to integrate Veracode into GitHub

Documentation on how to integrate Veracode into GitLab

Community Projects

Automating common Veracode Platform tasks

Allows for adding teams to workspaces in bulk.

Script to check if an application profile in Veracode has a build running currently. It also provides an option to delete the build if there is one running.

A simple example script to check pass/fail status of a Veracode app profile (or sandbox) or for a list of app profiles without sandboxes.

Command line app that mitigates flaws in Veracode based on CWE, scan type, and specific text in the description.

Utility designed to be run on a regular cadence (e.g., weekly cron job) to expire mitigations. The types of mitigations, expiration references, and other settings are controlled in a JSON config file.

This project contains three Python scripts useful for working with Veracode projects in a build pipeline to break the build if any findings of a given severity or higher are found.

This script allows for bulk setting of roles and permissions for Veracode users.

This plugin creates a list of sandboxes in all available application profiles.

Java Script that will automatically delete Sandboxes from a profile via a configured threshold and the number of Sandboxes to be deleted.

Allows for bulk generation of SBOM JSON files. It works for both US and EU instances and has support for Upload and Scan and Agent-based scan.

Gets the SBOM for a single Application Profile or Workspace/Project pair.

Copies mitigations from one Veracode profile to another if it's the same flaw based on the following flaw attributes: issueid, cweid, type, sourcefile, and line. The script will copy all proposed and accepted mitigations for the flaw. The script will skip a flaw in the copy_to build if it already has an accepted mitigation.

Pulls latest PDF reports from Veracode for recent Static and Dynamic scans.

This will promote the latest scan of a named sandbox.

This tool performs bulk mitigation actions on open SAST flaws reported in multiple application profiles. The definitions of what to mitigate (e.g. file name, line number) and the mitigation comments and actions to apply are defined via a JSON file. Application profile names to target are specified via a text file or alternatively a flag can be set to process all application profiles.

This script will pull all open findings across all sandboxes for all applications and calculate which mitigated (proposed, accepted, or rejected) findings only exist in a single sandbox, and therefore may be deleted when the sandbox is deleted.

Identify Veracode application profiles with one or more static scans in an incomplete state.

Uses the Veracode Agent Based Scan API and other Veracode REST APIs to automatically create a workspace for application profiles in a Veracode organization.

A simple example script to delete a Sandbox if it exists in a Veracode application profile and you have the appropriate permissions.

Developer Tools

Auto Packagers

CLI tool to automatically package a `Golang` application for Veracode Static Analysis

CLI tool to automatically package a `JavaScript` application for Veracode Static Analysis




provides a pair of simple plugins for upload and results handling from within Bamboo, and a lightweight script to create Jira issues (archived project)

Veracode Upload and Scan Bash Script, originally written for CircleCI but can be used for any build system that can run a shell script in bash.

add Veracode scanning to Bitrise CI.

Example configuration for zipping a project, then executing policy scan, agent-based SCA, and pipeline scan in a CircleCI pipeline.

Example configurations for building a project with Maven, then executing policy scan, agent-based SCA, and pipeline scan in a CircleCI pipeline.

In this repository you will find several examples for Veracode implementations created by the M3Corp team. In the Pipelines folder you can find how to implement in the most diverse CI/CD tools, such as Azure, GitLab, GitHub Actions and Jenkins. Other implementation examples such as running in a terminal and translating the results are also available. We normally publish in Portuguese, but the examples are completely understandable in other languages.

unofficial Veracode shell integration for Jenkins Freestyle projects.

Seamlessly integrate Veracode SAST scans with Azure DevOps build pipelines (using Pipeline Scan).

custom fork of Verademo, featuring sample pipeline configurations for Bitbucket, Jenkins and Azure Pipelines.

XL Release for Veracode test automation.

A docker container for use in CI pipelines which integrates with Veracode's static analysis tool.

How to set up an AWS CodeSuite with Veracode Static Analysis, Software Composition Analysis, and Dynamic Analysis.

produces badges for READMEs and other artifact repositories showing the status of Veracode policy scans.

This repository contains Veracode examples in the form of use cases that can be run in end-user environments: Kubernetes, AWS CodePipeline, CircleCI to GCP Functions, and a multi-tiered application leveraging various languages.

enables Veracode customers who want to use the Veracode Upload-and-Scan Static and SCA (not the Pipeline or the IDE scans) and get updates back in an asynchronous manner.

example YML files for Azure DevOps, Jenkins, GitLab, CircleCI. Pipelines include Veracode SCA Agent scans, Veracode Static Analysis policy and pipeline scans.

Azure DevOps

This plugin should make it easier to run the Veracode pipeline scan on Azure DevOps pipelines. The full scan jar is included within the plugin and doesn't need to be downloaded each time the pipeline runs. In addition, it will populate an additional tab on your pipeline run to display results in a more convenient way. The plugin will automatically update itself every night if a new version of the pipeline scan jar is published.

This repository contains Azure DevOps scripts that can be referenced and used for integration with Veracode Analysis tools.

Saves new Veracode SCA findings as Azure DevOps Work Items.

Samples of Azure YML files that work with Veracode scanning

Seamlessly integrate Veracode Agent-Based SCA scans with Azure DevOps build or release pipelines.

Veracode Dynamic Analysis Azure Sample including script based authentication, and ISM configuration.

Plugin made to run after the regular import to update the work items with an assigned user and a linked Work Item.

GitHub Action to import static policy findings to GitHub Security Code Scanning Alerts.

YAML files to get started with Veracode on Azure DevOps. Accompanies a blog post.


An Action to handle Sandboxes mainly as a set of clean-up activities such as: deleting a sandbox and promoting Sandbox scan to Policy Scan with or without deleting the sandbox

Build tools

Set of Gradle tasks, usable either as a command line submission tool or integrated as part of a continuous integration build process, to perform Veracode submission for applications and scan results for flaws.

sbt plugin for Veracode.


Complements Veracode's official IntelliJ IDE integration with support for other JetBrains IDE products. It enables you to download the SAST result from Veracode Platform into your JetBrains IDE.

a plugin for Visual Studio Code that enables integration with Veracode Static Analysis. Currently, this only supports flaw download, but will be enhanced to support upload as well in the future.

VSCode plugin which integrates with the Veracode platform and enables downloading of scan results (findings) for both Static and SCA (Upload-and-Scan), running a pipeline scan, and submitting mitigations. Available in the VSCode marketplace.

Scan an app with Veracode Pipeline Scan, and load results from a Veracode Pipeline Scan. Available in the VSCode marketplace.

A very simple plugin for Veracode SCA to get agent-based SCA results into VSCode IDE.

API Testing Tools

Adds an HMAC authentication header to Veracode API requests in Insomnia.

Pre-request authentication script and instructions for accessing Veracode APIs from Postman.


allows uploading and scanning with Veracode from Ansible, with an option to send results to a Slack channel

Utility designed to be run in a build process after a Veracode scan to notify a Flowdock flow that the scan completed. Optionally includes policy compliance info in the notification.

PowerShell script for pushing binaries to Veracode using Java API.

AWS Lambda commands that provide the ability to access Veracode application and build information from Slack.

Unofficial Veracode plugin for SonarQube.

PHP example of how to connect to the APIs, scan a couple of files and get results.

A shell script to upload and scan an application (zip, war, etc.) and create the application if necessary. Uses curl and HMAC headers.

Docker image with all Veracode tools pre-installed.

Pipeline Scan Projects

translate Veracode Pipeline Scan results into DetailedReport XML format, allowing you to import them into an IDE plugin for remediation.

reads the JSON output of a Veracode Pipeline Scan and converts it into a standard JUnit test results XML file.

checks if there are any issues present on a pipeline results file that aren't present on another, supporting filtering by severity.

run a Veracode Pipeline Scan and generate a human-readable .HTML file from the Veracode pipeline verification results.json file.

Sends output of Pipeline Scan to a comment on a pull request.

GitHub Action to perform a Veracode Pipeline Scan and, optionally, compare the results against a set of baseline results.

Dynamic Analysis Projects

Adds a list of urls to the blocklist for an existing DAST scan.

Dynamic Analysis API Examples. Currently includes example code for using the Scanner Variables feature, where credentials can be defined and updated at the account level, and referenced in Selenium login scripts.

Resets all recurrent scheduled analysis jobs configured for one year that have expired.

Results Collection and Display

Python scripts to format Veracode XML results into Excel workbook formats for easier human consumption.

Python scripts to format Veracode XML results into Excel workbook formats for easier human consumption.

Python script that creates a License Notice file (sometimes called an Attribution Report) for an application that has been scanned by Veracode SCA.

Python script to generate a Software Bill of Materials (SBOM) for an application in either CycloneDX or SPDX format.

Veracode scan collector and parser for the Hygieia dashboard.

A graph conversion tool for Veracode.

Creates a CSV file with open source vulnerability (SCA) findings for all builds in the input file.

Summary statistics for a Veracode account on the command line.

Integration with the ITSM | CSC | ESM tool called TopDesk.

Veracode AST and Security Labs utility in .NET Core.

App that generates a .xlsx remediation plan from a set of scan results augmented with text from JSON configuration files. Custom text is added when flaw criteria are met (such as a CWE ID, module name, file or line number). This allows custom text such as internal workflows, wiki links, training, code snippets, 2nd party information or other languages to be included in the auto-generated remediation plan. Enables app sec teams to triage large volumes of flaws quickly whilst sharing a core advice repository in code.

Console application that will retrieve data (all scans, flaws, mitigations etc) for a given AppId and store the results in a relational schema (only supports MSSQL Server currently) ready for plugging your favourite BI tool into!

Retrieves all the data available from the Veracode Reporting API from a specific start date

Converts the JSON output of a Veracode container scan into HTML.

Display, sort and filter Container Security JSON results.

Rewrites Veracode's Agent Based SCA JSON results in GitLab-readable report format in order to display results as dependency scanning on the pipeline run.

A little Java Script that downloads JSON results from a Veracode policy or sandbox scan into GitLab-readable report format in order to display results as SAST results on the pipeline run and create GitLab issues on the findings.

.NET Framework utility to extract useful data from Detailed Report XML file into CSV format

.NET Core utility to extract useful data from Detailed Report XML file into CSV format

Use this tool to compare two Veracode Static Analysis (SAST) scans to understand why they are different.

Produces a SAST scan health report with guidance on changes to make in order to improve the packaging and module selection to achieve greater flaw accuracy.

This script outputs one CSV file per scan per application profile visible in a Veracode platform account. The output can be imported into Splunk for further analysis.

User Provisioning, Management and Deprovisioning

Code and documentation on configuring Azure Active Directory to automatically create teams as part of the just-in-time provisioning workflow via SAML.

A simple example to get the expiration dates of API credentials for your users.

Get a list of users with their attributes.

Deactivates a provided list of users on the Veracode Platform.

A complete user management tool written in PowerShell using the Veracode APIs. This version is written in Portuguese, and you can use it to create, block, delete and update users from a Windows, Linux or Mac terminal.

A complete user management tool written in PowerShell using the Veracode APIs. You can use it to create, block, delete and update users from a Windows, Linux or Mac terminal. This is a simplified and translated version of the original in Portuguese.

Uses the Veracode Identity API to add roles (Security Labs User, Greenlight IDE User, or eLearning) to existing users.

Application Vulnerability Correlation

Script to export a Veracode Archer report file to disk. Usage: set on a timer and run daily or weekly, then import the results into RSA Archer.

HMAC Signing Libraries

NodeJS lib, written in JavaScript, to generate an authorization header with Veracode API Key and ID. Sample usage is in the comment of the gist.

simple example of usage of the Veracode API signing library provided in the Veracode Help Center

short article illustrating use of built-in shell tools to handle HMAC signing and send API requests from the command line.

A PowerShell example for doing HMAC authentication to the Veracode APIs.

Veracode custom HMAC request signing algorithm (used for API authorization), written in JavaScript -- uses Web Crypto API instead of the Node Crypto library

CLI tool to generate an authorization header for Veracode APIs using API ID and Key. Given an HTTP method and URL, and the location of your Veracode API credentials file, you will get the value of an Authorization header printed out for piping into curl, httpie, or other scripting uses.

Go package that creates an authorization header using Veracode API Key and ID.

A simple Go package that follows the format of the existing HMAC Authentication Examples found in the Veracode Help Center.

API Wrappers

Wrapper written in Go for easy use of Veracode APIs

Node.js API client.

Ruby Wrapper for the Veracode API.

Client code using the Veracode REST and XML APIs. Includes handlers for Veracode Dynamic Analysis scanning.

Python helper library for working with the Veracode APIs. Handles retries, pagination, and other features of the modern Veracode REST APIs.

Other Integrations

Bash script for scanning a directory of code with the Veracode platform.

Transforms Veracode dynamic result files into the F5 generic scanner result format for import into the F5 web application firewall.

React .NET Core solution for creating custom webhooks that watch application profiles and trigger when mitigations meet specified conditions.

Automated way to check application status and DevSecops compliance.

Node.js package for automating Veracode scanning from the command line.

Lambda function for automating Veracode static scans

Secure Coding Examples

Code samples showing how to use the Java Crypto API securely. Accompanying code for the Java Crypto blog series.

Insecure Applications


NodeGoat, built w/CircleCI, showing how to use a yaml file to scan w/Veracode.

Sample insecure application written in Javascript, showing vulnerabilities in realistic Javascript code.

Brings the 2 demo apps above, VeraDemoJave and VeraDemoAPI, together and starts them within a Docker environment. You will get a Java web application, a JavaScript Node Express API, a MySQL database and a vulnerable container.

Sample insecure application written in Java, showing vulnerabilities in realistic Java code.

Sample insecure application written in Java and Javascript, showing vulnerabilities in realistic Java code.

Automating Security Labs Tasks

Python scripts to automate various administrative tasks in Veracode Security Labs.