Veracode custom HMAC request signing algorithm (used for API authorization), written in JavaScript -- uses Web Crypto API instead of the Node Crypto library.

NodeJS lib, written in JavaScript, to generate authorization header with Veracode API Key and ID. Sample usage in the comment of the gist

Postman pre-request to add Veracode HMAC header.

CLI tool to generate an authorization header for Veracode APIs using API ID and Key. Given an HTTP method and URL, and the location of your Veracode API credentials file, you will get the value of an Authorization header printed out for piping into curl, httpie, or other scripting uses.


Example Java project with a [bitbucket-pipelines.yml]( file showing how to use Veracode Static Analysis (policy and pipeline scans) and Veracode Software Composition Analysis (SCA Agent) in Bitbucket..

Example configurations for integrating Veracode scanning in various continuous integration systems.



Unofficial Veracode plugin for SonarQube.

App that generates a .xlsx remediation plan from a set of scan results augmented with text from JSON configuration files. Custom text is added when flaw criteria is met (such as a CWE ID, module name, file or line number). This allows custom text such as internal workflows, wiki links, training, code snippets, 2nd party information or other languages into the auto generated remediation plan. Enables app sec teams to triage large volumes of flaws quickly whilst sharing a core advice repository in code.


short article illustrating use of built-in shell tools to handle HMAC signing and send API requests from the command line.

Copies mitigations from one Veracode profile to another if it's the same flaw based on the following flaw attributes: issueid, cweid, type, sourcefile, and line. The script will copy all proposed and accepted mitigations for the flaw. The script will skip a flaw in the copy_to build if it already has an accepted mitigation.

Rewrites Veracode Agent Based SCA json results in Gitlab readable report format in order to display results as dependency scanning on the pipeline run