A collection of useful open source projects that integrate with the Veracode APIs to automate scanning, results retrieval and other tasks.
These projects are community contributed and not supported by Veracode. For a list of supported projects, please see the listing of projects on Veracode.com.
View the Landing Page or the Contribution Guidelines to get started!
Contents
- Automating common Veracode Platform tasks
- Developer tools
- Pipeline Scan projects
- Results collection and display
- Application vulnerability correlation
- HMAC Signing libraries
- API wrappers
- Other integrations
- Secure coding examples
- Insecure applications
Automating common Veracode Platform tasks
- Veracode_Delete_Sandbox (Christyson) - A simple example script to delete a Sandbox if it exists in a Veracode application profile and you have the appropriate permissions.
- Check Build Status (Christyson) - Script to check if an application profile in Veracode currently has a build running.
- Veracode API Credentials Expiry (Christyson) - A simple example to get the expiration dates of API credentials for your users.
- VcodeAutoMitigate (Brian1917) - Command line app that mitigates flaws in Veracode based on CWE, scan type, and specific text in the description.
- VcodeMitigationExpire (Brian1917) - Utility designed to be run on a regular cadence (e.g., weekly cron job) to expire mitigations. The types of mitigations, expiration references, and other settings are controlled in a JSON config file.
- Veracode Break the Build by Severity (Christyson) - This project contains three Python scripts useful for working with Veracode projects in a build pipeline to break the build if any findings of a given severity or higher are found.
- Veracode Mitigation Copier (Tjarrettveracode) - Copies mitigations from one Veracode profile to another if it's the same flaw based on the following flaw attributes: issueid, cweid, type, sourcefile, and line. The script will copy all proposed and accepted mitigations for the flaw. The script will skip a flaw in the copy_to build if it already has an accepted mitigation.
- Veracode BCA Builder (Brian1917) - Shell script to generate the BCA package to scan an iOS app.
- Veracode Sandbox Mitigated Unique Findings (Ctcampbell) - This script will pull all open findings across all sandboxes for all applications and calculate which mitigated (proposed, accepted, or rejected) findings only exist in a single sandbox, and therefore may be deleted when the sandbox is deleted.
- Veracode User Bulk Role Assign (Tjarrettveracode) - Uses the Veracode Identity API to add roles (Security Labs User, Greenlight IDE User, or eLearning) to existing users.
- Veracode Workspace Auto Create (Tjarrettveracode) - Uses the Veracode Agent Based Scan API and other Veracode REST APIs to automatically create a workspace for application profiles in a Veracode organization.
Developer tools
- Bamboo (Buzzcode) - Full-featured Bamboo plugin including configuration UI, wait for scan to complete, and "break the build" functionality.
- Bamboo/Jira (Buildcom) - Provides a pair of simple plugins for upload and results handling from within Bamboo, and a lightweight script to create Jira issues (archived project).
- Bitrise-step-veracode-scan (Psoladoye-geotab) - Add Veracode scanning to Bitrise CI.
- CircleCI (Unregistered436) - Veracode Upload and Scan shell script, originally written for CircleCI but usable with any build system that can run a bash shell script.
- ConcourseCI, Gitlab, Travis (Ctcampbell) - Example configurations for integrating Veracode scanning in various continuous integration systems.
- Concourse (Veracode-Resource) (Cardinal Health) - A Concourse resource type that allows publishing and retrieving scan results from Veracode.
- easy_sast - A Docker container for use in CI pipelines which integrates with Veracode's static analysis tool.
- Jenkins (Jenkins Shell) (Ian C Leonard) - Unofficial Veracode shell integration for Jenkins Freestyle projects.
- Unofficial Veracode Pipeline Scan (Ctcampbell) - NPM package for the Veracode Pipeline Scan API.
- Veracode Azure YML Samples (Clintpollock) - Samples of Azure YML files that work with Veracode scanning.
- Veracode Dynamic Analysis Azure Sample (Jphillips-vc) - Veracode Dynamic Analysis Azure sample including script-based authentication and ISM configuration.
- veracode-scripts - Various example scripts for Jenkins and GitLab pipelines, including both static and dynamic examples.
- XebiaLabs Release Veracode Plugin (XebiaLabs-Community) - XL Release plugin for Veracode test automation.
- Gradle (CalgaryScientific, based on Kctang) - Set of Gradle tasks, usable either as a command line submission tool or integrated as part of a continuous integration build process, to perform Veracode submission for applications and scan results for flaws.
- Sbt-veracode (Sullis) - sbt plugin for Veracode.
- VSCode-Veracode (Buzzcode) - A plugin for Visual Studio Code that enables integration with Veracode Static Analysis. Currently, this only supports flaw download, but it will be enhanced to support upload as well in the future.
- vsccode-veracode-sca (Lerer) - A very simple plugin for Veracode SCA to get agent-based SCA results into the VS Code IDE.
- unofficial-vs-code-veracode-pipeline-scan (Ctcampbell) - Scan an app with Veracode Pipeline Scan, and load results from a Veracode Pipeline Scan.
- Insomnia (Ctcampbell) - Adds an HMAC authentication header to Veracode API requests in Insomnia.
- Postman pre-request authentication header (Ctcampbell) - Postman pre-request script to add the Veracode HMAC header.
- Ansible (Telus Digital) - Allows uploading and scanning with Veracode from Ansible, with an option to send results to a Slack channel.
- Dynamic Scan and Wait for Result (Christyson) - Extends the Java API Wrapper to provide "break the build" style scanning. Includes instructions on how to integrate this workflow into Jenkins.
- Flowdock (Brian1917) - Utility designed to be run in a build process after a Veracode scan to notify a Flowdock flow that the scan completed. Optionally includes policy compliance info in the notification.
- PowerShell (Unregistered436) - PowerShell script for pushing binaries to Veracode using the Java API wrapper.
- Slack (Ctcampbell) - AWS Lambda commands that provide the ability to access Veracode application and build information from Slack.
- SonarQube (Buzzcode) - Unofficial Veracode plugin for SonarQube.
- Veracode QuickScan (relaxnow) - PHP example of how to connect to the APIs, scan a couple of files and get results.
- veracode-tools (Ctcampbell) - Docker image with all Veracode tools pre-installed.
- Veracode Upload and Scan Shell Script (Christyson) - A shell script to upload and scan an application (zip, war, etc.) and create the application profile if necessary. Uses curl and HMAC headers.
Pipeline Scan projects
- Pipeline2DetailedReport (JPhillips-vc) - Translates Veracode Pipeline Scan results into the DetailedReport XML format, allowing you to import them into an IDE plugin for remediation.
Results collection and display
- Excel (XLS), (XLSX) (Komiblanka) - Python scripts to format Veracode XML results into Excel workbook formats for easier human consumption.
- Hygieia (Mickfeech) - Veracode scan collector and parser for the Hygieia dashboard.
- JupiterOne (JupiterOne) - A JupiterOne managed integration for Veracode.
- JupiterOne Graph Veracode (JupiterOne) - A graph conversion tool for Veracode.
- SCA Extractor (Brian1917) - Creates a CSV file with open source vulnerability (SCA) findings for all builds in the input file.
- Stats (Ctcampbell) - Summary statistics for a Veracode account on the command line.
- VeraData (Seb Coles) - Console application that retrieves data (all scans, flaws, mitigations, etc.) for a given AppId and stores the results in a relational schema (only MSSQL Server is supported currently), ready for plugging your favourite BI tool into.
- VeraCustomTriage (Seb Coles) - App that generates a .xlsx remediation plan from a set of scan results augmented with text from JSON configuration files. Custom text is added when flaw criteria are met (such as a CWE ID, module name, file or line number). This allows custom text such as internal workflows, wiki links, training, code snippets, second-party information or other languages to be included in the auto-generated remediation plan. Enables app sec teams to triage large volumes of flaws quickly whilst sharing a core advice repository in code.
- Veracode Report Converter (CSV) (Dipsylala) - .NET Framework utility to extract useful data from a Detailed Report XML file into CSV format.
- Veracode Report Converter - Portable (CSV) (Dipsylala) - .NET Core utility to extract useful data from a Detailed Report XML file into CSV format.
- veracode-to-csv (Ctcampbell) - This script outputs one CSV file per scan per application profile visible in a Veracode platform account. The output can be imported into Splunk for further analysis.
Application vulnerability correlation
- DefectDojo - DefectDojo is an open-source application vulnerability correlation and security orchestration application. DefectDojo supports importing Veracode results.
- Veracode Archer - Script to export a Veracode Archer report file to disk. Usage: set on a timer and run daily or weekly, then import the results into RSA Archer.
HMAC Signing libraries
Projects in this category implement HMAC digest signing, which is required to use Veracode APIs that authenticate with a Veracode API ID and Key. Also see the Postman and Insomnia examples in API Testing Tools.
- auth.js - Veracode custom HMAC request signing algorithm (used for API authorization), written in JavaScript; uses the Web Crypto API instead of the Node Crypto library.
- PythonHMAC - Simple example of usage of the Veracode API signing library provided in the Veracode Help Center.
- NodeJS - Node.js library, written in JavaScript, to generate the authorization header with a Veracode API Key and ID. Sample usage is in the comment on the gist.
- vcodeHMAC (Brian1917) - Go package that creates an authorization header using a Veracode API Key and ID.
- vcodeHMAC-CLI (Brian1917) - CLI tool to generate an authorization header for Veracode APIs using an API ID and Key. Given an HTTP method and URL, and the location of your Veracode API credentials file, it prints the value of an Authorization header for piping into curl, httpie, or other scripting uses.
- veracode-go-hmac-authentication (antfie) - A simple Go package that follows the format of the existing HMAC Authentication Examples found in the Veracode Help Center.
- Veracode_HMAC_Auth (rafaelzm2000) - A PowerShell example for doing HMAC authentication to the Veracode APIs.
- Using curl and openssl to access the Veracode API endpoint (m9aertner) - Short article illustrating the use of built-in shell tools to handle HMAC signing and send API requests from the command line.
API wrappers
- .NET Core Nuget Package Wrapper (Seb Coles) - C# NuGet package that wraps the XML APIs.
- Go wrapper (Brian1917) - Wrapper written in Go for easy use of the Veracode APIs.
- node-veracode-api-client (M4l1c3) - Node.js API client.
- veracode-api (Ruby) (Mort666) - Ruby wrapper for the Veracode API.
- veracode-api-clients (Jourzero) - Client code using the Veracode REST and XML APIs. Includes handlers for Veracode Dynamic Analysis scanning.
- veracode-python (Chuckorde) - A Python wrapper for communicating with the Veracode APIs.
- veracode-api-py (Tjarrettveracode) - Python helper library for working with the Veracode APIs. Handles retries, pagination, and other features of the modern Veracode REST APIs.
Other integrations
- Bash shell (Aparsons) - Bash script for scanning a directory of code with the Veracode platform.
- F5 WAF (Julz0815) - Transforms Veracode dynamic result files into the F5 generic scanner result format for import into the F5 web application firewall.
- verapi (Fsclyde) - Lambda function for automating Veracode static scans.
- veracode-api (Node) (Kinichahau87) - Node.js package for automating Veracode scanning from the command line.
- Veracode-cli (Adidas) - Automated way to check application status and DevSecOps compliance.
- Veracode Notifier (Ctcampbell) - Lambda function that sends a message to a webhook, for instance for use with Slack.
- VeraHooks Mitigation Webhooks (Seb Coles) - React/.NET Core solution for creating custom webhooks that watch application profiles and trigger when mitigations meet specified conditions.
Secure coding examples
- Secure cryptography examples for Java (1MansiS) - Code samples showing how to use the Java Crypto API securely. Accompanying code for the Java Crypto blog series.
Insecure applications
- VeraDemo (Jtsmith2020) - Sample insecure application written in Java and JavaScript, showing vulnerabilities in realistic Java code.
- NodeGoat (Buzzcode) - NodeGoat, built with CircleCI, showing how to use a YAML file to scan with Veracode.