Veracode Community Open Source Projects

A collection of useful open source projects that integrate with the Veracode APIs to automate scanning, results retrieval and other tasks.

These projects are community contributed and not supported by Veracode. For a list of supported projects, please see the listing of projects on Veracode.com.

Contents

• Automating common Veracode Platform tasks
• Developer tools
  • Auto Packagers (for SAST)
  • CI/CD
    • Azure DevOps
    • GitHub
  • Build tools
  • IDEs
  • API testing tools
  • Other
• Pipeline Scan projects
• Dynamic Analysis projects
• SCA related Projects
• Results collection and display
• User provisioning, management and deprovisioning
• Application vulnerability correlation
• HMAC Signing libraries
• API wrappers
• Other integrations
• Secure coding examples
• Insecure applications
• Automating Security Labs tasks

Automating common Veracode Platform tasks

• Veracode_Delete_Sandbox (Christyson) - A simple example script to delete a Sandbox if it exists in a Veracode application profile and you have the appropriate permissions.

• Bulk add teams to workspaces (cadonuno) - Allows for adding teams to workspaces in bulk.

• Veracode Application Profile Splitting Helper (cadonuno) - This script is a helper for splitting application profiles. This is usually recommended when working with microservices to ensure that all of them can be scanned individually.

• Veracode Bulk Application Creator (cadonuno) - This script allows for bulk importing application profiles into the Veracode platform.

• Veracode Bulk Application Update (cadonuno) - This script allows for bulk updating application profiles in the Veracode platform.

• Veracode Bulk User Creator and Editor (cadonuno) - This script allows for bulk modifying and/or creating users in Veracode.

• Check Build Status (Christyson) - Script to check if an application profile in Veracode has a build running currently. It also provides an option to delete the build if there is one running.

• Check Pass Fail (Christyson) - A simple example script to check pass/fail status of a Veracode app profile (or sandbox) or for a list of app profiles with out sandboxes.

• VcodeAutoMitigate (Brian1917) - Command line app that mitigates flaws in Veracode based on CWE, scan type, and specific text in the description.

• VcodeMitigationExpire (Brian1917) - Utility designed to be run on a regular cadence (e.g., weekly cron job) to expire mitigations. The types of mitigations, expiration references, and other settings are controlled in a JSON config file.

• Veracode Break the Build by Severity (Christyson) - This project contains three python scripts useful for working with Veracode projects in a build pipeline to break the build if any findings of a given severity or higher are found.

• Veracode Create List of Sandboxes (cadonuno) - This plugin creates a list of sandboxes in all available application profiles.

• Veracode Get All SBOMs (cadonuno) - Allows for bulk generation of SBOM json files. It works for both US and EU instances and has support for Upload and Scan and Agent-based scan.

• Veracode Get Single SBOM (cadonuno) - Gets the SBOM for a single Application Profile or Workspace/Project pair.

• Veracode Mitigation Copier (Tjarrettveracode) - Copies mitigations from one Veracode profile to another if it's the same flaw based on the following flaw attributes: issueid, cweid, type, sourcefile, and line. The script will copy all proposed and accepted mitigations for the flaw. The script will skip a flaw in the copy_to build if it already has an accepted mitigation.

• Veracode SAST Bulk Mitigator (antfie) - This tool performs bulk mitigation actions on open SAST flaws reported in multiple application profiles. The definitions of what to mitigate (e.g. file name, line number) and the mitigation comments and actions to apply are defined via a JSON file. Application profile names to target are specified via a text file or alternatively a flag can be set to process all application profiles.

• Veracode PDF Reports (Jphillips-vc) - Pulls latest PDF reports from Veracode for recent Static and Dynamic scans.

• Veracode Policy Examples (Tjarrettveracode) - A collection of example application security "policies as code" that can be added to your Veracode organization account.

• Veracode Promote Named Sandbox (cadonuno) - This will promote the latest scan of a named sandbox.

• Veracode Scan Counts (Tjarrettveracode) - Identify Veracode application profiles with one or more static scans in an incomplete state.

• Veracode Workspace Auto Create (Tjarrettveracode) - Uses the Veracode Agent Based Scan API and other Veracode REST APIs to automatically create a workspace for application profiles in a Veracode organization.

• Veracode Delete Sandboxes via Threshold (Julz0815) - Java Script that will automatically delete Sandboxes from a profile via a configured threshold and the number of Sandboxes to be deleted.

Developer tools

Auto Packagers (for SAST)

• JavaScript Auto Packager (dub-flow) - CLI tool to automatically package a JavaScript application for Veracode Static Analysis

• Go Auto Packager (relaxnow) - CLI tool to automatically package a Golang application for Veracode Static Analysis

• .NET Auto Packager (nhinv11) - CLI tool to automatically package a .NET application for Veracode Static Analysis

CI/CD

• Bamboo (Buzzcode) - full featured Bamboo plugin including configuration UI, wait for scan to complete, and "break the build" functionality

• Bamboo-Jira (Buildcom) - provides a pair of simple plugins for upload and results handling from within Bamboo, and a lightweight script to create Jira issues (archived project)

• Bash-CircleCI (Unregistered436) - Veracode Upload and Scan Bash Script, originally written for CircleCI but can be used for any build system that can run a shell script in bash.

• Bitrise-step-veracode-scan (Psoladoye-geotab) - add Veracode scanning to Bitrise CI.

• CircleCI (ctcircleci) - Example configurations for building a project with Maven, then executing policy scan, agent-based SCA, and pipeline scan in a CircleCI pipeline.

• CircleCI (buzzcode) - Example configuration for zipping a project, then executing policy scan, agent-based SCA, and pipeline scan in a CircleCI pipeline.

• easy_sast - (docker container) - A docker container for use in CI pipelines which integrates with Veracode's static analysis tool.

• Exemplos Veracode (Ivo Dias) - In this repository you will find several examples for Veracode implementations created by the M3Corp team. In the Pipelines folder you can find how to implement in the most diverse CI/CD tools, such as Azure, GitLab, GitHub Actions and Jenkins. Other implementation examples such as running in a terminal and translating the results are also available. We normally publish in Portuguese, but the examples are completely understandable in other languages

• Jenkins (Jenkins Shell) (Ian C Leonard) - unofficial Veracode shell integration for Jenkins Freestyle projects.

• veracode-badges (Lerer) - produces badges for READMEs and other artifact repositories showing the status of Veracode policy scans.

• Veracode Community SAST Azure DevOps Extension (MetLife) - Seamlessly integrate Veracode SAST scans with Azure DevOps build pipelines (using Pipeline Scan).

• veracode-scripts (aszaryk) - Various example scripts for Jenkins and GitLab pipelines, including both static and dynamic examples.

• veracode-serverless-webhooks (Lerer) - enables Veracode customers who want to use the Veracode Upload-and-Scan Static and SCA (not the Pipeline or the IDE scans) and get updates back in an asynchronous manner.

• Verademo (christyson) - custom fork of Verademo, featuring sample pipeline configurations for Bitbucket, Jenkins and Azure Pipelines.

• XebiaLabs Release Veracode Plugin (XebiaLabs-Community) - XL Release for Veracode test automation.

• veracode-yml-sample-pipelines (Victor-secops) - example YML files for Azure DevOps, Jenkins, GitLab, CircleCI. Pipelines include Veracode SCA Agent scans, Veracode Static Analysis policy and pipeline scans.

• veracode-aws-documentation (Clintpollock) - How to setup an AWS CodeSuite with Veracode Static Analysis, Software Composition Analysis, and Dynamic Analysis.

• veracode-examples (Brandon Samuel) - This repository contains veracode examples in the form of use cases that can be run in end-user environments. Kubernetes. AWS CodePipeline. CircleCi to GCP Functions. Multi-tiered application leveraging various languages.

Azure DevOps

• Veracode Azure YML Samples (Clintpollock) - Samples of Azure YML files that work with Veracode scanning

• Veracode Community SCA Azure DevOps Extension (MetLife) - Seamlessly integrate Veracode Agent-Based SCA scans with Azure DevOps build or release pipelines.

• Veracode Dynamic Analysis Azure Sample (Jphillips-vc) - Veracode Dynamic Analysis Azure Sample including script based authentication, and ISM configuration.

• Veracode Examples in Portuguese - Various examples and documents about how to use and integrate Veracode in multiples scenarios (Azure DevOps, Jenkins, Github Actions, Linux, Windows...) in Portuguese.

• Veracode Flaw Importer (Julz0815) - GitHub Action to import static policy findings to GitHub Security Code Scanning Alerts.

• Veracode Flaw Importer Postprocessing (cadonuno) - Plugin made to run after the regular import to update the work items with an assigned user and a linked Work Item.

• Veracode for Azure DevOps Pipelines (zoekdestep) - Yaml files to get started with Veracode on Azure DevOps. Accompanies this blog post.

• Azure DevOps Pipeline-Scan plugin (Julz0815) - This plugin should make it easier to run the Veracode pipeline scan on Azure DevOps pipelines. The full scan jar is included within the plugin and don't need to be downloaded each time when the pipeline runs. In addition it will populate an additional tab on your pipeline run to display results in a more convinient way. The plugin will automatically update itself every night if a new version of the piepline scan jar is published.

• SCA Findings to Work Items (Cadonuno) - Saves new Veracode SCA findings as Azure DevOps Work Items.

• Azure DevOps promote scan (dmedeiros-veracode) - This repository contains Azure DevOps scripts that can be referenced and used for integration with Veracode Analysis tools.

GitHub

• Veracode Application Sandboxes Helper (Lerer) - An Action to handle Sandboxes mainly as a set of clean-up activities such as: deleting a sandbox and promoting Sandbox scan to Policy Scan with or without deleting the sandbox

Build tools

• Gradle (CalgaryScientific, based on Kctang) - Set of Gradle tasks, usable either as a command line submission tool or integrated as part of a continuous integration build process, to perform Veracode submission for applications and scan results for flaws.

• Sbt-veracode (Sullis) - sbt plugin for Veracode.

IDEs

• VSCode-Veracode (Buzzcode) - a plugin for Visual Studio Code that enables integration with Veracode Static Analysis. Currently, this only supports flaw download, but will be enhanced to support upload as well in the future.

• vsccode-veracode-sca (Lerer) - A very simple plugin for Veracode SCA to get agent-base SCA results into VSCode IDE.

• Veracode Unified Plugin Unofficial Version (Lerer) - VSCode plugin which integrate with the Veracode platform and enables downloading of scan results (findings) for both Static and SCA (Upload-and-Scan), run pipeline scan, and submit mitigations Link to the plugin in VSCode marketplace

• Jetbrains family plugin (GeraldTanCL) - Compliments Veracode's official IntelliJ IDE integration with support for other Jetbrains IDE products. It enables you to download the SAST result from Veracode Platform into your Jetbrains IDE.

API testing tools

• Insomnia (Veracode) - Adds an HMAC authentication header to Veracode API requests in Insomnia.

• Veracode-Postman (Veracode) - Pre-request authentication script and instructions for accessing Veracode APIs from Postman.

• Veracode-API-HMAC-Rapid-Api-Extension (Literallyjustroy) - An extension for the RapidAPI (Paw) REST Client to authenticate into the Veracode REST APIs using HMAC.

Other

• Ansible (Telus Digital) - allows uploading and scanning with Veracode from Ansible, with an option to send results to a Slack channel

• Flowdock (Brian1917) - Utility designed to be run in a build process after a Veracode scan to notify a Flowdock flow that the scan completed. Optional to include policy compliance info in notification.

• PowerShell (Unregistered436) - PowerShell script for pushing binaries to Veracode using Java API.

• SonarQube (Buzzcode) - Unofficial Veracode plugin for SonarQube.

• Veracode QuickScan (relaxnow) - PHP example of how to connect to the APIs, scan a couple of files and get results.

• Veracode Upload and Scan Shell Script (Christyson) - A shell script to upload and scan a application (zip or war etc.) and create the application if necessary. Uses Curl and hmac headers.

Pipeline Scan projects

• Pipeline2DetailedReport (JPhillips-vc) - translate Veracode Pipeline Scan results into DetailedReport XML format, allowing you to import them into an IDE plugin for remediation.

• pipeline2html (Victor-secops) - run a Veracode Pipeline Scan and generate a human-readable .HTML file from the Veracode pipeline verification results.json file.

• Pipeline2JUnitXml (cadonuno) - reads the JSON output of a Veracode Pipeline Scan and converts it into a standard JUnit test results XML file.

• PipelineResultsCompare (cadonuno) - checks if there are any issues present on a pipeline results file that aren't present on another, supporting filtering by severity.

• veracode-pipeline-PR-comment (Lerer) - Sends output of Pipeline Scan to a comment on a pull request.

• veracode-pipeline-with-baseline (Runkalicious) - GitHub Action to perform a Veracode Pipeline Scan and, optionally, compare the results against a set of baseline results.

Dynamic Analysis projects

• veracode-da-reset-scheduler (dennismedeiros) - Resets all recurrent scheduled analysis jobs configured for one year that have expired.

• Veracode Dynamic Analysis Examples (anon-veracoder) - Dynamic Analysis API Examples. Currently includes example code for using the Scanner Variables feature, where credentials can be defined and updated at the account level, and referenced in Selenium login scripts.

• Veracode DAST Add bulk urls to blocklist (aabutler) - Adds a list of urls to the blocklist for an existing DAST scan.

SCA related projects

• Veracode-Get-EPSS-Info (cadonuno) - Gets all the SCA findings available to the user, including EPSS scores and percentiles.

• Veracode-SCA-Webhook-Redirect (cadonuno) - This Project exposes a Tomcat server that can redirect Veracode Agent-based SCA web hooks to Teams and Slack.

• yarn-v2-workspaces-helper (Julz0815) - Creates yarn.lock files for each workspace to make the whole project scannable with Veracode's SCA solution. this is specifically for yarn version 2 and lower

• yarn-v3-workspaces-helper (Julz0815) - Creates yarn.lock files for each workspace to make the whole project scannable with Veracode's SCA solution. this is specifically for yarn version 3 and higher

• veracode-bulk-cve-suppression (aszaryk) - Allows for bulk suppression of specific CVE across full application portfolio

Results collection and display

• Collections Report PDF, CSV, JSON (tjarrettveracode) - Python script to retrive Collection results and output to PDF, CSV and/or JSON format.

• Excel (XLS) (Komiblanka) - Python scripts to format Veracode XML results into Excel workbook formats for easier human consumption.

• (XLSX) (Komiblanka) - Python scripts to format Veracode XML results into Excel workbook formats for easier human consumption.

• Generate License Notice file (Dave Ferguson) - Python script that creates a License Notice file (sometimes called an Attribution Report) for an application that has been scanned by Veracode SCA.

• Generate SBOM with Python (Chris Tyson) - Python script to generate a Software Bill of Materials (SBOM) for an application in either CycloneDX or SPDX format.

• Generate SBOM with Powershell (Chris Tyson) - Powershell script to generate a Software Bill of Materials (SBOM) for an application in either CycloneDX or SPDX format.

• Hygieia (Mickfeech) - Veracode scan collector and parser for the Hygieia dashboard.

• JupiterOne Graph Veracode (JupiterOne) - A graph conversion tool for Veracode.

• SCA Extractor (Brian1917) - Creates a CSV file with open source vulnerability (SCA) findings for all builds in the input file.

• Veracode Container Scan results to HTML (cadonuno) - Converts the JSON output of a Veracode container scan into HTML.

• Veracode Scan Compare (antfie) - Use this tool to compare two Veracode Static Analysis (SAST) scans to understand why they are different.

• Veracode Scan Health (antfie) - Produces a SAST scan health report with guidance on changes to make in order to improve the packaging and module selection to achieve greater flaw accuracy.

• VeraData (Seb Coles) - Console application that will retrieve data (all scans, flaws, mitigations etc) for a given AppId and store the results in a relational schema (only supports MSSQL Server currently) ready for plugging your favourite BI tool into!

• VeraCustomTriage (Seb Coles) - App that generates a .xlsx remediation plan from a set of scan results augmented with text from JSON configuration files. Custom text is added when flaw criteria is met (such as a CWE ID, module name, file or line number). This allows custom text such as internal workflows, wiki links, training, code snippets, 2nd party information or other languages into the auto generated remediation plan. Enables app sec teams to triage large volumes of flaws quickly whilst sharing a core advice repository in code.

• Veracode Report Converter (CSV) (Dipsylala) - .NET Framework utility to extract useful data from Detailed Report XML file into CSV format

• Veracode Report Converter Portable (CSV) (Dipsylala) - .NET Core utility to extract useful data from Detailed Report XML file into CSV format

• Veracode Bulk Reporting API Import (Cadonuno) - Retrieves all the data available from the Veracode Reporting API from a specific start date

• Veracode Gitlab SCA results report and issue generation (julz0815) - Rewrites Veracode's Agent Based SCA json results in Gitlab readable report format in (orde)r to display results as dependency scanning on the pipeline run

• Veracode Gitlab static results report and issue generation (julz0815) - A little Java Script will download json results from a Veracode policy or sandbox scan into Gitlab readable report format in order display results as SAST results on the pipeline run and create Gitlab issues on the findings

• VCCLI (Michaelhorty) - Veracode AST and Security Labs utility in .NET Core.

• Veracode Container Security Display (Unofficial) (relaxnow) - Display, sort and filter Container Security JSON results.

• Veracode Verify Scan Results (cadonuno) - This script checks for the results of the latest scan for an application profile (and optionally a sandbox) and returns all the results that meet a minimum severity criteria. Can optionally consider SCA results and fail a build.

• TopDesk (Daniel-Marchi) - Integration with ITSM | CSC | ESM tool called TopDesk.

User provisioning, management and deprovisioning

• Azure AD SAML SSO Autocreating teams (Jtotzek) - Code and documentation on configuring Azure Active Directory to automatically create teams as part of the just-in-time provisioning workflow via SAML.

• Veracode API Credentials Expiry (Christyson) - A simple example to get the exiration dates of api credentials for your users.

• Veracode Get User List (Christyson) - Get a list of users with their attributes.

• Veracode Offboard (Tjarrettveracode) - Deactivates a provided list of users on the Veracode Platform.

• Veracode User Bulk Role Assign (Tjarrettveracode) - Uses the Veracode Identity API to add roles (Security Labs User, Greenlight IDE User, or eLearning) to existing users.

• Veracode UM Powershell Tool (IGD753) - A completed User management tool write in Powershell using the Veracode APIs. You can use to create, block, delete and update users, in Windows, Linux or Mac terminal. This a simplified and translated version from the original in Portuguese.

• Veracode UM Powershell Tool in Portuguese (IGD753) - A completed User management tool write in Powershell using the Veracode APIs. This version is completed in Portuguese, and you can use to create, block, delete and update users, in Windows, Linux or Mac terminal.

Application vulnerability correlation

• DefectDojo - DefectDojo is an open-source application vulnerability correlation and security orchestration application. DefectDojo supports importing Veracode results.

• Veracode Archer (Veracode) - Script to export a Veracode Archer report file to disk. Usage: set on a timer and run daily or weekly, then import the results into RSA Archer.

HMAC Signing libraries

• auth.js (undefined) - Veracode custom HMAC request signing algorithm (used for API authorization), written in JavaScript -- uses Web Crypto API instead of the Node Crypto library

• PythonHMAC (Veracode) - simple example of usage of the Veracode API signing library provided in the Veracode Help Center

• NodeJS (undefined) - NodeJS lib, written in JavaScript, to generate authorization header with Veracode API Key and ID. Sample usage in the comment of the gist

• vcodeHMAC (Brian1917) - Go package that creates an authorization header using Veracode API Key and ID.

• vcodeHMAC-CLI (Brian1917) - CLI tool to generate an authorization header for Veracode APIs using API ID and Key. Given an HTTP method and URL, and the location of your Veracode API credentials file, you will get the value of an Authorization header printed out for piping into curl, httpie, or other scripting uses.

• veracode-go-hmac-authentication (antfie) - A simple Go package that follows the format of the existing HMAC Authentication Examples found in the Veracode Help Center.

• Veracode_HMAC_Auth (rafaelzm2000) - A PowerShell example for doing HMAC authentication to the Veracode APIs.

• Using curl and openssl to access the Veracode API endpoint (m9aertner) - short article illustrating use of built-in shell tools to handle HMAC signing and send API requests from the command line.

API wrappers

• .NET Core Nuget Package Wrapper (Seb Coles) - C# NuGet package that wraps XML APIs

• Go wrapper (Brian1917) - Wrapper written in Go for easy use of Veracode APIs

• node-veracode-api-client (M4l1c3) - Node.js API client.

• veracode-api (Ruby) (Mort666) - Ruby Wrapper for the Veracode API.

• veracode-api-clients (Jourzero) - Client code using the Veracode REST and XML APIs. Includes handlers for Veracode Dynamic Analysis scanning.

• veracode-api-py (Tjarrettveracode) - Python helper library for working with the Veracode APIs. Handles retries, pagination, and other features of the modern Veracode REST APIs.

Other integrations

• Bash shell (Aparsons) - Bash script for scanning a directory of code with the Veracode platform.

• F5 WAF (Julz0815) - Transforms Veracode dynamic result files into the F5 generic scanner result format for import into the F5 web application firewall.

• verapi (Fsclyde) - Lambda function for automating Veracode static scans

• veracode-api (Node) (Kinichahau87) - Node.js package for automating Veracode scanning from the command line.

• Veracode-cli (Adidas) - Automated way to check application status and DevSecops compliance.

• VeraHooks Mitigation Webhooks (Seb Coles) - React .NET Core solution for creating custom webhooks that watch application profiles and trigger when mitigations meet specified conditions.

Secure coding examples

• Secure cryptography examples for Java (1MansiS) - Code samples showing how to use the Java Crypto API securely. Accompanying code for the Java Crypto blog series.

Insecure applications

• VeraDemo (Jtsmith2020) - Sample insecure application written in Java and Javascript, showing vulnerabilities in realistic Java code.

• VeraDemoAPI (Veracode) - Sample insecure application written in Javascript, showing vulnerabilities in realistic Javascript code.

• VeraDemoJava (Veracode) - Sample insecure application written in Java, showing vulnerabilities in realistic Java code.

• VeraDemoDocker (Veracode) - Bringing the 2 demo apps above VeraDemoJave and VeraDemoAPI together and start them within a docker environment. You will get a Java Web Application, a JavaScript node express API. a MySQL database and a vulnerable container.

• NodeGoat (Buzzcode) - NodeGoat, built w/CircleCI, showing how to use a yaml file to scan w/Veracode.

Automating Security Labs tasks

• Security Labs Scripts (Dave Ferguson) - Python scripts to automate various administrative tasks in Veracode Security Labs.