Veracode
Veracode is a comprehensive AppSec platform providing SAST, DAST, SCA, and container scanning capabilities for secure software development.
Installation
CLI Setup (Veracode Greenlight)
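# Download the Greenlight scanner (macOS build).
# NOTE(review): "latest" is an unpinned, unverified download that is executed
# immediately afterwards. Pin a version and check the archive against the
# vendor-published checksum or signature (if one is provided) before running
# it, or mirror a reviewed copy in an internal artifact store.
# -f: fail on HTTP 4xx/5xx instead of saving an error page as the .zip;
# -L: follow redirects; -sS: quiet but still report errors.
curl -fsSLO https://downloads.veracode.com/securityscan/GL/latest/mac/VeracodeGreenlight.zip
unzip VeracodeGreenlight.zip
chmod +x greenlight
# Linux installation — the same pinning/verification caveat applies.
wget -q https://downloads.veracode.com/securityscan/GL/latest/linux/VeracodeGreenlight.tgz
tar -xzf VeracodeGreenlight.tgz
chmod +x greenlight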
Container Scanning
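# Pull the Veracode container scanner image.
# In CI, pin to a version tag or digest rather than :latest so the scanner
# itself is a reproducible, reviewable dependency.
docker pull registry.veracode.com/veracode/greenlight:latest
# Scan a local image.
# `-e NAME` with no value forwards the variable from the current environment,
# so the API key does not appear in the docker argv (`ps`, CI command echo).
# NOTE(review): mounting /var/run/docker.sock gives the scanner container
# root-equivalent control of the host's Docker daemon. Tolerable on an
# ephemeral CI runner; avoid it on shared or developer machines — check the
# vendor docs for whether the scanner accepts an exported image archive
# (`docker save`) instead of the socket.
docker run --rm \
  -e VERACODE_API_ID \
  -e VERACODE_API_KEY \
  -v /var/run/docker.sock:/var/run/docker.sock \
  registry.veracode.com/veracode/greenlight:latest \
  --image myapp:latest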
Authentication
API Credentials
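# Option 1: environment variables. Avoid typing the key inline in an
# interactive shell (it lands in shell history); source it from a secrets
# manager or `read -rs` prompt instead.
export VERACODE_API_ID="your_api_id"
export VERACODE_API_KEY="your_api_key"
# Option 2: credentials file. Create it owner-readable only — the subshell
# scopes the umask so the caller's umask is not changed.
mkdir -p ~/.veracode
chmod 700 ~/.veracode
(
  umask 077
  cat > ~/.veracode/credentials << 'EOF'
veracode_api_id = your_api_id
veracode_api_key = your_api_key
EOF
)
chmod 600 ~/.veracode/credentials
# NOTE(review): confirm the key names and section layout above against
# Veracode's current credentials-file documentation before relying on it.
# Verify the credentials. -f fails on HTTP 4xx/5xx instead of piping an error
# page into jq; -sS hides the progress meter but keeps error output.
# NOTE(review): Veracode's REST API is documented as using HMAC request
# signing rather than HTTP basic auth — if this returns 401, use the Veracode
# HMAC signing helper instead of `-u`.
curl -fsS -u "$VERACODE_API_ID:$VERACODE_API_KEY" \
  "https://api.veracode.com/apigw/v1/organizations" | jq '.organizations'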
Static Analysis (SAST)
Upload for Scanning
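# Upload one artifact for scanning. Set APP_ID to the Veracode application
# profile ID first (e.g. `export APP_ID=...`).
veracode_api_wrapper.py \
  --action uploadfile \
  --appid "$APP_ID" \
  --filepath target/myapp.jar
# Upload several artifacts. Guard against an empty dist/: with no matches the
# unexpanded pattern "dist/*.jar" would otherwise be passed as a literal path.
for jar in dist/*.jar; do
  [[ -e "$jar" ]] || continue
  veracode_api_wrapper.py \
    --action uploadfile \
    --appid "$APP_ID" \
    --filepath "$jar"
done
# Start the prescan once every artifact has been uploaded.
veracode_api_wrapper.py \
  --action beginprescan \
  --appid "$APP_ID"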
Scan Configuration
# Feature-branch scans go into a sandbox so they stay separate from the
# application's main (policy) scan history.
veracode_api_wrapper.py --action createsandbox --appid "APP_ID" --sandboxname "feature-branch"
# Upload the artifact into that sandbox. SANDBOX_ID is presumably the id
# reported when the sandbox was created — confirm from the wrapper's output.
veracode_api_wrapper.py --action uploadfile --appid "APP_ID" --sandboxid "SANDBOX_ID" --filepath myapp.jar
Monitor Scan Status
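# Poll the prescan status (APP_ID = the application profile ID, exported earlier).
veracode_api_wrapper.py \
  --action getprescanresults \
  --appid "$APP_ID"
# Pull the detailed report once the scan has completed.
veracode_api_wrapper.py \
  --action getdetailedreport \
  --appid "$APP_ID" \
  --format json > scan-results.json
# List high-severity flaws. -fsS makes curl fail on HTTP errors instead of
# feeding an error body to jq; the URL is quoted so `?`/`&` are not parsed by
# the shell.
# NOTE(review): Veracode's REST API is documented as using HMAC request
# signing; if basic auth (-u) returns 401, switch to the HMAC signing helper.
curl -fsS -u "$VERACODE_API_ID:$VERACODE_API_KEY" \
  "https://api.veracode.com/apigw/v1/applications/$APP_ID/findings?severity=high" | jq '.findings[]'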
Dynamic Analysis (DAST)
Configure Analysis
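# Create a DAST scan. Point DAST only at systems you own or are explicitly
# authorised to test — the scan sends attack payloads to the target.
# -fsS: fail on HTTP errors rather than silently passing an error body to jq.
curl -fsS -X POST \
  -u "$VERACODE_API_ID:$VERACODE_API_KEY" \
  -H "Content-Type: application/json" \
  https://api.veracode.com/dast/v1/scans \
  -d '{
    "target_url": "https://staging.example.com",
    "scan_name": "Staging Scan",
    "scanned_resource_type": "WEBSITE"
  }' | jq '.scan_id'
# Set the scan scope (SCAN_ID = the id returned above). The JSON body needs
# the Content-Type header here as well — without it curl sends -d payloads as
# application/x-www-form-urlencoded. Excluding /logout keeps the crawler from
# terminating its own authenticated session.
curl -fsS -X POST \
  -u "$VERACODE_API_ID:$VERACODE_API_KEY" \
  -H "Content-Type: application/json" \
  "https://api.veracode.com/dast/v1/scans/$SCAN_ID/scope" \
  -d '{
    "include_url_patterns": [
      "https://staging.example.com/*"
    ],
    "exclude_url_patterns": [
      "https://staging.example.com/logout"
    ]
  }'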
Run DAST Scan
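# Submit the configured scan (SCAN_ID from the create step).
curl -fsS -X POST \
  -u "$VERACODE_API_ID:$VERACODE_API_KEY" \
  "https://api.veracode.com/dast/v1/scans/$SCAN_ID/submit"
# Check progress. In CI, loop on this with a sleep between polls until the
# status reports completion (exact status values: see the DAST API docs).
curl -fsS -u "$VERACODE_API_ID:$VERACODE_API_KEY" \
  "https://api.veracode.com/dast/v1/scans/$SCAN_ID" | jq '.status'
# Fetch the findings once the scan is complete.
curl -fsS -u "$VERACODE_API_ID:$VERACODE_API_KEY" \
  "https://api.veracode.com/dast/v1/scans/$SCAN_ID/findings" | jq '.findings[]'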
Software Composition Analysis (SCA)
Agent-Based Scanning
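# Download the SCA agent. As with Greenlight, this is an unpinned, unverified
# binary that is then executed: pin a version, verify the checksum/signature
# the vendor publishes (if any), or serve a reviewed copy from an internal
# mirror. -f avoids unzipping an HTTP error page; -L follows redirects.
curl -fsSLO https://downloads.veracode.com/securityscan/sca-agent/latest/agent.zip
unzip agent.zip
java -jar agent.jar --help
# Scan a project tree.
# NOTE(review): --api_key on the command line is visible in `ps`, shell
# history and CI command echo for the duration of the scan. Check the agent's
# --help for an environment-variable or credentials-file alternative and
# prefer that in CI.
java -jar agent.jar \
  --url https://api.veracode.com \
  --token_url https://api.veracode.com/token \
  --api_id "$VERACODE_API_ID" \
  --api_key "$VERACODE_API_KEY" \
  --src /path/to/project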
IDE Integration (VS Code)
# Install the Veracode SCA extension for VS Code
code --install-extension veracode.veracode-sca
# Configure the API key in VS Code settings.json.
# Put it in the *user* settings (~/.config/Code/User/settings.json or the OS
# equivalent), NOT in the workspace .vscode/settings.json — workspace settings
# are routinely committed to the repository and would leak the key.
# NOTE(review): the setting names below are as given on this page; confirm
# them against the extension's README.
{
"veracode.apiId": "your_api_id",
"veracode.apiKey": "your_api_key"
}
# Scan from editor - right-click project, select "Scan with Veracode"
Results
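# List SCA findings for the organisation (ORG_ID = your Veracode organisation id).
curl -fsS -u "$VERACODE_API_ID:$VERACODE_API_KEY" \
  "https://api.veracode.com/apigw/v1/organizations/$ORG_ID/sca/findings" | jq '.findings[]'
# Suppress a finding that has been triaged as not applicable.
# A PATCH with a JSON body needs the Content-Type header; without it curl sends
# the payload form-encoded. A suppression presumably removes the finding from
# policy evaluation, so keep the written justification (ticket / analysis link)
# with the triage record — the reason code alone is not an audit trail.
curl -fsS -X PATCH \
  -u "$VERACODE_API_ID:$VERACODE_API_KEY" \
  -H "Content-Type: application/json" \
  "https://api.veracode.com/apigw/v1/organizations/$ORG_ID/sca/findings/$FINDING_ID" \
  -d '{"suppression_reason": "NOT_APPLICABLE"}'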
Container/Image Scanning
Greenlight for Containers
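# Scan a local Docker image against a named policy.
./greenlight \
  --image myapp:v1.0 \
  --dockerfile ./Dockerfile \
  --policy "Veracode Recommended"
# Scan an image held in a private registry.
# NOTE(review): never put a literal password on the command line — it lands in
# shell history, `ps` output and CI logs. Take it from the environment at
# minimum; argv is still visible in `ps`, so prefer a stdin or credentials-file
# option if `./greenlight --help` offers one.
./greenlight \
  --registry-username "$REGISTRY_USER" \
  --registry-password "$REGISTRY_PASSWORD" \
  --image registry.example.com/myapp:latest
# CI/CD integration. --image needs a full image reference (name:tag); a bare
# commit SHA is not an image. GitLab's predefined CI_REGISTRY_IMAGE and
# CI_COMMIT_SHA are used here — substitute your CI system's equivalents.
greenlight \
  --image "${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}" \
  --json-report results.json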
CI/CD Pipeline Integration
GitHub Actions
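name: Veracode
on: [push, pull_request]
# Least privilege: the job only needs to read repository contents.
permissions:
  contents: read
jobs:
  veracode-scan:
    runs-on: ubuntu-latest
    steps:
      # Supply chain: pin third-party actions to a full commit SHA (or at least
      # a release tag). `@master` silently runs whatever the branch points to.
      - uses: actions/checkout@v4
      - name: Build
        run: mvn clean package
      # NOTE(review): repository secrets are not exposed to pull_request runs
      # from forks, so the two scan steps below fail there. Gate them with an
      # `if:` on the event/repository, or trigger the scans on push only.
      - name: Veracode SAST
        uses: veracode/veracode-uploadandscan-action@<commit-sha>   # pin; do not track master
        with:
          appname: '${{ github.repository }}'
          createprofile: true
          filepath: 'target/myapp.jar'
          vid: '${{ secrets.VERACODE_API_ID }}'
          vkey: '${{ secrets.VERACODE_API_KEY }}'
      - name: SCA Scan
        uses: veracode/veracode-sca-action@<commit-sha>   # pin; do not track master
        with:
          api_id: ${{ secrets.VERACODE_API_ID }}
          api_key: ${{ secrets.VERACODE_API_KEY }}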
GitLab CI
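veracode_sast:
  stage: security   # must also be declared in the top-level `stages:` list
  # Literal block scalar: as a plain scalar the backslash-continued lines would
  # be folded into one line and the shell would receive stray "\ " arguments.
  # VERACODE_API_ID / VERACODE_API_KEY should be masked + protected CI
  # variables; they are quoted so a value with spaces is passed intact. They
  # still appear in `ps` on the runner for the scan's duration — prefer an
  # env-var or credentials-file option if the agent provides one.
  # NOTE(review): nothing in this job fetches agent.jar; it is assumed to be
  # present in the image or a prior stage.
  script:
    - |
      java -jar agent.jar \
        --url https://api.veracode.com \
        --api_id "$VERACODE_API_ID" \
        --api_key "$VERACODE_API_KEY" \
        --src .
  # NOTE(review): the original published results.json as a GitLab
  # `container_scanning` report, but this job runs the SCA agent (not a
  # container scan) and nothing above writes results.json. Publish whatever
  # file the agent actually writes as a plain artifact; adjust the path.
  artifacts:
    when: always
    paths:
      - results.json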
Jenkins
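stage('Veracode SAST') {
  steps {
    // Bind the API credentials from the Jenkins credential store for this
    // step only; they reach the shell as environment variables and Jenkins
    // masks them in the console log.
    // NOTE(review): the credentialsId and the -vid/-vkey flag names are
    // assumed from the GitHub Actions inputs on this page — confirm them
    // against `java -jar VeracodeJavaAPI.jar -help`.
    withCredentials([usernamePassword(credentialsId: 'veracode-api',
                                      usernameVariable: 'VERACODE_API_ID',
                                      passwordVariable: 'VERACODE_API_KEY')]) {
      // Triple single quotes: Groovy does NOT interpolate ${...} here, so the
      // shell expands VERACODE_APP_ID, WORKSPACE and the bound credentials.
      // `set +x` stops the default command echo from printing the full
      // argument list (the key would otherwise be echoed, masked or not).
      sh '''
        set +x
        # NOTE(review): the API jar is downloaded unpinned and unverified on
        # every build. Prefer a pinned, checksum-verified copy from an
        # internal artifact store. -f avoids unzipping an HTTP error page.
        curl -fsSLO https://downloads.veracode.com/securityscan/API/VeracodeJavaAPI.zip
        unzip -o VeracodeJavaAPI.zip
        java -jar VeracodeJavaAPI.jar \
          -action uploadandscan \
          -appid "${VERACODE_APP_ID}" \
          -createprofile true \
          -vid "${VERACODE_API_ID}" \
          -vkey "${VERACODE_API_KEY}" \
          -filepath "${WORKSPACE}/build/app.jar"
      '''
    }
  }
}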
Policy Management
Scan Policies
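# List the policies available to the account (-fsS: fail on HTTP errors
# instead of feeding an error body to jq).
curl -fsS -u "$VERACODE_API_ID:$VERACODE_API_KEY" \
  https://api.veracode.com/apigw/v1/policies | jq '.policies[]'
# Assign a policy to an application profile. The body is built with jq so a
# GUID containing quotes or backslashes cannot break the JSON.
# NOTE(review): this is a PUT on the whole application resource; if the API
# treats PUT as a full replacement, a body holding only policy_guid may reset
# other profile fields. Fetch the profile first and send the full, modified
# object if that is the case.
curl -fsS -X PUT \
  -u "$VERACODE_API_ID:$VERACODE_API_KEY" \
  -H "Content-Type: application/json" \
  "https://api.veracode.com/apigw/v1/applications/$APP_ID" \
  -d "$(jq -n --arg g "$POLICY_GUID" '{policy_guid: $g}')"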
Compliance Standards
# Compliance summary for the application, saved as JSON.
veracode_api_wrapper.py --action getcompliancesummary --appid "APP_ID" --format json > compliance.json
# Per-standard status (PCI, HIPAA, OWASP, ...).
curl -u "$VERACODE_API_ID:$VERACODE_API_KEY" "https://api.veracode.com/apigw/v1/applications/APP_ID/compliance" | jq '.standards'
Result Reporting
Export Results
# Detailed report as JSON.
veracode_api_wrapper.py --action getdetailedreport --appid "APP_ID" --format json > report.json
# The same report in the legacy XML format.
veracode_api_wrapper.py --action getdetailedreport --appid "APP_ID" --format xml > report.xml
# Findings as CSV for spreadsheet review (--output writes the body to a file).
curl --user "$VERACODE_API_ID:$VERACODE_API_KEY" \
  --output findings.csv \
  "https://api.veracode.com/apigw/v1/applications/APP_ID/findings?format=csv"
Metrics & Trends
# Remediation (fix-rate) metrics for the application.
curl --user "$VERACODE_API_ID:$VERACODE_API_KEY" \
  "https://api.veracode.com/apigw/v1/applications/APP_ID/fix-rate-metrics"
# Finding counts over time — the security-posture trend line.
curl --user "$VERACODE_API_ID:$VERACODE_API_KEY" \
  "https://api.veracode.com/apigw/v1/applications/APP_ID/findings/summary-by-date"
Best Practices
- Run SAST on every build and DAST against staging on a weekly schedule (only against environments you are authorized to test)
- Enforce policy: fail builds with critical flaws
- Enable SCA to track open source component risks
- Suppress false positives only with a documented, reviewed justification (ticket or analysis link), and re-review suppressions periodically
- Generate reports for PCI/SOC2 compliance
- Integrate with issue tracking (Jira) for remediation
- Set up notifications for new high/critical findings
- Keep locally installed scanners (Greenlight CLI, SCA agent, API jar) up to date — and re-pin them deliberately — so new vulnerability coverage reaches your builds
- Use the Veracode Flaw Source Code Connector to view code