
Veracode Community Open Source Projects

A collection of useful open source projects that integrate with the Veracode APIs to automate scanning, results retrieval and other tasks.

These projects are community contributed and not supported by Veracode. For a list of supported projects, please see the listing of projects on Veracode.com.

Contents

Automating common Veracode Platform tasks

Application Profile maintenance

Mitigations

  • VcodeAutoMitigate (Brian1917) - Command line app that mitigates flaws in Veracode based on CWE, scan type, and specific text in the description.

  • VcodeMitigationExpire (Brian1917) - Utility designed to be run on a regular cadence (e.g., weekly cron job) to expire mitigations. The types of mitigations, expiration references, and other settings are controlled in a JSON config file.

  • Veracode Mitigation Copier (Tjarrettveracode) - Copies mitigations from one Veracode profile to another if it's the same flaw based on the following flaw attributes: issueid, cweid, type, sourcefile, and line. The script will copy all proposed and accepted mitigations for the flaw. The script will skip a flaw in the copy_to build if it already has an accepted mitigation.

  • Veracode SAST Bulk Mitigator (antfie) - This tool performs bulk mitigation actions on open SAST flaws reported in multiple application profiles. The definitions of what to mitigate (e.g. file name, line number) and the mitigation comments and actions to apply are defined via a JSON file. Application profile names to target are specified via a text file or alternatively a flag can be set to process all application profiles.

Sandboxes

Scan status

  • Check Build Status (Christyson) - Script to check if an application profile in Veracode has a build running currently. It also provides an option to delete the build if there is one running.

  • Check Pass Fail (Christyson) - A simple example script to check the pass/fail status of a Veracode app profile (or sandbox), or of a list of app profiles without sandboxes.

  • Veracode Break the Build by Severity (Christyson) - This project contains three Python scripts useful for working with Veracode projects in a build pipeline to break the build if any findings of a given severity or higher are found.

  • Veracode Scan Counts (Tjarrettveracode) - Identify Veracode application profiles with one or more static scans in an incomplete state.

Other tasks

Developer tools

Auto Packagers (for SAST)

Note: Veracode recommends using the auto-packaging capability in the Veracode CLI (veracode package). These scripts are provided for reference only.

CI/CD

  • Bamboo (Buzzcode) - Full-featured Bamboo plugin including a configuration UI, waiting for the scan to complete, and "break the build" functionality.

  • Bamboo-Jira (Buildcom) - provides a pair of simple plugins for upload and results handling from within Bamboo, and a lightweight script to create Jira issues (archived project)

  • Bash-CircleCI (Unregistered436) - Veracode Upload and Scan Bash Script, originally written for CircleCI but can be used for any build system that can run a shell script in bash.

  • Bitrise-step-veracode-scan (Psoladoye-geotab) - add Veracode scanning to Bitrise CI.

  • CircleCI (ctcircleci) - Example configurations for building a project with Maven, then executing policy scan, agent-based SCA, and pipeline scan in a CircleCI pipeline.

  • CircleCI (buzzcode) - Example configuration for zipping a project, then executing policy scan, agent-based SCA, and pipeline scan in a CircleCI pipeline.

  • easy_sast (docker container) - A Docker container for use in CI pipelines which integrates with Veracode's static analysis tool.

  • Exemplos Veracode (Ivo Dias) - In this repository you will find several examples of Veracode implementations created by the M3Corp team. In the Pipelines folder you can find how to implement them in the most diverse CI/CD tools, such as Azure, GitLab, GitHub Actions and Jenkins. Other implementation examples, such as running in a terminal and translating the results, are also available. We normally publish in Portuguese, but the examples are completely understandable in other languages.

  • Jenkins (Jenkins Shell) (Ian C Leonard) - unofficial Veracode shell integration for Jenkins Freestyle projects.

  • veracode-badges (Lerer) - produces badges for READMEs and other artifact repositories showing the status of Veracode policy scans.

  • Veracode Community SAST Azure DevOps Extension (MetLife) - Seamlessly integrate Veracode SAST scans with Azure DevOps build pipelines (using Pipeline Scan).

  • veracode-scripts (aszaryk) - Various example scripts for Jenkins and GitLab pipelines, including both static and dynamic examples.

  • veracode-serverless-webhooks (Lerer) - enables Veracode customers who want to use the Veracode Upload-and-Scan Static and SCA (not the Pipeline or the IDE scans) and get updates back in an asynchronous manner.

  • Verademo (christyson) - custom fork of Verademo, featuring sample pipeline configurations for Bitbucket, Jenkins and Azure Pipelines.

  • XebiaLabs Release Veracode Plugin (XebiaLabs-Community) - XL Release for Veracode test automation.

  • veracode-yml-sample-pipelines (Victor-secops) - example YML files for Azure DevOps, Jenkins, GitLab, CircleCI. Pipelines include Veracode SCA Agent scans, Veracode Static Analysis policy and pipeline scans.

  • veracode-aws-documentation (Clintpollock) - How to setup an AWS CodeSuite with Veracode Static Analysis, Software Composition Analysis, and Dynamic Analysis.

  • veracode-examples (Brandon Samuel) - This repository contains veracode examples in the form of use cases that can be run in end-user environments. Kubernetes. AWS CodePipeline. CircleCi to GCP Functions. Multi-tiered application leveraging various languages.

Azure DevOps

GitHub

  • Veracode Application Sandboxes Helper (Lerer) - An Action to handle Sandboxes mainly as a set of clean-up activities such as: deleting a sandbox and promoting Sandbox scan to Policy Scan with or without deleting the sandbox

Build tools

  • Gradle (CalgaryScientific, based on Kctang) - Set of Gradle tasks, usable either as a command line submission tool or integrated as part of a continuous integration build process, to perform Veracode submission for applications and scan results for flaws.

  • Sbt-veracode (Sullis) - sbt plugin for Veracode.

IDEs

  • VSCode-Veracode (Buzzcode) - a plugin for Visual Studio Code that enables integration with Veracode Static Analysis. Currently, this only supports flaw download, but will be enhanced to support upload as well in the future.

  • vsccode-veracode-sca (Lerer) - A very simple plugin for Veracode SCA to get agent-based SCA results into the VSCode IDE.

  • Veracode Unified Plugin Unofficial Version (Lerer) - VSCode plugin which integrates with the Veracode platform and enables downloading of scan results (findings) for both Static and SCA (Upload-and-Scan), running pipeline scans, and submitting mitigations. Link to the plugin in the VSCode marketplace.

  • Jetbrains family plugin (GeraldTanCL) - Complements Veracode's official IntelliJ IDE integration with support for other Jetbrains IDE products. It enables you to download SAST results from the Veracode Platform into your Jetbrains IDE.

API testing tools

Other

  • Ansible (Telus Digital) - allows uploading and scanning with Veracode from Ansible, with an option to send results to a Slack channel

  • Flowdock (Brian1917) - Utility designed to be run in a build process after a Veracode scan to notify a Flowdock flow that the scan completed. Optional to include policy compliance info in notification.

  • PowerShell (Unregistered436) - PowerShell script for pushing binaries to Veracode using Java API.

  • SonarQube (Buzzcode) - Unofficial Veracode plugin for SonarQube.

  • Veracode QuickScan (relaxnow) - PHP example of how to connect to the APIs, scan a couple of files and get results.

  • Veracode Upload and Scan Shell Script (Christyson) - A shell script to upload and scan an application (zip, war, etc.) and create the application profile if necessary. Uses curl and HMAC headers.

Pipeline Scan

Dynamic Analysis

Software Composition Analysis

SBOM

Results collection and display

User provisioning, management and deprovisioning

Application vulnerability correlation

  • DefectDojo - DefectDojo is an open-source application vulnerability correlation and security orchestration application. DefectDojo supports importing Veracode results.

  • Veracode Archer (Veracode) - Script to export a Veracode Archer report file to disk. Usage: set on a timer and run daily or weekly, then import the results into RSA Archer.

HMAC Signing libraries

  • auth.js (undefined) - Veracode custom HMAC request signing algorithm (used for API authorization), written in JavaScript -- uses Web Crypto API instead of the Node Crypto library

  • PythonHMAC (Veracode) - simple example of usage of the Veracode API signing library provided in the Veracode Help Center

  • NodeJS (undefined) - NodeJS lib, written in JavaScript, to generate authorization header with Veracode API Key and ID. Sample usage in the comment of the gist

  • vcodeHMAC (Brian1917) - Go package that creates an authorization header using Veracode API Key and ID.

  • vcodeHMAC-CLI (Brian1917) - CLI tool to generate an authorization header for Veracode APIs using API ID and Key. Given an HTTP method and URL, and the location of your Veracode API credentials file, you will get the value of an Authorization header printed out for piping into curl, httpie, or other scripting uses.

  • veracode-go-hmac-authentication (antfie) - A simple Go package that follows the format of the existing HMAC Authentication Examples found in the Veracode Help Center.

  • Veracode_HMAC_Auth (rafaelzm2000) - A PowerShell example for doing HMAC authentication to the Veracode APIs.

  • Using curl and openssl to access the Veracode API endpoint (m9aertner) - short article illustrating use of built-in shell tools to handle HMAC signing and send API requests from the command line.

API wrappers

Other integrations

  • Bash shell (Aparsons) - Bash script for scanning a directory of code with the Veracode platform.

  • F5 WAF (Julz0815) - Transforms Veracode dynamic result files into the F5 generic scanner result format for import into the F5 web application firewall.

  • verapi (Fsclyde) - Lambda function for automating Veracode static scans

  • veracode-api (Node) (Kinichahau87) - Node.js package for automating Veracode scanning from the command line.

  • Veracode-cli (Adidas) - Automated way to check application status and DevSecops compliance.

  • VeraHooks Mitigation Webhooks (Seb Coles) - React .NET Core solution for creating custom webhooks that watch application profiles and trigger when mitigations meet specified conditions.

Secure coding examples

Insecure applications

  • VeraDemo (Jtsmith2020) - Sample insecure application written in Java and Javascript, showing vulnerabilities in realistic Java code.

  • VeraDemoAPI (Veracode) - Sample insecure application written in Javascript, showing vulnerabilities in realistic Javascript code.

  • VeraDemoJava (Veracode) - Sample insecure application written in Java, showing vulnerabilities in realistic Java code.

  • VeraDemoDocker (Veracode) - Brings the two demo apps above, VeraDemoJava and VeraDemoAPI, together and starts them within a Docker environment. You will get a Java web application, a JavaScript Node Express API, a MySQL database and a vulnerable container.

  • NodeGoat (Buzzcode) - NodeGoat, built w/CircleCI, showing how to use a yaml file to scan w/Veracode.

Automating Security Labs tasks