A collection of useful open source projects that integrate with the CA Veracode APIs to automate scanning, results retrieval and other tasks.
These projects are community contributed and not supported by CA Veracode. For a list of supported projects, please see the listing of projects on Veracode.com.
- VcodeAutoMitigate (Brian1917) - Command line app that mitigates flaws in Veracode based on CWE, scan type, and specific text in the description.
- VcodeMitigationExpire (Brian1917) - Utility designed to be run on a regular cadence (e.g., weekly cron job) to expire mitigations. The types of mitigations, expiration references, and other settings are controlled in a JSON config file.
- Veracode mitigation copier (Brian1917) - Copies mitigations from one Veracode profile to another if it's the same flaw based on the following flaw attributes: issueid, cweid, type, sourcefile, and line. The script will copy all proposed and accepted mitigations for the flaw. The script will skip a flaw in the copy_to build if it already has an accepted mitigation.
- Veracode BCA Builder (Brian1917) - Shell script to generate the BCA package to scan an iOS app.
- Ansible (Telus Digital) - Allows uploading and scanning with Veracode from Ansible, with an option to send results to a Slack channel.
- Bamboo (Buzzcode) - Full-featured Bamboo plugin including a configuration UI, waiting for the scan to complete, and "break the build" functionality.
- Bamboo/Jira (Buildcom) - Provides a pair of simple plugins for upload and results handling from within Bamboo, and a lightweight script to create Jira issues.
- CircleCI (Unregistered436) - Veracode Upload and Scan shell script, originally written for CircleCI but usable with any build system that can run a bash shell script.
- ConcourseCI, Gitlab, Travis (Ctcampbell) - Example configurations for integrating Veracode scanning in various continuous integration systems.
- Dynamic Scan and Wait for Result (Christyson) - Extends the Java API Wrapper to provide "break the build" style scanning. Includes instructions on how to integrate this workflow into Jenkins.
- Flowdock (Brian1917) - Utility designed to be run in a build process after a Veracode scan to notify a Flowdock flow that the scan completed. Optionally includes policy compliance information in the notification.
- Gitlab (Ctcampbell) - An example configuration for Veracode integration with GitLab.
- Gradle (Kctang) - Set of Gradle tasks, usable either as a command line submission tool or integrated as part of a continuous integration build process, to submit applications to Veracode and retrieve scan results for flaws.
- Insomnia (Ctcampbell) - Adds an HMAC authentication header to Veracode API requests in Insomnia.
- PowerShell (Unregistered436) - PowerShell script for pushing binaries to Veracode using the Java API.
- Slack (Ctcampbell) - AWS Lambda commands that provide the ability to access Veracode application and build information from Slack.
- Veracode QuickScan (relaxnow) - PHP example of how to connect to the APIs, scan a couple of files and get results.
- Excel (XLS), (XLSX) (Komiblanka) - Python scripts to format Veracode XML results into Excel workbook formats for easier human consumption.
- go Veracode results (M4l1c3) - Go utility for processing Veracode results.
- Hygieia (Mickfeech) - Veracode scan collector and parser for the Hygieia dashboard.
- SCA Extractor (Brian1917) - Creates a CSV file with open source vulnerability (SCA) findings for all builds in the input file.
- Stats (Ctcampbell) - Summary statistics for a Veracode account on the command line.
- Veracode Report Converter (CSV) (Dipsylala) - .NET Framework utility to extract useful data from a Detailed Report XML file into CSV format.
- Veracode Report Converter - Portable (CSV) (Dipsylala) - .NET Core utility to extract useful data from a Detailed Report XML file into CSV format.
- veracode-to-csv (Ctcampbell) - This script outputs one CSV file per scan per application profile visible in a Veracode platform account. The output can be imported into Splunk for further analysis.
- DefectDojo - DefectDojo is an open-source application vulnerability correlation and security orchestration application. DefectDojo supports importing Veracode results.
Projects in this category implement HMAC digest signing, which is required to use Veracode APIs that use a Veracode ID and Key.
- NodeJS - NodeJS library to generate an authorization header with a Veracode API Key and ID. Sample usage is in the comments of the gist.
- vcodeHMAC (Brian1917) - Go package that creates an authorization header using a Veracode API Key and ID.
- vcodeHMAC-CLI (Brian1917) - CLI tool to generate an authorization header for Veracode APIs using an API ID and Key. Given an HTTP method and URL, and the location of your Veracode API credentials file, it prints the value of an Authorization header for piping into curl, httpie, or other scripting uses.
- Using curl and openssl to access the Veracode API endpoint (m9aertner) - Short article illustrating the use of built-in shell tools to handle HMAC signing and send API requests from the command line.
- Bash shell (Aparsons) - Bash script for scanning a directory of code with the Veracode platform.
- F5 WAF (Julz0815) - Transforms Veracode dynamic result files into the F5 generic scanner result format for import into the F5 web application firewall.
- Go wrapper (Brian1917) - Wrapper written in Go for easy use of the Veracode APIs.
- node-veracode-api-client (M4l1c3) - Node.js API client.
- verapi (Fsclyde) - Lambda function for automating Veracode static scans.
- veracode-api (Node) (Kinichahau87) - Node.js package for automating Veracode scanning from the command line.
- veracode-api (Ruby) (Mort666) - Ruby wrapper for the Veracode API.
- Veracode Notifier (Ctcampbell) - Lambda function that sends a message to a web hook, for instance for use with Slack.
- Secure cryptography examples for Java (1MansiS) - Code samples showing how to use the Java Crypto API securely. Accompanying code for the Java Crypto blog series.
- VeraDemo (Jtsmith2020) - Sample insecure application written in Java and JavaScript, showing vulnerabilities in realistic Java code.