GitHub

You can use Veracode for GitHub to integrate Veracode Static Analysis with GitHub Actions. This integration enables you to automate scanning of your application code from within GitHub.

Veracode provides these preconfigured GitHub Actions in the GitHub Marketplace:

  • Veracode Upload and Scan: use the Veracode Java API wrapper to perform an upload and scan of your application code in your GitHub project. You can view the scan results in the Veracode Platform. To configure this action, edit the settings in the provided action.yml file.

  • Veracode Workflow App: allows you to set up an automated security scanning program for all of your GitHub repositories in a single configuration file. See the complete documentation.

  • Veracode Static Analysis Pipeline Scan and import of results to SARIF: run a pipeline scan of your application code within your GitHub development pipeline. The action also converts the scan results to a Static Analysis Results Interchange Format (SARIF) file and imports them as code-scanning alerts. To view the scan results, in your GitHub project, select Security > Code scanning alerts.

    To configure this action, edit the settings in the provided /workflows/main.yml file. For example, if you do not want the action to convert the scan results from JSON format to SARIF format and import them into GitHub, you can remove or comment out those settings.

  • Veracode Fix as a GitHub Action: use Veracode Fix as a GitHub Action to:

    • Get AI-generated code patches for fixing flaws in your code.
    • Review the suggested code patches.
    • Create a branch and open a pull request with the suggested fixes.
    • Apply the fixes directly to flaws.

    The Veracode Fix GitHub Action uses the results of a Veracode Pipeline Scan to generate code patches for the flaws discovered in your source code and to comment on pull requests with those fixes. You apply the code patches to the flaws to fix them. By default, Veracode Fix applies its first suggested code fix to a flaw. To try other suggestions, you can also use Fix in your IDE or in the Veracode CLI.

    The action consumes the output of Veracode's pipeline-scan action, which can store either all identified flaws (results.json) or the filtered results (filtered_results.json). To configure this action, edit the settings in the provided /workflows/main.yml file.

Veracode provides additional Pipeline Scan examples that you can add to GitHub Actions. You can also integrate Veracode Software Composition Analysis (SCA) with GitHub Actions.

Prerequisites

  • You have generated API credentials.
  • Your Veracode API credentials are stored securely as encrypted secrets in GitHub. The YAML workflow files of the provided GitHub Actions reference these encrypted secrets to authenticate to Veracode, so the credentials never appear in the repository.
  • If you are performing static analysis using a development sandbox, you have configured the sandbox you want to use.
  • You have compiled and packaged your application source files according to the packaging requirements.
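
The Pipeline Scan with SARIF import described above, combined with the prerequisites in this list, as an added example workflow that is not Veracode's own main.yml: it assumes a Maven build producing target/app.jar, secrets named VERACODE_API_ID and VERACODE_API_KEY, and the action version tags and input names shown, which should be checked against the current GitHub Marketplace listings before use.

```yaml
name: veracode-pipeline-scan
on:
  pull_request:

# Least privilege: the job only reads the repo and writes code-scanning
# alerts, which the SARIF upload step needs.
permissions:
  contents: read
  security-events: write

jobs:
  pipeline-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Package the application per the packaging requirements
      # (assumed Maven build producing target/app.jar).
      - name: Build
        run: mvn -B -DskipTests package
      # Credentials come from encrypted secrets and are passed through
      # environment variables rather than interpolated into the command
      # line, so they are not expanded into the workflow log.
      - name: Veracode Pipeline Scan
        env:
          VERACODE_API_ID: ${{ secrets.VERACODE_API_ID }}
          VERACODE_API_KEY: ${{ secrets.VERACODE_API_KEY }}
        run: |
          curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
          unzip -o pipeline-scan-LATEST.zip
          java -jar pipeline-scan.jar \
            --veracode_api_id "$VERACODE_API_ID" \
            --veracode_api_key "$VERACODE_API_KEY" \
            --file target/app.jar \
            --fail_on_severity "Very High, High" \
            --json_output true \
            --json_output_file results.json
      # The scan exits non-zero when it finds flaws at or above the gate
      # severity; if: always() still imports the findings as alerts.
      # Action tags and input names below are assumed; verify them.
      - name: Convert results.json to SARIF
        if: always()
        uses: veracode/veracode-pipeline-scan-results-to-sarif@v2.0.2
        with:
          pipeline-results-json: results.json
          output-results-sarif: veracode-results.sarif
      - name: Import as code-scanning alerts
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: veracode-results.sarif
```

After a run, the imported findings appear under Security > Code scanning alerts in the repository; remove the last two steps if you only want the build gate without the SARIF import.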