Veracode Fix GitHub Action
The Veracode Fix GitHub Action uses the Veracode AI-assisted remediation service, Veracode Fix, to generate code patches for flaws in your code and to review the suggested patches. It applies these patches in a new branch and creates a pull request for you to review, approve, and merge.
Input data and fix generation
Veracode Pipeline Scan can store results with all identified flaws (`results.json`) or filtered results (`filtered_results.json`). Based on the results file that you provide to this action, Veracode Fix generates fixes for the flaws found during the scan. Veracode Fix creates these fixes in the form of code suggestions against the source code.
Pull request comments
The action creates a comment on the pull request (PR) for every fixable flaw, depending on the fix type. Because the single fix type can produce a large number of comments on the PR, use the `fixType: batch` option to apply a batch of fixes and minimize the number of comments. When you pass a baseline file to the pipeline-scan job, it filters out known flaws and writes the remaining ones to `filtered_results.json`. To fail the build based on flaw severity or on specific Common Weakness Enumerations (CWEs), refine the scan results with the `--fail_on_severity` or `--fail_on_cwe` parameters.
Automatic code suggestions
By default, Veracode Fix applies the first code suggestion to flaws in the PR. The first suggestion is the Veracode recommended fix for a flaw, and is typically the one you want to apply. To review other suggested fixes and apply them manually, you can use the Veracode Scan IDE plugins or use the Veracode CLI.
Veracode Fix types
You can configure the action to apply single fixes to flaws or apply multiple fixes as a batch.
Single fix
When you configure `fixType` to `single`, Veracode Fix creates a separate comment for each security flaw in the pull request. This approach provides precise tracking and detailed documentation, but can clutter the pull request interface with numerous comments. You cannot apply these suggestions automatically in your pipeline. You must copy each suggestion and apply it manually to the affected lines of code in each file.
For example, if a Java file has multiple flaws, such as SQL injection risks and improper log output neutralization, Veracode Fix fixes each flaw individually.
Batch fix
When you configure `fixType` to `batch`, Veracode Fix consolidates all fixes for a single file into one comprehensive pull request comment. Instead of creating separate comments for each flaw, the action generates a single, well-structured comment that contains the appropriate fixes.
For example, if a Java file has multiple flaws, such as SQL injection risks and improper log output neutralization, Veracode Fix generates a single comment that contains all necessary fixes you can apply to all flaws.
Configure the Veracode Fix action in GitHub Actions
This section provides a few configuration scenarios that you can use to implement the Veracode Fix action within your GitHub actions workflow.
Before you begin:
Ensure that you have a suitable Veracode Fix account role; the action needs it to generate AI-generated code patches.
Enable Workflow Permissions for Veracode GitHub Actions
To allow the Veracode Fix GitHub Action to create and approve pull requests and apply suggested code patches for flaws, configure GitHub read and write workflow permissions in your repository. These settings apply to every workflow in the repository; you can restrict the token further for individual jobs with a `permissions` block in the workflow file, but the option to create and approve pull requests can only be enabled in the repository settings.
To complete this task:
- In your repository, go to Settings and select Actions.
- Under Workflow permissions, select Read and write permissions.
- Select Allow GitHub Actions to create and approve pull requests.
- To apply the changes, select Save.
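The repository-wide "Read and write" setting gives every job in every workflow a fully privileged `GITHUB_TOKEN`. The fragment below is an added example, not a workflow from the Veracode documentation or the action's repository: it keeps the workflow default at no permissions and grants only the Veracode Fix job the two scopes it plausibly needs to push a fix branch and comment on or open a pull request. Which scopes the action actually requires is an assumption to confirm against the action's README; the repository setting "Allow GitHub Actions to create and approve pull requests" is still required and cannot be granted from the workflow file.

```yaml
# Added example (not from the Veracode docs): least-privilege token scopes
# for the Veracode Fix job. Assumes the action needs only the two scopes
# below; verify against the action's README.
permissions: {}            # workflow default: GITHUB_TOKEN gets no scopes

jobs:
  veracode-fix:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # push the Veracode-fix-bot-* branch (createPR: true)
      pull-requests: write   # post fix comments and open the pull request
    steps:
      - uses: actions/checkout@v3
      - name: Create fixes from static findings
        uses: Veracode/veracode-fix@main
        with:
          inputFile: results.json
          vid: ${{ secrets.VID }}
          vkey: ${{ secrets.VKEY }}
          language: java
          fixType: batch
          prComment: true
          createPR: true
```

Jobs that only build or scan keep the empty default and cannot write to the repository even if a step in them is compromised.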
Add the main.yml file
Create a `main.yml` file that builds the project with the required package manager, runs a Pipeline Scan to discover flaws in your repository, and creates a pull request with Veracode Fix to generate suggested fixes for the discovered flaws.
To complete this task:
- Create a new file named `main.yml` in the `.github/workflows` directory.
- Open the `main.yml` file.
- To build the project and run a Pipeline Scan in the same workflow, configure the Pipeline Scan parameters. The GitHub Action runs on a pull request.
- In the `main.yml` file, after the Pipeline Scan parameters, configure the usage parameters for Veracode Fix.
- Commit your changes to the `main.yml` file on the branch.
Configure Veracode API credentials
Add GitHub secrets for your Veracode credentials to your repository. Veracode Fix uses these credentials to authenticate with Veracode and generate suggested fixes. To complete this task:
- Generate your Veracode API ID and secret key from the Veracode Platform.
- Configure a GitHub secret in your repository called `VID` for your Veracode API ID and another called `VKEY` for your API secret key.
Workflow trigger
The workflow triggers automatically when a pull request is created or updated. On `pull_request` events from a forked repository, GitHub does not expose repository secrets such as `VID` and `VKEY` and grants `GITHUB_TOKEN` read-only permissions, so the action can only generate and post fixes for pull requests from branches within the same repository. To check your workflow results in your pull request, go to the Pull requests tab and select the Conversation tab.
Usage parameters
The following table describes the usage parameters that you can use to configure the GitHub action for Veracode Fix.
Parameter | Description | Required |
---|---|---|
vid | The Veracode API ID. | Yes |
vkey | The Veracode API Secret Key. | Yes |
inputFile | The results file from a Veracode pipeline scan. Ensure that pipeline-scan is run with `--esd true`. | Yes |
language | The language of the source code. Supported languages are java , csharp , javascript , python , kotlin , scala , php , go . | Yes |
fixType | The type of fix to generate, either single or batch . | Yes |
files | Filter on `all` files or only `changed` files. You can only filter on changed files in a pull request. | Yes |
cwe | A single CWE or a comma-separated list of CWEs to filter and generate fix suggestions. | No |
source_base_path_1 , source_base_path_2 , source_base_path_3 | Specify rewrite paths to correct source file paths in the scan results that do not match the actual source file paths. | No |
debug | Enable verbose debug mode. | No |
prComment | If the action runs within pull requests (PR), create comments for fixes in the PRs. | No |
createPR | Create a PR with the fixes to the source branch. Requires `fixType: batch`. | No |
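The input file, the baseline filtering that turns `results.json` into `filtered_results.json`, the `cwe` allow-list, the `source_base_path_N` rewrites, and the difference between the single and batch fix types are all transformations over the Pipeline Scan findings list. The script below is an added example, not code from the Veracode Fix action or the Veracode documentation: it reproduces each of those steps over a constructed `results.json` so you can see exactly which flaws reach the action and how they are grouped. The results file shape is reduced to the keys the script reads (`findings[].issue_id`, `severity`, `cwe_id`, `files.source_file.file`/`line`), the baseline match on CWE, file and line is a simplification of Veracode's own flaw matching, and the severity gate is an assumption that mirrors the idea of `--fail_on_severity`.

```python
"""Pre-process Veracode Pipeline Scan results before handing them to Veracode Fix.

Added example, not part of the Veracode Fix action. It reads a results.json in a
minimal, constructed Pipeline Scan shape, drops findings listed in a baseline,
applies the same prefix rewrite that source_base_path_N performs, keeps only the
requested CWEs, and groups findings the way the single/batch fix types do.
"""
import json
from collections import defaultdict

# Constructed sample in the shape of Pipeline Scan results.json. Only the keys
# used below are assumed; real files carry many more fields (assumption).
SAMPLE_RESULTS = json.dumps({"findings": [
    {"issue_id": 1001, "severity": 4, "cwe_id": "89", "issue_type": "SQL Injection",
     "files": {"source_file": {"file": "com/veracode/verademo/controller/UserController.java", "line": 166}}},
    {"issue_id": 1002, "severity": 3, "cwe_id": "117", "issue_type": "Improper Output Neutralization for Logs",
     "files": {"source_file": {"file": "com/veracode/verademo/controller/UserController.java", "line": 45}}},
    {"issue_id": 1003, "severity": 3, "cwe_id": "80", "issue_type": "Basic XSS",
     "files": {"source_file": {"file": "WEB-INF/views/login.jsp", "line": 12}}},
    {"issue_id": 1004, "severity": 2, "cwe_id": "117", "issue_type": "Improper Output Neutralization for Logs",
     "files": {"source_file": {"file": "com/veracode/verademo/utils/Utils.java", "line": 30}}},
]})

# Constructed baseline: a previously accepted finding that must not be re-reported.
SAMPLE_BASELINE = json.dumps({"findings": [
    {"issue_id": 1004, "cwe_id": "117",
     "files": {"source_file": {"file": "com/veracode/verademo/utils/Utils.java", "line": 30}}},
]})

# Same syntax as the action's source_base_path_N inputs: "prefix-in-results:prefix-on-disk".
SOURCE_BASE_PATHS = ["com/:src/main/java/com/", "WEB-INF:src/main/webapp/WEB-INF"]


def finding_key(finding):
    """Identity used for baseline matching: CWE + file + line. This is a
    simplification; Veracode's real baseline match uses its own flaw hashes."""
    src = finding["files"]["source_file"]
    return (str(finding["cwe_id"]), src["file"], int(src["line"]))


def load_findings(results_json, baseline_json=None):
    """Parse results.json. With a baseline, drop findings already present in it,
    which is what turns results.json into filtered_results.json."""
    findings = json.loads(results_json)["findings"]
    if baseline_json is None:
        return findings
    known = {finding_key(f) for f in json.loads(baseline_json)["findings"]}
    return [f for f in findings if finding_key(f) not in known]


def rewrite_path(path, mappings=SOURCE_BASE_PATHS):
    """Apply the first matching prefix rewrite, mirroring source_base_path_N,
    so the path in the results matches the file checked out in the workspace."""
    for mapping in mappings:
        old, new = mapping.split(":", 1)
        if path.startswith(old):
            return new + path[len(old):]
    return path


def select_findings(findings, cwes=None, min_severity=0):
    """Keep findings whose CWE is in the comma-separated allow-list (the cwe
    input) and whose severity meets the gate (assumed 0..5, 5 = Very High)."""
    wanted = None if cwes is None else {c.strip() for c in cwes.split(",")}
    return [f for f in findings
            if (wanted is None or str(f["cwe_id"]) in wanted)
            and int(f["severity"]) >= min_severity]


def group_for_comments(findings, fix_type):
    """single -> one entry (comment) per flaw; batch -> one entry per source file."""
    if fix_type == "single":
        return {(rewrite_path(f["files"]["source_file"]["file"]), f["issue_id"]): [f]
                for f in findings}
    if fix_type == "batch":
        groups = defaultdict(list)
        for f in findings:
            groups[rewrite_path(f["files"]["source_file"]["file"])].append(f)
        return dict(groups)
    raise ValueError("fixType must be 'single' or 'batch'")


if __name__ == "__main__":
    filtered = load_findings(SAMPLE_RESULTS, SAMPLE_BASELINE)
    for path, group in group_for_comments(select_findings(filtered, "89,117"), "batch").items():
        print(path, [f["issue_id"] for f in group])
```

With the constructed input, the baseline removes one of the two CWE-117 findings, the `cwe` filter `89,117` drops the XSS finding, and batch mode leaves a single comment for `UserController.java` carrying both remaining flaws, whereas single mode would produce two comments for that file.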
Veracode Fix action behavior based on parameters
The configuration parameters specify how the Veracode Fix action behaves in different scenarios, such as handling pull request (PR) comments and annotations, and creating new pull requests.
Pull request comments
Single Fix type
If `prComment` is set to `true` and `fixType` is set to `single`, the action creates a comment on the pull request (PR) for every fixable flaw. This may result in many comments on the PR. Veracode recommends the batch option.
Batch Fix type
If `prComment` is set to `true` and `fixType` is set to `batch`, the action creates one comment on the PR per file, containing the fixes for all fixable flaws in that file.
Annotations
Single Fix type
If `fixType` is set to `single` and the action runs on a PR, it creates annotations for either changed files or all files, depending on the `files` parameter. This helps PR reviewers see details of each flaw that you can fix with Veracode Fix.
:::note
This option might create multiple annotations on the same line of code. This requires you to consider which Veracode Fix changes to apply.
:::
Changed files
If `files` is set to `changed` and the action runs on a PR, it only fixes flaws in files that have been changed in the PR. This option only works if the action runs on a PR.
All files
If `files` is set to `all` and the action runs on a PR, it creates annotations for both changed and unchanged files. This helps PR reviewers see what could be fixed with Veracode Fix.
Create pull request
If `fixType` is set to `batch` and `createPR` is set to `true`, the action creates a new branch named `Veracode-fix-bot-COMMIT-SHA-{TIMESTAMP}`, where `{TIMESTAMP}` is the date and time at which the branch was created. It opens a pull request from this branch, with the fixes, against the source branch where the action runs.
Examples
All examples follow the same structure and require that the build completes before the action starts. To initiate a Pipeline Scan, Veracode Static Analysis requires a compiled or packaged application. For packaging and compilation requirements, see Package your code.
These examples check out the repository, download the previously generated build artifact named `verademo.war`, and then run the action.
Prerequisites
Before you can use these examples, you must meet the following prerequisites:
- Create a new YAML file in the `.github/workflows` directory. For example:

  ```shell
  mkdir -p .github/workflows
  touch .github/workflows/main.yml
  ```

- Create a workflow trigger on a pull request. For example:

  ```yaml
  on:
    pull_request:
      branches: [main]
    workflow_dispatch:
  ```
Single fix type workflow
With `fixType: single`, the action processes each flaw individually and generates a separate fix suggestion for it. If the action runs in a PR, `prComment: true` specifies that it posts those suggestions as comments in the PR; single-fix suggestions are not applied to the source code automatically, so you apply them manually.
```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-java@v3
        with:
          distribution: 'zulu'
          java-version: 8
      - name: Cache Maven packages
        uses: actions/cache@v3
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
      - name: Build with Maven
        run: mvn clean package
      - uses: actions/upload-artifact@v4
        with:
          name: verademo.war
          path: target/verademo.war
  pipeline_scan:
    needs: build
    runs-on: ubuntu-latest
    name: Veracode Pipeline Scan
    steps:
      - name: checkout repo
        uses: actions/checkout@v3
      - name: get archive
        uses: actions/download-artifact@v4
        with:
          name: verademo.war
      - name: pipeline-scan action step
        id: pipeline-scan
        # "esd-true" is a branch reference; pin to a release tag or commit SHA in production
        uses: veracode/Veracode-pipeline-scan-action@esd-true
        with:
          vid: ${{ secrets.VID }}
          vkey: ${{ secrets.VKEY }}
          file: "verademo.war"
          request_policy: "VeraDemo Policy"
          debug: 1
          fail_build: false
      - uses: actions/upload-artifact@v4
        with:
          name: Veracode Pipeline-Scan Results
          path: results.json
  veracode-fix:
    runs-on: ubuntu-latest
    needs: pipeline_scan
    name: Veracode Fix
    steps:
      - name: checkout repo
        uses: actions/checkout@v3
      - name: get flaw file
        uses: actions/download-artifact@v4
        with:
          name: Veracode Pipeline-Scan Results
      - name: Create fixes from static findings
        id: convert
        uses: Veracode/veracode-fix@main
        with:
          # must name a file inside the downloaded artifact; only results.json is uploaded above
          inputFile: results.json
          vid: ${{ secrets.VID }}
          vkey: ${{ secrets.VKEY }}
          source_base_path_1: "com/:src/main/java/com/"
          source_base_path_2: "WEB-INF:src/main/webapp/WEB-INF"
          language: java
          prComment: true
          fixType: single
```
Batch fix type workflow
`fixType: batch` and `prComment: true` specify that the action generates fixes for multiple static analysis findings and posts them as one comment per file, each containing all fixes for that file. To also open a pull request with the fixes, add `createPR: true`.
```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-java@v3
        with:
          distribution: 'zulu'
          java-version: 8
      - name: Cache Maven packages
        uses: actions/cache@v3
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
      - name: Build with Maven
        run: mvn clean package
      - uses: actions/upload-artifact@v4
        with:
          name: verademo.war
          path: target/verademo.war
  pipeline_scan:
    needs: build
    runs-on: ubuntu-latest
    name: Veracode Pipeline Scan
    steps:
      - name: checkout repo
        uses: actions/checkout@v3
      - name: get archive
        uses: actions/download-artifact@v4
        with:
          name: verademo.war
      - name: pipeline-scan action step
        id: pipeline-scan
        # "esd-true" is a branch reference; pin to a release tag or commit SHA in production
        uses: veracode/Veracode-pipeline-scan-action@esd-true
        with:
          vid: ${{ secrets.VID }}
          vkey: ${{ secrets.VKEY }}
          file: "verademo.war"
          request_policy: "VeraDemo Policy"
          debug: 1
          fail_build: false
      - uses: actions/upload-artifact@v4
        with:
          name: Veracode Pipeline-Scan Results
          path: results.json
  veracode-fix:
    runs-on: ubuntu-latest
    needs: pipeline_scan
    name: Veracode Fix
    steps:
      - name: checkout repo
        uses: actions/checkout@v3
      - name: get flaw file
        uses: actions/download-artifact@v4
        with:
          name: Veracode Pipeline-Scan Results
      - name: Create fixes from static findings
        id: convert
        uses: Veracode/veracode-fix@main
        with:
          # must name a file inside the downloaded artifact; only results.json is uploaded above
          inputFile: results.json
          vid: ${{ secrets.VID }}
          vkey: ${{ secrets.VKEY }}
          source_base_path_1: "com/:src/main/java/com/"
          source_base_path_2: "WEB-INF:src/main/webapp/WEB-INF"
          language: java
          prComment: true
          fixType: batch
```
Batch fix type workflow with CWE filters
`fixType: batch` specifies that the action generates fixes for all eligible flaws, filtered to the CWEs listed in `cwe`, and groups them per file. `prComment: true` specifies that the action posts those fixes as comments on the pull request if it runs within a pull request. To also open a pull request with the fixes, add `createPR: true`.
```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-java@v3
        with:
          distribution: 'zulu'
          java-version: 8
      - name: Cache Maven packages
        uses: actions/cache@v3
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
      - name: Build with Maven
        run: mvn clean package
      - uses: actions/upload-artifact@v4
        with:
          name: verademo.war
          path: target/verademo.war
  pipeline_scan:
    needs: build
    runs-on: ubuntu-latest
    name: Veracode Pipeline Scan
    steps:
      - name: checkout repo
        uses: actions/checkout@v3
      - name: get archive
        uses: actions/download-artifact@v4
        with:
          name: verademo.war
      - name: pipeline-scan action step
        id: pipeline-scan
        # "esd-true" is a branch reference; pin to a release tag or commit SHA in production
        uses: veracode/Veracode-pipeline-scan-action@esd-true
        with:
          vid: ${{ secrets.VID }}
          vkey: ${{ secrets.VKEY }}
          file: "verademo.war"
          request_policy: "VeraDemo Policy"
          debug: 1
          fail_build: false
      - uses: actions/upload-artifact@v4
        with:
          name: Veracode Pipeline-Scan Results
          path: results.json
  veracode-fix:
    runs-on: ubuntu-latest
    needs: pipeline_scan
    name: Veracode Fix
    steps:
      - name: checkout repo
        uses: actions/checkout@v3
      - name: get flaw file
        uses: actions/download-artifact@v4
        with:
          name: Veracode Pipeline-Scan Results
      - name: Create fixes from static findings
        id: convert
        uses: Veracode/veracode-fix@main
        with:
          # must name a file inside the downloaded artifact; only results.json is uploaded above
          inputFile: results.json
          vid: ${{ secrets.VID }}
          vkey: ${{ secrets.VKEY }}
          source_base_path_1: "com/:src/main/java/com/"
          source_base_path_2: "WEB-INF:src/main/webapp/WEB-INF"
          language: java
          # only generate fixes for SQL injection (CWE-89) and log injection (CWE-117)
          cwe: '89,117'
          prComment: true
          fixType: batch
```
Compile the action
The GitHub action ships pre-compiled as transpiled JavaScript. If you fork it, you can rebuild it yourself: install NPM and use `ncc` to bundle the TypeScript source and all node modules into a single file, so the node modules do not need to be installed each time the action runs.

```shell
ncc build ./src/index.ts
```