Scan for VS Code

Veracode Scan for VS Code is an extension for the Visual Studio Code IDE that integrates Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Veracode Fix into your Software Development Lifecycle (SDLC).

From within your IDE:

  • To detect flaws in your code, run Static Analysis scans
  • To detect vulnerabilities in open-source libraries and the risk level of open-source licenses, run SCA agent-based scans
  • To remediate flaws by applying suggested fixes, use Veracode Fix
  • To resolve findings manually, use the provided remediation guidance

When you scan your project, the extension automatically:

  • Packages your project code into an artifact, such as ZIP or JAR.
  • Uploads the artifact to Veracode for analysis.
  • Downloads the results and displays them in your IDE.

Scan results are only available in your IDE. You cannot access the results in the Veracode Platform.

Supported versions

Veracode has tested the following versions of VS Code, but the extension might work with other versions.

1.78.2 or later

Supported languages and frameworks

Veracode has tested specific versions (if listed) of the following languages and frameworks, but the extension might work with other versions.

About application packaging

Before Veracode can run a Static Analysis on your project, the code must be packaged into a supported artifact, such as ZIP or JAR. When you start a scan, the extension uses an auto-packager to automatically package your project. Then, the extension uploads the artifact to Veracode for scanning. This option does not apply to SCA scans.

If the auto-packager is not able to package your application, or you prefer to create the artifact yourself, you can use the Veracode packaging guidance to package your application manually. The default location for manually packaged artifacts is <project root>/.verascan. At the root of your project, create the .verascan folder and add your artifact to this folder. When you start the scans, the extension first looks for an artifact in the default location. To store your artifact in a different location, where the extension looks next, configure the setting veracode-scan.SAST Features.artifactGlob.

Important

A packaged artifact must not exceed the total file size limit of 200 MB.
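The manual packaging flow above, as an added example that is not Veracode's auto-packager or its packaging guidance: it zips a project into the default .verascan folder under the project root, prunes .git and any earlier artifacts already sitting in .verascan (the exclusion list is an assumption), and refuses to produce an artifact over the 200 MB limit. The sample project it builds is constructed throwaway input.

```python
"""Manual packaging helper for Veracode Scan for VS Code.

Constructed example, not Veracode's auto-packager or packaging guidance:
it zips a project into the default <project root>/.verascan location and
enforces the 200 MB artifact limit stated in the documentation. The set of
excluded directories is an assumption; adjust it to your project.
"""
import os
import tempfile
import zipfile
from pathlib import Path

ARTIFACT_DIR = ".verascan"               # default location the extension checks first
MAX_ARTIFACT_BYTES = 200 * 1024 * 1024   # 200 MB limit from the documentation

# Assumed exclusions: VCS metadata, earlier artifacts, and common build output.
# Excluding ARTIFACT_DIR matters because it lives inside the project root:
# without it, each new ZIP would swallow every previous one.
EXCLUDED_DIRS = {".git", ARTIFACT_DIR, "node_modules", "target", "build", "dist"}


def iter_source_files(project_root: Path):
    """Yield files under project_root, pruning excluded directories."""
    for dirpath, dirnames, filenames in os.walk(project_root):
        # Edit dirnames in place so os.walk does not descend into excluded dirs.
        dirnames[:] = sorted(d for d in dirnames if d not in EXCLUDED_DIRS)
        for name in sorted(filenames):
            yield Path(dirpath) / name


def package_project(project_root: str, artifact_name: str = "app.zip",
                    max_bytes: int = MAX_ARTIFACT_BYTES) -> Path:
    """Create <project_root>/.verascan/<artifact_name> and return its path.

    Raises ValueError (and removes the file) if the ZIP exceeds max_bytes.
    """
    root = Path(project_root).resolve()
    out_dir = root / ARTIFACT_DIR
    out_dir.mkdir(exist_ok=True)
    artifact = out_dir / artifact_name

    with zipfile.ZipFile(artifact, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for path in iter_source_files(root):
            # Store project-relative POSIX paths, as a build tool would.
            zf.write(path, arcname=path.relative_to(root).as_posix())

    size = artifact.stat().st_size
    if size > max_bytes:
        artifact.unlink()
        raise ValueError(f"artifact is {size} bytes, over the {max_bytes} byte limit")
    return artifact


def artifact_entries(artifact: Path) -> list:
    """Return the sorted entry names inside a ZIP artifact."""
    with zipfile.ZipFile(artifact) as zf:
        return sorted(zf.namelist())


def build_sample_project() -> Path:
    """Create a constructed throwaway project in a temp dir (sample input)."""
    root = Path(tempfile.mkdtemp(prefix="verascan-demo-"))
    (root / "src").mkdir()
    (root / "src" / "app.py").write_text("print('hello')\n")
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (root / ARTIFACT_DIR).mkdir()
    (root / ARTIFACT_DIR / "old.zip").write_bytes(b"stale artifact")
    return root


if __name__ == "__main__":
    demo_root = build_sample_project()
    zipped = package_project(str(demo_root))
    print(zipped, artifact_entries(zipped))   # artifact path and ['src/app.py']
```

Because the artifact lands in the default location, no artifactGlob setting is needed; if you write it elsewhere, the glob must be relative to the project root.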

Prerequisites

Before you can install and use Veracode Scan for VS Code, you must have:

  • A supported version of VS Code and a source project of a supported language or framework. Monorepos are not supported.

  • Added your project to a Git-based repository, or configured a source code management (SCM) environment variable, such as SRCCLR_NO_GIT=1.

  • Ensured that all required Veracode IP addresses for the Veracode APIs and integrations are on the allowlist for your organization. The extension uses these addresses to authenticate with Veracode, upload your code for scanning, and download the results. To update your allowlist, you might need to contact your IT team.

  • To generate suggested code fixes and apply them to flaws, you must have a Veracode Fix license, a supported code language, and an account with the Submitter user role.

  • To use auto-packaging, you must have:

    • All required build tools, such as compilers and supported package managers, for the language of your project, installed on your local system.
    • All required build tools available on the default command line prompt, which typically uses PATH. If you open a different project that uses different tools, or different versions of the same tools, before you can scan, you must ensure these tools are available on the default command prompt.
  • Additional prerequisites for specific scan types:

    To run Static Analysis scans and view flaws, you must have:

    • An active Static Analysis license.
    • One of the following Veracode accounts:
      • A human user account with the Security Lead, Creator, or Submitter user role.
      • An API service account with the Upload and Scan API or Upload API - Submit Only API role.
    • An application that builds successfully. If your project files change between scans, rebuild your project and ensure it still builds successfully.
    • One-way communication enabled on port 443.

Create an API credentials file

Before you can use the extension, you must generate API credentials in the Veracode Platform and store them in a local credentials file. The extension uses the API credentials to authenticate with Veracode. If you have generated an SCA agent token, you must still create an API credentials file.

Install the extension

Install the extension from the VS Code Marketplace the same as any other extension.

Note

You can only install the extension on one machine. If you install the extension on multiple machines, it might fail to authenticate with Veracode.

To complete this task:

  1. In VS Code, on the Activity bar, select Extensions.
  2. Search for veracode.
  3. Select Veracode Scan for VS Code.
  4. Select Install.
  5. Complete the setup.

Complete post-installation setup

After you install the extension, authenticate with Veracode, install a local agent, and, optionally, apply an SCA security policy.

To complete this task:

  1. On the Activity bar, select Veracode Scan. The extension automatically detects your API credentials file and attempts to authenticate with Veracode.

    • If authentication is successful, the SETUP view opens. Continue to Step 3.

    • If authentication failed, the AUTHENTICATION view opens.

      Complete one or more of the following, then select Test Authentication:

      a. Ensure your API credentials file is configured correctly and the file is in the required location.

      b. Ensure your API credentials are valid. If your credentials are invalid or expired, generate new credentials and replace the invalid credentials in your credentials file with your new credentials.

      c. If you need to authenticate through a proxy server, add your proxy credentials.

  2. To install a local agent, under SETUP, select Install Agent. The extension uses this agent to upload your code to Veracode for scanning. This agent is specific to the extension and does not affect any other local Veracode agents.

  3. To apply an SCA security policy that filters the discovered vulnerabilities, select Settings. Then, select User > Extensions > Veracode Scan. This policy does not apply to flaws.

  4. On the Settings tab, select the checkbox under Policy.

  5. From the Policy dropdown menu, select a policy to apply to your project. The menu only lists policies that contain the Findings by Severity or Vulnerability CVSS Score rule types. To change the policy in the future, use the configuration settings. The installation is complete.

Configure the extension

Optionally, configure scan settings, filter discovered findings, or add your proxy credentials to authenticate with Veracode through a proxy server.

To complete this task:

  1. To open the Settings tab, in the SCAN OVERVIEW view, select Settings.

  2. Configure the following options:

    • SAST Flaw.Sev Filters: to hide or show flaws in the FLAWS IN MY CODE view, add or remove the related severities.
    • SCA Features.Auto SCA Scan: select to automatically run an SCA scan when you open VS Code, open a new project, or when your open-source libraries change. The extension will monitor changes to certain project files, such as package manager dependency files (package.json or pom.xml).
    • SCA Features.Policy: to filter out vulnerabilities in the VULNERABILITIES IN MY LIBRARIES view, select to enable an SCA security policy that you can assign to your project. Then, from the Policy dropdown menu, select a policy. The menu only lists policies that contain the Findings by Severity or Vulnerability CVSS Score rule types. To use this option, the Unified Policy must be activated for your account. This policy does not apply to flaws.
    • SCA Features.Recursive Scan: select to run a recursive SCA scan of all folders and files in your selected project. After you select this option, you must rescan your project to update the results.
    • SCA Features.Skip Vulnerable Method Analysis: select to reduce SCA scan times. SCA scans will not analyze your project for vulnerable methods. Veracode recommends that you leave this setting turned off (the default) and resolve all vulnerable methods. To apply this setting, rescan your project.
    • SCA Vulnerability.Sev Filters: to hide or show vulnerabilities in the VULNERABILITIES IN MY LIBRARIES view based on the risk level, add or remove the related severities.
    • SCA Vulnerability.Usage Filters: to filter vulnerabilities in the VULNERABILITIES IN MY LIBRARIES view based on how the project uses a vulnerable library, add or remove Direct or Transitive (indirect).
    • SAST Features.artifactGlob: enter a glob pattern that defines the path and filename for a packaged artifact that you created manually or placed in a custom location. The path must be relative to your project root directory.

Add proxy credentials

If your organization requires you to authenticate with Veracode through a proxy server, add your proxy credentials to the extension. Only Basic authentication is supported.

To complete this task:

  1. To open the Settings tab, in the SCAN OVERVIEW view, select Settings.

  2. Search for proxy. Then, select User > Application > Proxy.

  3. Under Http: Proxy, enter the URL for your proxy server. If you do not know the proxy server URL, contact your IT administrator.

    Alternatively, add the proxy server URL to an environment variable. The Http: Proxy option overrides the environment variable.

    Create the following environment variable:

    • For Variable name, enter https_proxy or veracode_https_proxy.
    • For Variable value, enter the URL for your proxy server.
  4. In the Add Proxy Credentials window, enter your proxy username and password. If you do not see this window or you want to re-open it, in the Command Palette, enter HTTP Proxy Credentials.

  5. Select Add Credentials. The extension authenticates with Veracode.

Scan your project

To analyze the security risk of your code and all open-source libraries and licenses, scan your project. Because each scan uses the data paths in your project files to detect flaws in lines of code, it does not scan your code as you type.

To detect flaws in new or changed lines of code, you must rescan your project. To automatically run an SCA scan after you change your open-source libraries or when you open a project, turn on Auto SCA Scan.

A Veracode account is limited to six scans per 60 seconds and each scan is limited to a maximum scan time of 60 minutes.

Before you begin:

Ensure you meet the prerequisites.

To complete this task:

  1. Open a supported project.
  2. On the Activity bar, select Veracode Scan.
  3. In the SCAN OVERVIEW view, select Start Scanning. If you have already scanned this project, select Rescan. If you have more than one project open, you can select the project you want to scan from the Command Palette.
  4. Wait for the scans to complete. When all scans are complete, the results for the selected project appear in the following views: SCAN OVERVIEW, FLAWS IN MY CODE, VULNERABILITIES IN MY LIBRARIES, and LIBRARY LICENSES.

Cancel all running scans

You can cancel all running scans at any time. It might take several minutes for all scans to stop.

To cancel all scans, in the SCAN OVERVIEW view, select Cancel Scan.

Review the scan overview

After you scan your project, in the Veracode Scan window, the SCAN OVERVIEW view provides the following information about the scans and the results:

  • The scan completion time stamp and the duration of the scans.
  • The total number of flaws from the Static Analysis scan. To view the flaws categorized by severity, expand Flaws. If there are suggested fixes from Veracode Fix, you see the total number of available fixes.
  • The total number of vulnerabilities from the SCA scan. To view the vulnerabilities categorized by severity, expand Vulnerabilities.

Working with flaws

To review, fix, or ignore discovered flaws, use the FLAWS IN MY CODE view.

Review flaws

Learn about the discovered flaws and their severity, and get remediation guidance that can help you fix them.

Before you begin:

Ensure you have scanned your project.

To complete this task:

  1. On the Activity bar, select Veracode Scan.

  2. In the FLAWS IN MY CODE view, you see a list of flaws. Each flaw shows the Common Weakness Enumeration (CWE) ID and name. The list is sorted by severity, with the highest-severity flaws at the top. If there are suggested fixes for a flaw, the flaw icon shows a blue dot. After you apply a suggested fix from Veracode Fix, the flaw icon changes to gray.

  3. Optionally, to only show specific flaws in the list, select Filter to filter the flaws.

  4. To view a flaw within a source file, select a flaw. The source file opens in a tab and the line of code where the flaw exists is underlined in red. An icon to the left of the line of code shows the flaw severity.

    If the line of code contains multiple flaws, the icon shows the highest severity of all flaws. If there are suggested fixes for the flaw, to the right of the line of code, you see Veracode fix available.

  5. To view a detailed description of a flaw and the remediation actions you can take to fix it, in the FLAWS IN MY CODE view, point to a flaw, then select View flaw details. The Flaw Details tab opens.

  6. Alternatively, to open the Flaw Details tab from a flaw in a source code file, hover over a line of code with a red underline. Then, select Quick Fix and a CWE. You can also select a CWE from Show Code Actions.

  7. To review ignored flaws, at the bottom of the FLAWS IN MY CODE view, expand Ignored findings.

Filter flaws

To control which flaws are listed in the FLAWS IN MY CODE view, you can filter them.

Before you begin:

Ensure you have scanned your project.

To complete this task:

  1. In the FLAWS IN MY CODE view, select Filters.

  2. From the Filter Flaws dropdown menu, select a filter:

    • Severity: hide or show flaws based on their severity.
    • Veracode Fix: only show flaws with suggested fixes you can apply or flaws that have fixes applied.

  3. To apply a filter, select OK. To indicate that the flaws are filtered, the filter icon shows an orange dot.

Fix flaws

To fix discovered flaws, you can apply suggested fixes from Veracode Fix or follow the remediation guidance available in your IDE. If the scan results do not include the path to a flaw, Veracode Fix does not provide suggested fixes for that flaw.

Before you begin:

  • Ensure you have scanned your project.
  • To generate and apply suggested code fixes, you must have a Veracode Fix license.

To complete this task:

  1. In the FLAWS IN MY CODE view, select a flaw you want to fix. If the flaw has suggested fixes, the severity icon shows a blue dot.

  2. Optionally, to show only flaws with suggested fixes, or flaws with fixes applied, select Filters to filter the flaws.

  3. To open the Flaw Details tab, point to a flaw, then select View flaw details.

  4. To open the source file that contains the flaw, select the flaw. In the source file, the line of code where the flaw exists is underlined in red. A line of code can contain multiple flaws.

  5. In the Flaw Details tab, select from the following tabs. You only see the Veracode Fix tab if Fix supports the CWE ID for the selected flaw.

    • Veracode Fix: to apply the top suggested fix for this flaw, select Apply Fix. To apply other suggested fixes, select a fix from Fix Option, then select Apply Fix. After you apply a suggested fix, a notification message opens with details about the applied fix and the flaw icon in the FLAWS IN MY CODE view changes to gray. If you fix a flaw manually, its flaw icon does not change to gray.

    • Remediation Guidance: to fix this flaw manually, follow the remediation guidance. To see the path that the scanner followed to locate this flaw, under Data Paths, expand a path. Then, select the Step link for the source file and code line number you want to view.

  6. Alternatively, to open the Flaw Details tab from a flaw in the source file, hover over a line of code with a red underline. Then, select Quick Fix and select either Fix this flaw or, if there are no suggested fixes, select More information. You can also access the Quick Fix options from the Show Code Actions menu.

  7. To confirm that a flaw is fixed, rescan your project and check that the flaw is no longer listed in the FLAWS IN MY CODE view.

Ignore flaws

To temporarily remove flaws from the scan results, you can ignore them. For example, you might want to ignore flaws that continually appear or are of low importance, such as Informational.

Before you begin:

Ensure you have scanned your project.

To complete this task:

  1. In the FLAWS IN MY CODE view, select a flaw. The source file that contains the flaw opens in a tab and the line of code where the flaw exists is underlined in red.

  2. In the source file, hover over a line of code with a red underline.

  3. To ignore a flaw, select Quick Fix > Ignore this finding on a CWE. If the line of code contains multiple flaws, the menu lists multiple CWEs. The flaw moves to the Ignored flaws section at the bottom of the FLAWS IN MY CODE view and is no longer visible in the source file. You can also access the Quick Fix options from Show Code Actions.

  4. To unignore a flaw, at the bottom of the FLAWS IN MY CODE view, expand Ignored flaws. Then, locate a flaw and select Unignore flaw. The flaw moves out of the Ignored flaws list and is visible in the source file.

Working with vulnerabilities

To review and fix discovered vulnerabilities, use the VULNERABILITIES IN MY LIBRARIES view.

Review and fix vulnerabilities

To see detailed information about libraries with vulnerabilities, the vulnerability risk level, and guidance for mitigating them, review the discovered vulnerabilities for all open-source libraries in your project in the VULNERABILITIES IN MY LIBRARIES view.

If you do not have an active SCA subscription, you do not see vulnerabilities in the SCAN OVERVIEW view. The VULNERABILITIES IN MY LIBRARIES view and the LIBRARY LICENSES view are also empty.

Before you begin:

Ensure you have scanned your project.

To complete this task:

  1. On the Activity bar, select Veracode Scan.

  2. In the VULNERABILITIES IN MY LIBRARIES view, you see a list of libraries sorted by risk level. The libraries with the most and highest-risk vulnerabilities are at the top of the list. The usage appears to the right of the library.

  3. Optionally, to only list libraries with vulnerabilities of specific severities, select Filters to filter the vulnerabilities.

  4. To view the detected vulnerabilities, expand a library.

  5. To view information about the library, select View library details. The Library Details tab provides useful information about the library, such as the usage, the latest version available, the known safe version, and links to more information. If the library has vulnerable methods, the Has vulnerable methods field shows Yes and you should prioritize resolving this vulnerable library first. If the library does not have vulnerable methods or the Skip Vulnerable Method Analysis setting is turned on, the Has vulnerable methods field shows No.

  6. To open the package manager file, such as package.json, where the vulnerable library is referenced, select Go to library location. In the package manager file, the vulnerable library (direct or transitive) is highlighted. You only see this option if your project uses Maven, npm, or Yarn.

  7. To see additional information about a vulnerability and the remediation guidance you can use to fix it, select it. The Vulnerability Details window shows the CVSS score, all libraries in your project with this vulnerability, a link to view it in the Veracode Vulnerability Database, and the recommended fix.

  8. To fix the vulnerability, under The Fix, follow the remediation steps. For example, if a library in an npm project has a vulnerability, you might need to upgrade, or downgrade, the library in the package.json file to a safe version.

  9. To confirm that a vulnerability is fixed, rescan your project and check that the affected library, or the specific vulnerability you fixed, is no longer listed in the VULNERABILITIES IN MY LIBRARIES view.

Filter vulnerabilities

To control which vulnerabilities are listed in the VULNERABILITIES IN MY LIBRARIES view, you can filter them by severity.

Before you begin:

Ensure you have scanned your project.

To complete this task:

  1. In the VULNERABILITIES IN MY LIBRARIES view, select Filters.

  2. Select Filter Vulnerabilities, then select one or more filters:

    • Severity: hide or show vulnerabilities based on their risk level.
    • Usage: hide or show vulnerabilities based on their usage (direct or transitive).

  3. To apply a filter, select OK. To indicate that the view is filtered, the filter icon shows an orange dot.

Review open-source licenses

Review a list of all open-source licenses in your project, the libraries that use these licenses, and the license risk level. Your organization uses this information when deciding whether it might need to change a license to a safe version.

Before you begin:

Ensure you have scanned your project.

To complete this task:

  1. On the Activity bar, select Veracode Scan.

  2. In the LIBRARY LICENSES view, scroll through the list of detected licenses to see the names, versions, and license risk. The licenses with the highest risk level appear at the top of the list.

  3. Expand a license to see the libraries that use it.

Clear all findings

Remove all findings from all views and the extension.

Before you begin:

Ensure you have scanned your project.

To complete this task:

Caution

You cannot undo this action or recover the cleared findings. To see results, rescan your project.

In the SCAN OVERVIEW view, select Clear findings.

Troubleshooting

To generate a log file for all scans, Veracode Fix, and the auto-packager, turn on debugging. You can use these logs to troubleshoot issues.

Note

When turned on, the debug option does not persist. You must turn it on before each scan.

To complete this task:

In the HELP & FEEDBACK view, select Debug. The icon shows a red dot and the tooltip changes to Debug Enabled.

The logs are stored on your local machine in .veracode/ide_agent/vscode/. The filename for each log file is the VS Code session ID at the time you started the scans. To remove these files, you must delete them manually.

To turn off debugging, select Debug to remove the red dot. The tooltip changes to Debug Disabled.

Get help or provide feedback

If you need help or want to report an issue, in the HELP & FEEDBACK view, select a link to visit the Veracode Community or report an issue.

For additional help, contact Veracode Technical Support.