Scan for Visual Studio

Veracode Scan for Visual Studio is an extension for Visual Studio 2019 and 2022 that integrates Static Application Security Testing (SAST) into your Software Development Lifecycle (SDLC).

From within your IDE:

• To detect flaws in your code, run Static Analysis scans.
• To resolve flaws, use the provided remediation guidance.

When you scan your project, the plugin automatically:

• Packages your project code into an artifact, such as ZIP or JAR.
• Uploads the artifact to Veracode for analysis.
• Downloads the results and displays them in your IDE.

Scan results are only available in your IDE. You cannot access the results in the Veracode Platform.

Supported versions

Veracode has tested the following versions of Visual Studio, but the extension might work with other versions.

• Visual Studio 2022: v17.11.4 or later
• Visual Studio 2019: v16.11.40 or later

Supported languages and frameworks

Veracode has tested specific versions of the following languages and frameworks, but the extension might work with other versions.

• For Static Analysis scans, see Pipeline Scan supported languages.
• For auto-packaging, see supported languages.

About application packaging

Before Veracode can run a Static Analysis on your project, the code must be packaged into a supported artifact, such as ZIP or JAR. When you start a scan, the extension uses an auto-packager to automatically package your project. Then, the extension uploads the artifact to Veracode for scanning.

If the auto-packager is not able to package your application, or you prefer to create the artifact yourself, you can use the Veracode packaging guidance to package your application manually. The default location for manually packaged artifacts is <project root>/.verascan. At the root of your project, create the .verascan folder and add your artifact to this folder. When you start a scan, the plugin first looks for an artifact in the default location. To store your artifact in a different location, where the plugin looks next, configure the Artifact Glob setting.

Important

A packaged artifact must not exceed the total file size limit of 200 MB.

Prerequisites

Before you can install and use Veracode Scan for Visual Studio, you must have:

• A supported version of Visual Studio and a source project of a supported language or framework. Monorepos are not supported.

• Added your project to a Git-based repository, or configured a source code management (SCM) environment variable, such as SRCCLR_NO_GIT=1.

• Ensured that all required Veracode IP addresses for the Veracode APIs and integrations are on the allowlist for your organization. The extension uses these addresses to authenticate with Veracode, upload your code for scanning, and download the results. To update your allowlist, you might need to contact your IT team.

• To use auto-packaging, you must have:

  • All required build tools, such as compilers and supported package managers, for the language of your project, installed on your local system.
  • All required build tools available on the default command line prompt, which typically uses PATH. If you open a different project that uses different tools, or different versions of the same tools, before you can scan, you must ensure these tools are available on the default command prompt.

• To run Static Analysis scans and view flaws, you must have:

  • An active Static Analysis license.
  • One of the following Veracode accounts:
    • A human user account with the Security Lead, Creator, or Submitter user role.
    • An API service account with the Upload and Scan API or Upload API - Submit Only API role.
  • Ensured your application builds successfully. If your project files change between scans, rebuild your project and ensure it builds successfully.
  • Enabled one-way communication on port 443.

Create an API credentials file

Before you can use the extension, you must generate API credentials in the Veracode Platform and store them in a local credentials file. The extension uses the API credentials to authenticate with Veracode.

Install the extension

Install the extension from the Visual Studio Marketplace.

note

You can only install the extension on one machine. If you install the extension on multiple machines, it might fail to authenticate with Veracode.

Before you begin:

Ensure you meet the prerequisites.

To complete this task:

1. In Visual Studio, select Extensions > Manage Extensions. Alternatively, go to the Visual Studio Marketplace.

2. Search for veracode.

3. Locate and install Veracode Scan for Visual Studio 2019 or Veracode Scan for Visual Studio 2022.

4. Restart Visual Studio.

5. On the toolbar, select Open Veracode Scan . Alternatively, select Extensions > Veracode Scan. The Veracode Scan window opens. The extension automatically detects your API credentials file and attempts to authenticate with Veracode.

6. On the Getting Started tab, under Authenticate with Veracode, review the Status.

   • If authentication is successful, the Status shows Authenticated. Continue to Step 7.

   • If authentication failed, the Status shows Not Authenticated. Complete one or both of the following, then select Test Authentication.

     a. Ensure your API credentials file is configured correctly and the file is in the required location.

     b. Ensure your API credentials are valid. If your credentials are invalid or expired, generate new credentials and replace the invalid credentials in your credentials file with your new credentials.

7. To install a local agent, under Install Local Agent, select Install Agent. The extension uses this agent to communicate with Veracode. This agent is specific to the extension and does not affect any other local Veracode agents.

8. Select Close. The Getting Started window will not open on subsequent scans. The installation is complete.

Configure the extension

Optionally, provide the location of a custom artifact containing the code you want to scan. By default, when you start a scan the extension uses auto-packaging to automatically package your code into a supported artifact.

To complete this task:

1. Select Tools > Options.
2. In the Options window, select Veracode Scan > Settings.
3. For Artifact Glob, enter a glob pattern that defines the path and filename for a packaged artifact that you created manually or placed in a custom location. The path must be relative to your project root directory.
4. Select OK.

Scan your project

To analyze the security risk of your code, scan your project. Because each scan uses the data paths in your project files to detect flaws in lines of code, it does not scan your code as you type. To detect flaws in new or changed lines of code, you must rescan your project.

A Veracode account is limited to six scans per 60 seconds and each scan is limited to a maximum scan time of 60 minutes.

Before you begin:

Ensure you meet the prerequisites.

To complete this task:

1. Open a supported project or solution.
2. On the toolbar, select Open Veracode Scan . The Veracode Scan window opens.
3. Select Scan and Review > Scan project.
4. Wait for the scan to complete. When the scan is complete, the results appear in the following views: Scan Overview and Flaws In My Code.

Review the scan overview

After you scan your project, the Scan Overview shows the total number of flaws from the Static Analysis scan. To view the following information about the scan, select the dropdown .

• The scan completion time and date.
• The name of the scanned project and the scan duration.
• All flaws categorized by severity.

Working with flaws

To review, fix, or ignore discovered flaws, use the Flaws In My Code view.

Review flaws

Learn about the discovered flaws and their severity, and get remediation guidance that can help you fix them.

Before you begin:

Ensure you have scanned your project.

To complete this task:

1. In the Veracode Scan window, select Scan and Review.
2. In the Flaws In My Code view, review the list of flaws. Each flaw shows the Common Weakness Enumeration (CWE) ID and name, sorted by severity. The flaws with the highest severity are at the top of the list.
3. Optionally, to only show flaws with specific severities, select Flaw Filters to filter the flaws. Then, select one or more severities.
4. To view a detailed description of a flaw and the remediation actions you can take to fix it, select Flaw details. The Finding Details tab opens.
5. To view a flaw within a source file, select a flaw. The source file opens in a tab and the line of code where the flaw exists is highlighted blue.

Filter flaws

To control which flaws are listed in the Flaws In My Code view, you can filter them by severity.

Before you begin:

Ensure you have scanned your project.

To complete this task:

1. In the Veracode Scan window, select Scan and Review.
2. In the Flaws In My Code view, select Flaw Filters .
3. To hide or show flaws based on their severity, select one or more severities. The selected severities show a checkmark.
4. To remove filters, select one or more severities that show a checkmark.

Fix flaws

To fix discovered flaws, follow the remediation guidance available in Visual Studio.

Before you begin:

Ensure you have scanned your project.

To complete this task:

1. In the Veracode Scan window, select Scan and Review.
2. In the Flaws In My Code view, expand a flaw you want to fix.
3. Optionally, to hide or show flaws based on their severity, select Flaw Filters to filter the flaws.
4. Select Flaw details. The Finding Details tab opens with detailed information and remediation guidance for the selected flaw.
5. To fix the flaw, on the Finding Details tab, follow the instructions under Remediation Guidance.
6. To see the path that the scanner followed to locate this flaw, under Data Paths, expand a path. Then, select the Step link for the source file and code line number you want to view.
7. To confirm that a flaw is fixed, rescan your project and check that the flaw is no longer listed in the Flaws In My Code view.

Clear all results

Remove all findings from all views and the extension.

Before you begin:

Ensure you have scanned your project.

To complete this task:

Caution

You cannot undo this action or recover the cleared findings. To see results, rescan your project.

In the Veracode Scan window, select Scan and Review > Clear all results.

Troubleshooting

To generate a log file for a scan and the auto-packager, turn on debugging. You can use these logs to troubleshoot issues.

note

When turned on, the debug option does not persist. You must turn it on before each scan.

To complete this task:

Select Extensions > Veracode Scan > Enable Debug. The Enable Debug menu item shows a checkmark.

The log files are stored on your local machine in .veracode/ide_agent/vstudio/. To remove these files, you must delete them manually.

To turn off debugging, select Extensions > Veracode Scan > Enable Debug to remove the checkmark.

If you need additional help, contact Veracode Technical Support.