Veracode for GitHub

You can use Veracode for GitHub to integrate Veracode Static Analysis with GitHub Actions. This integration enables you to automate scanning of your application code from within GitHub.

Veracode GitHub Actions

Veracode provides these preconfigured GitHub Actions in the GitHub Marketplace:

  • Veracode Upload and Scan: use the Veracode Java API wrapper to perform an upload and scan of your application code in your GitHub project. You can view the scan results in the Veracode Platform. To configure this action, edit the settings in the provided action.yml file.
  • Veracode Static Analysis Pipeline Scan and import of results to SARIF: run a pipeline scan of your application code within your GitHub development pipeline. The action also converts the scan results to a Static Analysis Results Interchange Format (SARIF) file and imports them as code-scanning alerts. To view the scan results, in your GitHub project, select Security > Code scanning alerts.

    To configure this action, edit the settings in the provided /workflows/main.yml file. For example, if you do not want the action to convert the scan results from JSON format to SARIF format and import them into GitHub, you can remove or comment out those settings.
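As an added example, not Veracode's shipped main.yml, the following workflow follows the second action above: it runs the Pipeline Scan with credentials read from encrypted GitHub secrets, converts the JSON results to SARIF and imports them as code-scanning alerts. The secret names, the packaged artifact path, the Maven build step and the version tags are assumptions.

```yaml
# Added example workflow (not Veracode's shipped main.yml). Secret names,
# artifact path and version tags are assumptions; pin tags to current releases.
name: Veracode Pipeline Scan
on: [push, pull_request]
permissions:
  contents: read
  security-events: write   # required to import SARIF as code-scanning alerts
jobs:
  pipeline-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Build and package per the Veracode Packaging Requirements
      # (assumed Maven project; replace with your own build).
      - name: Build
        run: mvn -B -DskipTests package
      - name: Download Pipeline Scan
        run: |
          curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
          unzip -o pipeline-scan-LATEST.zip
      # Credentials come only from encrypted GitHub secrets. A failed severity
      # threshold must not skip the SARIF import, hence continue-on-error.
      - name: Run Pipeline Scan
        continue-on-error: true
        run: |
          java -jar pipeline-scan.jar \
            --veracode_api_id "${{ secrets.VERACODE_API_ID }}" \
            --veracode_api_key "${{ secrets.VERACODE_API_KEY }}" \
            --file target/app.jar \
            --fail_on_severity "Very High, High" \
            --json_output_file results.json
      # Remove or comment out the next two steps to skip the JSON-to-SARIF
      # conversion and the import into GitHub.
      - name: Convert results to SARIF
        uses: veracode/veracode-pipeline-scan-results-to-sarif@v2.0.1
        with:
          pipeline-results-json: results.json
          output-results-sarif: veracode-results.sarif
      - name: Import SARIF as code-scanning alerts
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: veracode-results.sarif
```

The `security-events: write` permission is what lets the upload step create alerts under Security > Code scanning alerts; without it the import fails even though the scan itself succeeds.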

Veracode provides additional Pipeline Scan examples that you can add to GitHub Actions. You can also integrate Veracode Software Composition Analysis (SCA) with GitHub Actions.

Prerequisites

  • You have generated Veracode API credentials.
  • Your Veracode API credentials are stored securely using encrypted secrets in GitHub. To access Veracode, you add these encrypted secrets to the YAML files in the provided GitHub Actions.
  • If you are performing static analysis using a Veracode development sandbox, you have configured the sandbox you want to use.
  • You have compiled and packaged your application source files according to the Veracode Packaging Requirements.