Scan code in a sandbox
Your teams can use development sandboxes with Veracode Upload and Scan to run Static Analysis and SCA scans of application code during testing, outside production environments. They can also scan against security policies to ensure that their code complies with your organization's security requirements. These policy scans do not affect the policy compliance of the entire application.
As a developer, you can create sandboxes within existing application profiles and submit the code for analysis while it is still in development. At the same time, you can still run a static policy scan of the same application code. Unlike a policy scan, a completed sandbox scan changes the value of the policy_compliance_status parameter to Conditional Pass. You can promote that sandbox scan to a policy scan that counts toward your policy compliance score.
Using sandbox scans can reduce application security risk by allowing you to obtain feedback about your in-development applications. Sandbox scans do not degrade the policy status and flaw metrics for the production versions of those applications. You can analyze multiple versions of the same application at the same time as part of a branch or trunk-based development strategy.
The Veracode Platform matches flaws found in sandbox scans with those in policy scans to ensure any mitigations you have previously entered persist across all scans of the same application. This matching relies on the code scanned within a sandbox being similar to the code the policy scan assesses.
For applications that comprise several microservices, we recommend that you do not scan these in isolation within separate sandboxes. This method inhibits the ability of your team to promote the sandbox scan to a policy scan, which impacts the effectiveness of progress reporting. Instead, if you must scan microservices in isolation, we recommend you create a separate application profile and use the sandbox and policy scan capabilities. This strategy facilitates the branching of the microservices as development progresses and enables you to perform mitigations as you create new versions of a microservice.
You can use metadata to tag application profiles, either through custom fields on the metadata page or through the Veracode Applications API, so that you can group applications as one microservice. You can then view the collective results in Veracode Analytics to track the security posture of a set of microservices.
The development sandbox is a temporary store of your security analysis. We retire this data based on the data retention setting that you apply. The policy scan is the true, audit-compliant record of analysis results.
How can I use development sandboxes?
You can create and manage sandboxes in the following products.
- Veracode Platform
- Veracode Jenkins Plugin
- Veracode Static for Visual Studio
- Veracode Static for IntelliJ
- REST API
- XML APIs
- API wrappers
Pipeline Scan does not support sandboxes.
About sandbox data retention
The Veracode Platform retires data in sandboxes based on the data retention setting that you apply at the account level.
You can choose one of these data retention modes for sandboxes:
Time-to-Live Mode: in this mode, we automatically set an expiration date for development sandboxes when you create them. By default, we set the expiration date to 90 days after the sandbox creation date. After the sandbox expires, you cannot initiate any subsequent scans in the sandbox. However, you can still approve mitigations or promote scans from the sandbox for up to seven calendar days after the sandbox expires. After the seven-day period elapses, we delete the sandbox and its scans.
Rolling-Histories Mode: this mode preserves the last 15 scans you have prepared, on a rolling basis. The first scan in the sequence is the first scan to retire from your results after 15 scans have run. The sandbox itself never expires.
The rolling-histories mode is the default mode that we set at the account level for all new accounts since October 2020. If you want to switch modes, contact Veracode Technical Support.
About sandbox data expiration
We archive information about expired sandboxes and scans before deleting these sandboxes and scans.
Before deleting an expired sandbox or an expired scan, the Veracode Platform archives all information about the sandbox scans and the most recent state of all the findings in the sandbox. You can view information about expired sandbox data in Veracode Analytics dashboards and queries.
You can automatically recreate a sandbox when it expires if you are in time-to-live mode. You can enable the auto-recreate setting when you create the sandbox using the Veracode Platform, or by using the createsandbox.do API call. When you set auto-recreate to true, the Veracode Platform:
- Renames the expired sandbox by appending expired to the original sandbox name.
- Creates a new sandbox with the original sandbox name.
A development pipeline that uses a sandbox for scanning can continue to operate without interruption.
In general, rolling-histories mode is more conducive to the continuous integration use case because the Veracode Platform never deletes the entire sandbox.
For information about the development sandbox expiration date and auto-recreate status, see the Sandbox page in the Veracode Platform. You can also call the getsandboxlist.do API to view this sandbox expiration date and auto-recreate status.
Manage sandboxes in the Veracode Platform
You can perform all sandbox management tasks in the Veracode Platform.
Create a sandbox
You can create a sandbox to provide a temporary store of your security analysis of an application.
Before you begin:
If you have the Sandbox User, Creator, Security Lead, or Sandbox Administrator role, you can create sandboxes.
The sandbox feature is not available to third-party vendors whose software we scan on behalf of an enterprise.
You access the Sandboxes page from the left navigation menu on the Application page. The Sandboxes page for each application contains two views:
- My Sandboxes
- Everyone's Sandboxes
Everyone who has access to this application and has the correct sandbox permissions can create sandboxes for the application. You can change the view between the list of all sandboxes and the list of only your sandboxes.
To complete this task:
- Go to the application, then select Sandboxes in the left navigation menu.
- On the Sandboxes page, select Create Sandbox.
- In the Create Sandbox window, enter the name of your new sandbox.
- If your account is in time-to-live mode and you want the sandbox recreated automatically when it expires, select the Automatically re-create this sandbox when the seven-day expiration period starts checkbox. Your new sandbox now appears in the My Sandboxes and Everyone's Sandboxes lists.
- To edit the sandbox name, select the edit icon next to the name.
- To go to the overview page for that sandbox, select the sandbox name in the list. The number of remaining sandboxes appears in the Sandboxes section of the Application page and on the Sandboxes page.
Start a sandbox scan
You can start a scan of an existing sandbox to measure the results against policy rules.
To complete this task:
- To go to the overview page, from the list of sandboxes, select the required sandbox name.
- Select Start a Scan, then select the scan type you want to run.
- Follow the same procedures as for running formal policy scans.
- To review which sandbox scans are still running and which have finished, from the left navigation of the application, under Sandbox Scans, select In Progress or Completed.
You can run a maximum of 10 concurrent sandbox scans. To view the number of scans currently running, open the profile for your application and select Sandboxes in the left navigation bar.
Review sandbox scan results
You can access the results from sandbox scans to review the findings.
Flaw matching occurs when you perform two scans of the same application. The Veracode Platform compares the results of the second scan to the first scan to identify any findings that might be identical between the two scans.
Before you begin:
If you have the Creator, Submitter, Reviewer, Security Lead, or Sandbox Administrator role, you can view sandboxes.
To complete this task:
- From your application left navigation, select Sandbox Scans.
- To go to the scan overview page for that scan, select the name of the scan. If you have an Enhanced Support subscription, you can select Schedule a Consultation on the Sandbox Results page to schedule a consultation call with a Veracode Application Security Consultant to help interpret the findings in your application.
Mitigating flaws in sandbox scans
You can mitigate flaws found in sandbox scans.
You can validate the security of your application using a development sandbox scan before you submit a policy scan that counts towards your policy compliance score. Alternatively, you have the option to promote a sandbox scan to a policy scan that counts toward your policy compliance score.
To view which flaws in your sandbox scan affect your policy, select the Fix for Policy filter in the Triage Flaws page of your scan results.
If you choose to use the promote functionality, designate one sandbox to use for promotion purposes. Apply all mitigations to the latest scan of the complete application and only promote the sandbox designated for promotion. When you are satisfied with the security posture of the application scanned in the designated development sandbox, you can promote the most recent development sandbox to policy.
You can create other sandboxes to test newer versions of your application or individual components of an application. However, we recommend that you do not promote these sandboxes.
When you promote a sandbox scan to a policy scan, you also promote any mitigations of flaws found in the sandbox scan, regardless of whether the mitigation status is proposed, rejected, or accepted. Sandbox scans inherit mitigations from previous scans of the same application. When you promote a sandbox scan, the mitigation status of each flaw in the promoted scan becomes the mitigation status of that policy scan.
Promote a sandbox scan
After completing a sandbox scan, you have the option to promote the sandbox scan to a policy scan that counts toward your policy compliance score. You can perform a sandbox scan as part of integration testing to validate the security of your application and, then, promote the sandbox scan to a policy scan.
We recommend that you designate one sandbox to test different versions of code or components of an application. To achieve policy compliance, apply all mitigations to the scan results designated for promotion. Then, only promote scans from this sandbox.
When you promote a sandbox scan to a policy scan, the Veracode Platform applies the score of that scan against the policy. You can have multiple sandboxes to scan the different components of your application. However, when you promote a sandbox scan, that scan must contain the entire application.
Sandbox scans of individual components of an application analyze only a small part of the application and therefore lack its full context. Because scans detect findings by analyzing the interaction between files or libraries, a component-only scan can miss findings that a scan of the complete application would report.
Before promoting a scan, verify that you have uploaded all the modules of the full application.
Before you begin:
The sandbox scan you want to promote must meet these conditions:
- The scan is the most recent.
- The scan is no more than 60 days old.
To complete this task:
- On the application overview page, from the left navigation, select Sandboxes.
- Select the name of the sandbox you use for promotion.
- Select the name of the most recent scan.
Note: If the most recent scan is in progress or incomplete, you cannot promote an earlier scan from the same sandbox.
- Select the menu icon, then select Promote Scan.
- If you want to delete this sandbox from your application upon promotion, select the Delete Associated Sandbox checkbox. Deleting the sandbox helps you avoid having an excessive number of sandboxes, which can make results difficult to review. The additional sandboxes count toward your sandbox limit.
- Select Promote to promote the scan.
After you promote the scan, it appears in the Policy Evaluation section of the application page and the list of completed policy scans. The name of the scan is appended with (Promoted) to indicate that you promoted it from a sandbox to a policy scan. All data exports include the flaw data from promoted sandbox scans. You can also view the flaw data in Veracode Analytics.
Results:
When promoting a scan, the scan shows the Promote in Progress status until the promotion finishes. The promotion might take some time, depending on the number of findings in the scan.
When performing a rescan of a promoted scan, the Veracode Platform resets the scan status to Promote in Progress until the rescan is complete.
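The time-to-live retention rules and the promotion preconditions described above, worked as a small audit script. This is an added example, not Veracode's code or API: the sandbox records are constructed here with this example's own field names (in practice you would populate them from getsandboxlist.do), and the thresholds are the page's 90-day expiry, 7-day grace period and 60-day promotion limit.

```python
"""Added example: audit of development sandboxes under time-to-live retention.
Rules from this page: expiry 90 days after creation, no new scans after expiry,
mitigations and promotion still allowed for 7 more days, then deletion unless
auto-recreate is set; promotion needs the most recent scan, complete and at most
60 days old. Records are constructed with this example's own field names."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

TTL_DAYS, GRACE_DAYS, PROMOTE_MAX_AGE_DAYS = 90, 7, 60


@dataclass(frozen=True)
class Sandbox:
    name: str
    created: date
    auto_recreate: bool
    latest_scan: Optional[date] = None   # None: no scan yet
    latest_scan_complete: bool = True    # an in-progress scan blocks promotion


def lifecycle_state(sb: Sandbox, today: date) -> str:
    """active, grace (scans blocked; mitigate/promote still ok), recreated or deleted."""
    expires = sb.created + timedelta(days=TTL_DAYS)
    if today < expires:
        return "active"
    if today < expires + timedelta(days=GRACE_DAYS):
        return "grace"
    return "recreated" if sb.auto_recreate else "deleted"


def can_promote(sb: Sandbox, today: date) -> bool:
    """Scans are archived on deletion/recreation, so only a live sandbox qualifies."""
    if lifecycle_state(sb, today) not in ("active", "grace"):
        return False
    if sb.latest_scan is None or not sb.latest_scan_complete:
        return False
    return (today - sb.latest_scan).days <= PROMOTE_MAX_AGE_DAYS


def at_risk(sandboxes: List[Sandbox], today: date, within_days: int = 14) -> List[str]:
    """Sandboxes about to be deleted without auto-recreate: a pipeline scanning into them breaks."""
    return [sb.name for sb in sandboxes
            if not sb.auto_recreate and lifecycle_state(sb, today) in ("active", "grace")
            and (sb.created + timedelta(days=TTL_DAYS) - today).days <= within_days]


TODAY = date(2024, 4, 10)   # constructed sample, audited as of this date
SAMPLE = [
    Sandbox("feature-a", date(2024, 1, 1), False, date(2024, 3, 20)),
    Sandbox("feature-b", date(2024, 1, 5), False, date(2024, 4, 1)),
    Sandbox("feature-c", date(2024, 1, 20), False, date(2024, 2, 5)),
    Sandbox("feature-d", date(2024, 1, 20), True, date(2024, 4, 8), False),
]
```

Run `at_risk(SAMPLE, TODAY)` against your own sandbox list to find the ones a pipeline will lose in the next two weeks; feature-b is already in its grace period and feature-c expires in nine days, while feature-d survives because auto-recreate is set.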
Download the sandbox activity report
You can download a report from the Veracode Platform that provides detailed activity for a sandbox.
The Veracode Platform provides an activity report, which you can download, and an activity log, which appears in the Veracode Platform user interface. The activity report provides the full history of activity for the sandbox. The activity log displays events from only the past 90 days.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Static Analysis.
- Select an application.
- Select a sandbox.
- To display the activity, in the Activity Log section, select the arrow.
- Select Generate CSV.
- After the CSV generates, select Download CSV. The scan activity report downloads to your computer.