Greenlight for Visual Studio

Veracode Greenlight for Visual Studio is a plugin for Microsoft Visual Studio. You can use the extension to run Veracode Greenlight scans of your code at the file level.

In Visual Studio 2019 and 2022, all extensions are available from the Extensions menu.

Greenlight connects to these hosts, each of which presents a signed certificate: downloads.veracode.com and api.veracode.com.

Supported versions

Veracode has tested the following versions (if listed), but the integration might work with other versions.

  • Visual Studio 2019–2022
  • Visual Studio 2015–2017

Supported languages and frameworks

Veracode has tested the following languages and frameworks (if listed), but the integration might work with other versions.

  • JavaScript
  • All .NET and .NET Core frameworks with the following exceptions:
    • .NET Core versions supported for CSPROJ or VBPROJ projects: 2.0, 2.1, 2.2
    • .NET Core versions not supported for XPROJ projects: 1.0 and 1.1. The Veracode Static Analysis engine supports .NET Core 1.0 and 1.1 applications, but .NET Core 1.0 and 1.1 project files in Visual Studio are not the standard CSPROJ or VBPROJ file types, so the plugin cannot scan them.
    • For .NET 5, .NET 6, and .NET 7, projects that use top-level statements are not supported.

For more details, see the supported JavaScript libraries and technologies or the supported Java frameworks.

Supported files

  • CS, VB, JS, ASCX, ASHX, or ASPX files selected in a .NET project that compiles successfully. If the project does not compile successfully, the plugin does not include the files in the scan.
  • Total size of all files in a project must be 10MB or smaller.
  • JavaScript embedded in HTML, JS, or TS files.
  • C/C++ files are not supported.
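The file-level constraints above (a compiling .NET project, a 10 MB total size limit, the listed scannable file types, and no C/C++) can be checked before a scan is attempted. The following is an added example, not code from the Veracode plugin: it walks a project directory, totals the file sizes against the limit, and sorts files into those the page lists as scannable and those it lists as unsupported. The sample project layout, the C/C++ extension set, and the reading of "10 MB" as 10 × 1024 × 1024 bytes are assumptions made for the demo.

```python
"""Pre-scan check for the Greenlight file-level constraints (added example)."""
import os
import tempfile
from collections import defaultdict

MAX_PROJECT_BYTES = 10 * 1024 * 1024  # "10 MB or smaller" (assumed binary MB)

# File types the page lists as scannable in a compiling .NET project, plus the
# HTML and TS containers in which embedded JavaScript is scanned.
SCANNABLE = {".cs", ".vb", ".js", ".ascx", ".ashx", ".aspx", ".html", ".ts"}
# The page says C/C++ files are not supported; this extension set is assumed.
UNSUPPORTED = {".c", ".cc", ".cpp", ".h", ".hpp"}


def classify_project(root):
    """Return (total_bytes, scannable, unsupported, other) for files under root."""
    total = 0
    groups = defaultdict(list)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            total += os.path.getsize(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in SCANNABLE:
                groups["scannable"].append(rel)
            elif ext in UNSUPPORTED:
                groups["unsupported"].append(rel)
            else:
                groups["other"].append(rel)
    for key in groups:
        groups[key].sort()
    return total, groups["scannable"], groups["unsupported"], groups["other"]


def check_project(root):
    """Summarise whether the project meets the size limit and what would be scanned."""
    total, scannable, unsupported, other = classify_project(root)
    return {
        "total_bytes": total,
        "within_size_limit": total <= MAX_PROJECT_BYTES,
        "scannable": scannable,
        "unsupported": unsupported,
        "other": other,
    }


def build_demo_project():
    """Create a constructed sample project in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="greenlight-demo-")
    files = {  # constructed contents, not real project code
        "Controllers/Login.cs": "class Login {}",
        "Views/Index.aspx": "<%@ Page %>",
        "Scripts/app.js": "console.log('hi');",
        "native/fast.cpp": "int main(){return 0;}",
        "Project.csproj": "<Project />",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    report = check_project(build_demo_project())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The check only covers what the page states about file types and size; whether the project actually compiles, which the plugin also requires, is still decided by Visual Studio at scan time.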

Install the Visual Studio extension

You can install Greenlight for Visual Studio from the Microsoft Visual Studio Marketplace.

Before you begin, you must have:

To complete this task:

  1. Go to the Microsoft Visual Studio Marketplace.
  2. Search for Veracode.
  3. In the search results, select the link for the Veracode Greenlight for Visual Studio you want to install.
  4. Select Download to download the VSIX file. If your browser downloads the VSIX file with a ZIP file extension, change the ZIP file extension to VSIX.
  5. Double-select the VSIX file to start the Visual Studio installer.
  6. When prompted, select the Visual Studio version you want to use with Veracode Greenlight for Visual Studio.
  7. Select Install.
  8. Restart Visual Studio.
  9. Rebuild the solution that contains the files you want to scan.

Access the Greenlight tutorial

You can watch a Veracode Greenlight tutorial and access the Veracode Community from within Greenlight. Join the Community to learn best practices and collaborate on Veracode products.

To complete this task:

  1. In Visual Studio, from the Veracode Greenlight dropdown menu, select Quick Tutorial or Veracode Community. In Visual Studio 2019, you can access the tutorial and the Community from the Extensions menu.
  2. You can also access the Veracode Community and documentation from the links at the top-right of the Veracode Greenlight Findings tab.

Scan your project

Veracode Greenlight for Visual Studio only supports projects of 10 MB or smaller and scans the CS, VB, JS, ASCX, ASHX, or ASPX file you select in the project.

Before you begin:

You meet the Greenlight prerequisites.

To complete this task:

  1. In Visual Studio, select the folder or file you want to scan.
  2. From the Veracode Greenlight menu, select Scan with Veracode Greenlight. Alternatively, right-select a file or folder and select Veracode Greenlight, or use the keyboard shortcut Ctrl+Shift+\. You can watch the scan progress in the Output window.
  3. After the scan is complete, review the security findings on the Veracode Greenlight Findings tab.

Enable auto-scan

You can enable auto-scan to automatically scan any saved, successfully compiled file that is in focus in your IDE.

Scans that you start yourself manually take precedence over scans that start automatically. Greenlight never initiates a new automatic scan while another scan is already running, whether it is an automatic scan or one you started yourself. When a scan is ongoing, Greenlight adds newly saved files to a queue in the order you save them.

The Veracode scan queue shows the priority in which Greenlight scans the files. The queue only shows automatically initiated scans because manually initiated scans always take precedence. The scans in the queue occur 30 seconds apart as long as the files compile successfully. When a file does not compile, a message appears in the log file and Greenlight does not scan the file.
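The queue rules above (manual scans take precedence, no automatic scan starts while any scan is running, saved files wait in save order, queued scans run 30 seconds apart, and a file that does not compile is logged and skipped) can be made concrete with a small model. This is an added example with a simulated clock, not the plugin's own scheduler; the 5-second scan duration, the compile-result table and the choice that a skipped file does not consume a 30-second slot are assumptions.

```python
"""Model of the Greenlight auto-scan queue semantics (added example)."""
from collections import deque

QUEUE_SPACING_SECONDS = 30  # page: queued scans occur 30 seconds apart
SCAN_DURATION_SECONDS = 5   # assumed length of one scan in the simulation


class GreenlightQueueModel:
    def __init__(self, compiles):
        self.compiles = compiles      # constructed table: file -> compiles?
        self.queue = deque()          # automatic scans, in save order
        self.running_until = -1       # simulated time at which the current scan ends
        self.last_auto_start = None   # start time of the last automatic scan
        self.log = []                 # what the Output window would show
        self.scanned = []             # (time, file, kind) for every started scan

    def _busy(self, now):
        return now < self.running_until

    def save_file(self, now, path):
        """Saving a file queues it; a save never starts a scan on its own."""
        self.queue.append(path)
        self.log.append(f"{now:>4}s queued {path} (position {len(self.queue)})")

    def manual_scan(self, now, path):
        """A manual scan takes precedence over queued automatic scans."""
        if self._busy(now):
            self.log.append(f"{now:>4}s manual scan of {path} waits for the running scan")
            return False
        self._start(now, path, "manual")
        return True

    def tick(self, now):
        """Advance the clock one second; start the next automatic scan if allowed."""
        if self._busy(now) or not self.queue:
            return None
        if self.last_auto_start is not None and now - self.last_auto_start < QUEUE_SPACING_SECONDS:
            return None
        path = self.queue.popleft()
        if not self.compiles.get(path, False):
            # Assumed: a skipped file is logged and does not occupy a 30 s slot.
            self.log.append(f"{now:>4}s {path} does not compile; not scanned")
            return None
        self.last_auto_start = now
        self._start(now, path, "auto")
        return path

    def _start(self, now, path, kind):
        self.running_until = now + SCAN_DURATION_SECONDS
        self.scanned.append((now, path, kind))
        self.log.append(f"{now:>4}s started {kind} scan of {path}")


def simulate():
    """Drive the model with a constructed sequence of saves and one manual scan."""
    model = GreenlightQueueModel({"A.cs": True, "B.cs": False, "C.cs": True})
    model.save_file(0, "A.cs")
    model.save_file(1, "B.cs")
    model.save_file(2, "C.cs")
    for now in range(0, 120):
        if now == 30:
            # Requested at the same moment the next automatic scan becomes
            # eligible; the manual scan wins and the queue waits.
            model.manual_scan(now, "Login.cs")
        model.tick(now)
    return model


if __name__ == "__main__":
    for line in simulate().log:
        print(line)
```

In the run above A.cs is scanned immediately, the manual scan of Login.cs starts at 30 s ahead of the queued files, B.cs is dropped with a log line because it does not compile, and C.cs is the next automatic scan once nothing is running.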

Before you begin:

You meet the Greenlight prerequisites.

To complete this task:

  1. Go to the Veracode Greenlight menu.
  2. Select Auto-Scan.

For Java projects, you can select the Build Automatically option so that Greenlight automatically scans any file that is in focus in the IDE as soon as it is saved.

Review findings

After Veracode Greenlight for Visual Studio has scanned a file, a line of code with a finding has a color-coded underline and a corresponding severity icon at the left of the line of code. A line of code that complies with best practices and is protected against specific CWEs is underlined dark green, with a dark green V icon to the left of the line of code.

We recommend that you dock the Veracode Greenlight Findings window below the Visual Studio code editor window. At the top of the Veracode Greenlight Findings window, you can see the number of discovered flaws, which are grouped by severity and best practice. The scan level indicates whether you ran the scan at the package level or file level. In this window you can:

  • Toggle the severity counts to filter the findings by severity grouping: Very High, High, Medium, Low, Very Low, or Info.
  • Use the filter icon in the CWE ID to filter by CWE.
  • Select the link in the Line column to locate the finding in the specific line of code in the file.
  • Select Details to show the finding details in a separate findings window.
  • Clear all findings by selecting the eraser icon in the top-right corner or using the keyboard shortcut _Ctrl+Shift+_.
  • Hover over the finding severity icon at the left of a line of code for details about the finding.

Filter findings

You can filter results so that you can focus on the findings that are the most relevant and important.

Filters are local to your IDE session: you can filter out findings in the Veracode Greenlight results by severity or CWE type, clear a filter at any time, and all filters are cleared when you restart the IDE.

Before you begin:

You have scanned your project.

To complete this task:

  1. On the Veracode Greenlight Findings tab, select a severity on which to filter the findings. The list of findings now only shows the findings of the selected severities.
  2. Select the filter icon in the header of the CWE ID, Location, Language, and Scan Level columns to select more detailed filters, such as a specific CWE ID. The list of findings is reduced to only those matching the selected filters.

Results:

To remove the filters, select the severities at the top of the tab again. If you have filtered on any of the other columns, select that column's filter icon and select (Select All) from its dropdown.

Ignore findings

If there are known findings in your code that continually appear in your Veracode Greenlight results, you can ignore them to temporarily remove them from the Greenlight results.

Before you begin:

You have scanned your project.

To complete this task:

  1. Expand the severity category of the finding you want to ignore.
  2. Expand the finding you want to ignore.
  3. Select Ignore this finding. The ignored finding moves from the Findings list to the Ignored Findings list.

Stop ignoring findings

You can stop ignoring specific findings so that Veracode Greenlight can identify them in your code.

To complete this task:

  1. In your IDE, go to the Veracode Greenlight Findings window.
  2. In the Ignore column, next to an ignored finding, select Show.

Mitigate findings

When you select Details in the Actions column for a specific finding, the information provided in the Findings pane includes summary information about the finding, remediation guidance, and a reference section that lists links to further reading. Where applicable for specific CWE findings, you can also access the Veracode AppSec tutorials to learn more.

The remediation guidance provides links to more detailed information about the finding, with code examples of how findings can be exploited and how to fix the vulnerabilities.

View debug logs

You can view debug logs to troubleshoot issues on your own or provide them to Veracode Technical Support.

Before you begin:

You have scanned your project.

To complete this task:

  1. From the top menu, select View > Output. The OUTPUT console appears at the bottom of your IDE.
  2. From the top-right of the OUTPUT console, select the dropdown menu.
  3. Select Veracode Greenlight in the dropdown menu. Your debug log output information appears.