# Veracode Dependency Scanning (GitHub Action)
> **Warning**
> `actions/upload-artifact@v3` and `actions/download-artifact@v3` are scheduled for deprecation on November 30, 2024. We've upgraded the version of `@actions/artifact` to 2.1.4, which now supports `actions/upload-artifact@v4` and `actions/download-artifact@v4`. Please ensure compatibility by using the v4 versions of `actions/upload-artifact` and `actions/download-artifact`.
Veracode Software Composition Analysis (agent-based scan) as a GitHub Action with the following features:

- Run the Veracode SCA agent as the script would, in textual output mode
- Ability to create issues for identified vulnerabilities without creating duplicates
- Ability to run the scan on a remote repository
- Ability to run the scan with the `--quick` flag
If the action runs on a pull request, it will either add a comment with the scan output to the PR or it will automatically link all created GitHub issues to the PR. This helps reviewers decide whether the PR can be approved.
❗ You will need to provide `SRCCLR_API_TOKEN` as an environment variable (see examples below).

❗ If using an org-level agent, you will need to provide `SRCCLR_WORKSPACE_SLUG` as an environment variable.
The run stores one of two types of artifact. If `create-issues` is set to `true`, the artifact is the JSON output stored as `scaResults.json`. If `create-issues` is set to `false`, the artifact is the text output stored as `scaResults.txt`. In both cases the artifact name is `Veracode Agent Based SCA Results`.
## Inputs

### `github_token`

Required - The authorization token to allow the action to create issues. If the default value `${{ github.token }}` is not working, the token must be set on the action inputs. You may be able to simply use `${{ secrets.GITHUB_TOKEN }}` as a default option (see more details). Otherwise, you can create a Personal Access Token with the required permissions (`repo` scope), store it as a secret and assign it to this input.

### `create-issues`

Optional - whether to create issues from found vulnerabilities. This is a boolean attribute.
Default Value: `false`

### `url`

Optional - specify a remote repository URL for scanning. When set, the action will not scan the current repository in which the workflow is running.

### `path`

Optional - a relative path for the scan to start. This attribute is useful in scenarios where the actual code is not in the root of the repository, for example a mono repo where the repository is home for multiple projects.
Default Value: `.` (repository root folder)

### `quick`

Optional - run the Veracode SCA scan with `--quick`.
Default Value: `false`

### `debug`

Optional - run the Veracode SCA scan with `--debug`.
Default Value: `false`

### `skip-collectors`

Optional - run the Veracode SCA scan with the `--skip-collectors` attribute with comma-separated values. The available values can be found in the Scan directive documentation (scroll down to the `skip_collectors` directive).
Default Value: None

### `allow-dirty`

Optional - run the Veracode SCA scan with `--allow-dirty`.
Default Value: `false`

### `recursive`

Optional - run the Veracode SCA scan with `--recursive`.
Default Value: `false`

### `skip-vms`

Optional - run the Veracode SCA scan with `--skip-vms`.
Default Value: `false`

### `no-graphs`

Optional - do not include dependency graphs in the JSON output.
Default Value: `false`
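The following workflow is an added example and is not part of the Veracode project's own documentation. It shows the inputs above used together on a pull request: the scan starts in a subdirectory of a mono repo, skips selected collectors, keeps the JSON artifact small, and restricts the default `GITHUB_TOKEN` to the permissions that creating issues and commenting on the PR need. A second job then downloads the artifact with the v4 download action (which the upgraded `@actions/artifact` supports) and checks that it is valid JSON. The directory `services/billing`, the collector names `npm,yarn`, and the `permissions` block being sufficient are assumptions for the example, not values taken from this page.

```yaml
# Added example (not from the Veracode project): scan one project of a mono repo
# on pull requests with a least-privilege token, then validate the JSON artifact.
name: Veracode SCA (monorepo)

on:
  pull_request:
    paths:
      - 'services/billing/**'      # assumed mono-repo layout
  schedule:
    - cron: '15 14 * * 6'

# Restrict the default GITHUB_TOKEN to what the action uses: reading the repo,
# creating/updating issues and commenting on the PR. Assumed sufficient; widen
# only if a run fails with a permissions error.
permissions:
  contents: read
  issues: write
  pull-requests: write

jobs:
  veracode-sca:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Run Veracode SCA on the billing service
        env:
          SRCCLR_API_TOKEN: ${{ secrets.SRCCLR_API_TOKEN }}
          # Only required for org-level agents; remove this line otherwise.
          SRCCLR_WORKSPACE_SLUG: ${{ secrets.SRCCLR_WORKSPACE_SLUG }}
        uses: veracode/veracode-sca@v2.1.10
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          path: services/billing        # scan starts here, not at the repo root
          skip-collectors: npm,yarn     # assumed collector names; comma-separated
          no-graphs: true               # omit dependency graphs from scaResults.json
          create-issues: true           # created issues are linked to the PR

  check-results:
    needs: veracode-sca
    runs-on: ubuntu-latest
    steps:
      # The action uploads with @actions/artifact 2.x, so download-artifact@v4 works.
      - name: Download the SCA artifact
        uses: actions/download-artifact@v4
        with:
          name: Veracode Agent Based SCA Results
          path: sca
      - name: Sanity-check the JSON artifact
        run: |
          test -s sca/scaResults.json          # non-empty, since create-issues is true
          jq empty sca/scaResults.json         # fails the job if the file is not valid JSON
```

When `create-issues` is `false` the artifact is `scaResults.txt` instead, so the second job would check that file rather than the JSON one.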
## Examples

Run a scan but do not create issues for identified vulnerabilities.

```yaml
on:
  schedule:
    - cron: '15 14 * * 6'   # every Saturday at 14:15 UTC
  workflow_dispatch:

jobs:
  veracode-sca-task:
    runs-on: ubuntu-latest
    name: Scan repository with Veracode SCA
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Run Veracode SCA
        env:
          SRCCLR_API_TOKEN: ${{ secrets.SRCCLR_API_TOKEN }}
        uses: veracode/veracode-sca@v2.1.10
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          create-issues: false   # text output is stored as scaResults.txt
```
Run a quick scan on the repository and create issues for all identified vulnerabilities.

```yaml
on:
  push:
    paths-ignore:
      - "README.md"
  schedule:
    - cron: '15 14 * * 6'   # every Saturday at 14:15 UTC

jobs:
  veracode-sca-task:
    runs-on: ubuntu-latest
    name: Scan repository with Veracode SCA
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Run Veracode SCA
        env:
          SRCCLR_API_TOKEN: ${{ secrets.SRCCLR_API_TOKEN }}
        uses: veracode/veracode-sca@v2.1.10
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          quick: true            # runs the agent with --quick
          create-issues: true    # JSON output is stored as scaResults.json
```
## Building

The action comes pre-compiled as transpiled JavaScript. If you want to fork and build it on your own you need npm to be installed; use `ncc` to compile all node modules into a single file, so they don't need to be installed on every action run. The command to build is simply:

```sh
ncc build ./src/action.ts
```