Skip to content

A quick and dirty example of using Veracode APIs to scan a couple of files.

License

Notifications You must be signed in to change notification settings

relaxnow/veracode-quick-scan

Repository files navigation

Veracode Quick Scan

A quick and dirty example of using Veracode APIs to scan a couple of files. This works best with files from applications written in dynamic languages like PHP or JavaScript.

Example Usage in Bash (Unix systems):

$ export VCUID=my_veracode_api_username
$ export VCPWD=my_veracode_api_password
$ veracode-quick-scan quickscan --appid=288128 --sandboxid=1004849 MyProject/index.php 
Starting upload
Starting prescan with autoscan
Waiting on results... (BUILD: 3549203)
Waiting on results... (BUILD: 3549203)
Waiting on results... (BUILD: 3549203)
Waiting on results... (BUILD: 3549203)
Waiting on results... (BUILD: 3549203)
Very High | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | index.php:366
Very High | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | index.php:385
Medium | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | index.php:318
Medium | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | index.php:319
Medium | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | index.php:407
Medium | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | index.php:496
Scan took 00:03:44. Total number of flaws found: 6

Please note that this is not a replacement for a full Static Analysis scan (which will give higher quality results), nor for Veracode Greenlight (proper IDE support).

Requirements

To find the appid and sandboxid:

  1. Go to Veracode Platform.
  2. Go to "My Portfolio" and then "Applications".
  3. Click on the application link.
  4. Go to "Sandboxes" in the menu on the left hand side.
  5. Click on the sandbox you'd like to use for Quick Scan or create a new sandbox.
  6. Make sure you have "Sandbox Scans" selected in the menu on the left hand side and the URL looks like this: https://analysiscenter.veracode.com/auth/index.jsp#SandboxView:123:456:789
  7. The appid is the second part ("456") in from this URL, the sandboxid is third party ("789") from this URL.

Download

Go to Releases: https://github.com/relaxnow/veracode-quick-scan/releases

About

A quick and dirty example of using Veracode APIs to scan a couple of files.

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages