GitHub Action
Veracode Static Analysis Pipeline Scan and SARIF import
This action has a workflow which initiates a Veracode Static Analyis Pipeline Scan and takes the Veracode pipeline scan JSON result file as an input and transforms it to a SARIF format.
Add the -jo true
to your Pipeline Scan command to generate the JSON result file. See details for the other pipeline scan attributes.
If your GitHub account allows code scanning alerts, you can then upload the sarif
file to show the scan findings.
Run a pipeline scan of your application code within your GitHub development pipeline. The action also converts the scan results to a Static Analysis Results Interchange Format (SARIF) file and imports them as code-scanning alerts. To view the scan results, in your GitHub project, select Security > Code scanning alerts.
To configure this action, edit the settings in the provided /workflows/main.yml file. For example, if you do not want the action to convert the scan results from JSON format to SARIF format and import them into GitHub, you can remove or comment out those settings.
Required The path to the pipeline json result file.
Default value | "results.json" |
---|
Optional The path to the SARIF format result file.
Default value | "veracode-results.sarif" |
---|
Optional In some compilations, the path representation is not the same as the repository root folder. In order to add the ability to navigate back from the scanning issue to the file in the repository, a base path to the source is required. The input format is regex base ("[search pattern]:[replace with pattern]"
).
Default value | "" |
---|
WARNING
The 'finding-rule-level' input is deprecated and will be removed in a future release.
It will be overwritten witten with 4:3:0
This setting is not needed anymore as GitHub as introduced granular control over the severity of findings
Please find more informarion here: https://github.blog/changelog/2021-07-19-codeql-code-scanning-new-severity-levels-for-security-alerts/#about-security-severity-levels
Optional The conversion rule from Veracode finding levels to Github levels.
- Veracode levels: 5 =
Very High
, 4 =High
, 3 =Medium
, 2 =Low
, 1 =Very Low
, 0 =informational
. - GitHub levels:
error
,warning
,note
.
Example values:
- "4:3:0" =>
High
andVery high
will show aserror
, Medium aswarning
and the rest asnote
- "3:2:1" =>
Medium
and above will show aserror
,Low
aswarning
,Very Low
asnote
, andinformational
will not show at all
Note: Only error
level will fail pull request check
Default value | "4:3:0" |
---|
results_to_sarif:
needs: pipeline_scan
runs-on: ubuntu-latest
name: import pipeline results to sarif
steps:
- name: Convert pipeline scan output to SARIF format
id: convert
uses: Veracode/[email protected]
with:
pipeline-results-json: results.json
output-results-sarif: veracode-results.sarif
source-base-path-1: "^com/veracode:src/main/java/com/veracode"
source-base-path-2: "^WEB-INF:src/main/webapp/WEB-INF"
- name: upload sarif file to repository
uses: github/codeql-action/upload-sarif@v2
with: # Path to SARIF file relative to the root of the repository
sarif_file: veracode-results.sarif
ncc build src/action.ts