security-scan-invoker
Advanced tools
Submits a Veracode scan if able. Will perform pre-scan checks to determine the
A python module to submit and monitor scan statuses for static security scanning platforms
Install Make
For Mac users, you can use Homebrew
brew install make
For Windows users, you can use Chocolatey
choco install make
Setup Virtual Environment
make init
source venv/bin/activate.\venv\Scripts\activateYou’ll know the venv is activated since you’ll see (venv) in the terminal
deactivate in the terminalRun Tox from the Makefile
make verify
Auto format Python files to PEP8
make fix
Clean up Python virtual environments
make clean
Explicitly tested and supported Python versions can be found in the tox.ini file, but generally this will be the latest 3 versions of Python.
GitHub Action
- name: Veracode upload for analysis
uses: JohnDeere/security-scan-invoker@{VERSION}
with:
veracode_secret_id: ${{ secrets.VERACODE_ACCESS_KEY_ID }}
veracode_secret_key: ${{ secrets.VERACODE_SECRET_ACCESS_KEY }}
package_to_scan: veracode-scanner.zip
veracode_project_name: "Your_Project_name"
CLI usage:
security_scan_invoker --vid <ID> --vkey <KEY> --appname <APPNAME> --filepath <FILEPATH> --version <VERSION>
CLI with optional arguments included:
security_scan_invoker --vid <ID> --vkey <KEY> --appname <APPNAME> --filepath <FILEPATH> --version <VERSION> --allow_rescan <True> --select_previous_modules <True>
Python module import usage:
from security_scan_invoker.main import run_veracode_scanner_app
from security_scan_invoker.scanner_args import ScannerArgs
args = {
"vid": "<VID>",
"vkey": "<VKEY>",
"appname": "<APPNAME>",
"filepath": "<FILEPATH>",
"version": "<UNIQUE_VERSION>",
"allow_rescan": "<ALLOW_RESCAN>",
"select_previous_modules": "<SELECT_PREVIOUS_MODULES>",
}
exit_code: int = run_veracode_scanner_app(ScannerArgs(args))
Note: version must be unique. One possible way to maintain uniqueness is by setting the
version to commit hash + job number.
| Previous scan status | New version? | ALLOW_RESCAN | Action | Build status |
|---|---|---|---|---|
| Results Ready | Y | N/A | Submit new scan | Based on submit response |
| Results Ready | N | false | Skip scan | Pass |
| Results Ready | N | true | Submit Rescan | Based on submit response |
| Scan in Progress | Y/N | N/A | Skip scan | Pass |
| Pre-Scan Submitted | Y/N | N/A | Skip scan | Pass |
| Pre-Scan Success | Y/N | N/A | Skip scan | Pass |
| Not Submitted to Engine | Y/N | N/A | Skip scan | Pass |
| Submitted to Engine | Y/N | N/A | Skip scan | Pass |
| Pending Internal Review | Y/N | N/A | Skip scan | Pass |
| Incomplete | Y | N/A | Delete Previous Scan and Submit New Scan | Based on submit response |
| Incomplete | N | N/A | Fail build | Fail |
| Scan Canceled | Y | N/A | Delete Previous Scan and Submit New Scan | Based on submit response |
| Scan Canceled | N | N/A | Fail build | Fail |
| No Modules Defined | Y | N/A | Delete Previous Scan and Submit New Scan | Based on submit response |
| No Modules Defined | N | N/A | Fail build | Fail |
| Pre-scan Canceled | Y | N/A | Delete Previous Scan and Submit New Scan | Based on submit response |
| Pre-scan Canceled | N | N/A | Fail build | Fail |
| Pre-scan Failed | Y | N/A | Delete Previous Scan and Submit New Scan | Based on submit response |
| Pre-scan Failed | N | N/A | Fail build | Fail |
Q: I got an error saying ERROR: Get app list returned status_code: 401
A: This means the passed API credentials don't have access to the Veracode App Profile
This could be due to any of the following:
Note: Sometimes Veracode returns 401 errors for unknown reasons. This is rare, but may coincide with a problem in their platform. Check the Veracode status page to check the health of their services.
Q: I got an error
saying ERROR: Can't find app called ______ in any of the _____ apps associated with your ID and Key
A: This means that your Veracode credentials were recognized by Veracode but the app wasn't in the list of apps tied to your credentials.
This could be due to any of the following:
Q: I got an error saying ERROR: The following build status is not handled: ______
A: This means the previous scan failed and is in a state that needs investigation. It is not handled automatically by veracode-scanner. Please create an issue on this repository.
Q: I got an error
saying ERROR: You are trying to scan version ______, which is the same version as the previous scan, and it is in a bad state: ______
A: This means that you are re-executing a scan with the same commit as the previous scan, which is in a bad state. Follow these steps:
Q: I got an error
saying ERROR: We found an issue in deleting the previous scan, which is in a bad state
A: This means veracode-scanner failed to automatically delete the previous scan. Ensure that
your Veracode credentials have Delete Scans access.
Q: I found a bug. What do I do?
A: Submit bug reports and feature requests as an issue on the veracode-scanner repo
FAQs
Submits a Veracode scan if able. Will perform pre-scan checks to determine the
We found that security-scan-invoker demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
OpenSSF has published OSPS Baseline, an initiative designed to establish a minimum set of security-related best practices for open source software projects.
Security News
Michigan TypeScript founder Dimitri Mitropoulos implements WebAssembly runtime in TypeScript types, enabling Doom to run after processing 177 terabytes of type definitions.
Security News
vlt's new "reproduce" tool verifies npm packages against their source code, outperforming traditional provenance adoption in the JavaScript ecosystem.