Veracode Container/IaC/Secrets Scanning Action runs the Veracode-CLI as an action on any GitHub pipeline

The Container/IaC/Secrets Scanning Action is designed to be used in a CI/CD pipeline to scan a local folder, remote repository, image or archive for 3rd party library vulnerabilities, infrastrucre as code misconfigurations and stored secrets.

For more information on Pipeline Scan visit Veracode Help Center Page: https://docs.veracode.com/r/Veracode_Container_Security

Intended usage is to add a job to your CI/CD pipeline, run the scans it and returns the results.
A build can be failed upon findings, as well the action will automatically generate SBOM files in most popular formats for you. The formats are cyclonedx-xml, cyclonedx-json, spdx-tag-value, spdx-json and github.

If the action will run within a PR, it will automatically add a comment with all results to the PR. This is done for easy review and approval processes.

If the parameter fail_build is set to true, the action will fail the step upon findings. If set to false, the step will not show as failed.

The full output of the action can still be reviewed on the action run overview and on the command line output.

The tool will need some information passed to it as parameters (many are optional):

• Required

  • vid
    • the Veracode API ID
  • vkey
    • the Veracode API Secret Key
  • command
    • The command to run (scan|sbom)
    • Default is 'scan'
  • source
    • The source to be scanned. Can be a folder, can be a remote repository, can be an image name or can be an image archive name
    • Default is './'
  • format
    • Format in which to output and store the scan results. Enter one of the following values (json|table) for the scan command
    • Format in which to output and store the scan results. Enter one of the following values (cyclonedx-xml, cyclonedx-json, spdx-tag-value, spdx-json, github) for the sbom command
    • Default is 'table'
  • type
    • Which type of scan to run (image|archive|repo|directory)
    • Default is 'directory'

• Optional

  • fail_build
    • Fail the build upon findings. Takes true or false
  • debug
    • Enable heavy debug logging. Takes true or false

All examples follow the same strucutre.

The basic yml

Veracode-container_iac_secrets-scan:
    runs-on: ubuntu-latest
    name: Veracode Container/IaC/Secrets scan

    steps:
      - name: checkout
        uses: actions/checkout@v3

      - name: Veracode Container/IaC/Secrets action step
        uses: veracode/[email protected]
        with:
          vid: ${{ secrets.VID }}
          vkey: ${{ secrets.VKEY }}
          command: "scan" 
          type: "directory"
          source: "./"
          format: "json"
          debug: false
          fail_build: true

Only create SBOM

Veracode-container_iac_secrets-scan:
    runs-on: ubuntu-latest
    name: Veracode Container/IaC/Secrets scan

    steps:
      - name: checkout
        uses: actions/checkout@v3

      - name: Veracode Container/IaC/Secrets action step
        uses: veracode/[email protected]
        with:
          vid: ${{ secrets.VID }}
          vkey: ${{ secrets.VKEY }}
          command: "sbom" 
          type: "directory"
          source: "./"
          format: "cyclonedx-json"
          debug: false
          fail_build: false

The action comes pre-compiled as transpiled JavaScript. If you want to fork and build it on your own you need NPM to be installed, use ncc to compile all node modules into a single file, so they don't need to be installed on every action run. The command to build is simply

ncc build ./src/index.ts