Veracode is a leading provider of application security testing products. Veracode recently added support for Apex, Visualforce, Lightning Web Components and Aura components to its static code analysis product.

Veracode provides three solutions for scanning code: an IDE plugin called Greenlight, a development pipeline option called Pipeline Scan, and a full scan of the code base called Upload and Scan.

At the time of writing this post, Salesforce scans are only supported with the Upload and Scan solution. In this post we will look at how to initiate a new scan automatically as part of a GitHub Actions workflow.

Prerequisites

  • Salesforce project managed in source control with access to a CI/CD tool. The example uses a project on GitHub with GitHub Actions
  • Veracode account

Step 1: Set up Veracode

Log into Veracode and create a new application.

You will also need to generate API credentials to use for setting up the integration with GitHub Actions. Save your API ID and secret key; the workflow below reads both from GitHub secrets.

Step 2: Test the Scan Manually

Veracode supports several Salesforce file types. See the Apex language support page for the most current list.

The key requirement for running the scan is to package the files in the way that the Veracode scanner is expecting them. In this case, all of the files should be placed in a single directory, which is then zipped up.

Copy some files from your Salesforce project to a new folder on your local computer and zip the folder. In Veracode, navigate to your application and start a new scan with auto-scan option set to ‘off’. Click the ‘Upload Files’ button and upload the zipped folder you just created.

Click through the pre-scan process and finally click the ‘Start Scan’ button.

Once the scan completes, you will be able to view the detailed report from the scan results page.

Step 3: Integrate Scans into the Development Process

Depending on your requirements, you may want to automatically scan files that are being changed or added with new features. In this example, we will use GitHub Actions to upload and run a Veracode scan.

First we need to add the API ID and secret key to the GitHub project as repository secrets so that we can use them with the GitHub Action.

  • In the GitHub repository, navigate to Settings -> Secrets and click “New repository secret”. Create a secret for the API ID:
    • Name: VERACODE_API_ID
    • Value: (paste the value of the API ID generated in Step 1)
  • Create a secret for the API secret key:
    • Name: VERACODE_API_KEY
    • Value: (paste the value of the API secret key generated in Step 1)
  • Create a secret for the application name:
    • Name: VERACODE_APP_NAME
    • Value: (paste the value of the Application Name you created in Step 1)

Next we will create a new GitHub Actions workflow with the following contents:

name: Veracode Upload and Scan
on:
  workflow_dispatch:
  push:
    branches:
      - main

jobs:
  veracode:
    name: Veracode
    runs-on: ubuntu-latest
    steps:
      # checkout main branch
      - name: Checkout Main Branch
        uses: actions/checkout@v2
        with:
          ref: main
      # copy code to temp folder
      - name: Prepare Code for Package
        run: |
          mkdir veracode-temp
          if [ -d "force-app/main/default/classes" ]; then find ./force-app/main/default/classes -name '*.cls' -exec cp '{}' ${{ github.workspace }}/veracode-temp \; ; else echo "No classes"; fi;
          if [ -d "force-app/main/default/triggers" ]; then find ./force-app/main/default/triggers -name '*.trigger' -exec cp '{}' ${{ github.workspace }}/veracode-temp \; ; else echo "No triggers"; fi;
          if [ -d "force-app/main/default/lwc" ]; then find ./force-app/main/default/lwc \( -name '*.html' -o -name '*.js' \) -exec cp '{}' ${{ github.workspace }}/veracode-temp \; ; else echo "No lwc"; fi;
          if [ -d "force-app/main/default/aura" ]; then find ./force-app/main/default/aura \( -name '*.cmp' -o -name '*.js' -o -name '*.app' \) -exec cp '{}' ${{ github.workspace }}/veracode-temp \; ; else echo "No aura"; fi;
          if [ -d "force-app/main/default/pages" ]; then find ./force-app/main/default/pages -name '*.page' -exec cp '{}' ${{ github.workspace }}/veracode-temp \; ; else echo "No visualforce"; fi;
          # Note: the -name alternatives are grouped with \( \) so that -exec applies to every file type, not only the last one.
      # create a zip file according to Veracode package format requirements
      - name: Create Package for Veracode
        run: zip -r veracode-temp/uploadandscan.zip ./veracode-temp
      # Make java accessible on path so the uploadandscan action can run.
      - name: Install Java
        uses: actions/setup-java@v1
        with:
          java-version: "8"
      # Copy files from repository to docker container so the next uploadandscan action can access them.
      - name: Make Files Available
        uses: actions/upload-artifact@v2
        with:
          path: ${{ github.workspace }}/veracode-temp/uploadandscan.zip # Wildcards can be used to filter the files copied into the container. See: https://github.com/actions/upload-artifact
      - name: Upload and Scan
        uses: veracode/veracode-uploadandscan-action@master # Run the uploadandscan action. Inputs are described here: https://github.com/marketplace/actions/veracode-upload-and-scan
        with:
          filepath: "./veracode-temp/uploadandscan.zip"
          vid: "${{ secrets.VERACODE_API_ID }}"
          vkey: "${{ secrets.VERACODE_API_KEY }}"
          createsandbox: "false"
          appname: "${{ secrets.VERACODE_APP_NAME }}"
          scantimeout: 15
          exclude: "*Test.cls" # Exclude test classes from scan

Workflow Highlights

  • Runs whenever there is a push to the main branch or can be triggered manually.
  • Copies files supported by Veracode to temporary directory and creates a zip file. Currently supported file types include:
    • Apex classes
    • Apex triggers
    • Visualforce pages
    • Aura components
    • Lightning web components
  • Note that the source locations in the Prepare Code for Package step assume sfdx source format (force-app/main/default/...). Update the paths on lines 22-26 of the workflow if you are using Metadata API format.
  • Runs the scan using the secrets we added earlier.
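As an added example (not code from the original post or from Veracode), the POSIX shell functions below perform the same staging as the Prepare Code for Package step: they copy the supported file types into one flat directory, skip source folders that are not present, group the name globs so every alternative is copied, and warn when two flattened files share a name (for example the same helper .js in both lwc and aura, which the flat layout would silently overwrite). The source root (force-app/main/default in sfdx format) and the staging directory are parameters; the workflow's zip step follows unchanged.

```shell
#!/bin/sh
# Added example, not from the original post: stage Salesforce sources into the
# single flat directory that Veracode Upload and Scan expects.
set -eu

# stage_dir SRC_DIR OUT_DIR GLOB... : copy files matching any GLOB flat into
# OUT_DIR; skip a missing SRC_DIR; warn when a flattened name collides.
stage_dir() {
  dir=$1; out=$2; shift 2
  [ -d "$dir" ] || { echo "skip: $dir not present" >&2; return 0; }
  n=$#
  i=0
  for g in "$@"; do                      # rebuild "$@" as a find expression
    i=$((i + 1))
    if [ "$i" -eq 1 ]; then set -- "$@" '(' -name "$g"
    else set -- "$@" -o -name "$g"; fi
  done
  shift "$n"                             # drop the original globs
  set -- "$@" ')'                        # ( -name g1 -o -name g2 ... )
  find "$dir" -type f "$@" -exec sh -c '
    out=$1; shift
    for f; do
      b=$(basename "$f")
      [ -e "$out/$b" ] && echo "warning: $b already staged, overwriting" >&2
      cp "$f" "$out/"
    done' sh "$out" {} +
}

# stage_sources SF_SRC OUT_DIR : the file types the post lists as supported,
# in sfdx layout (SF_SRC is normally force-app/main/default).
stage_sources() {
  mkdir -p "$2"
  stage_dir "$1/classes"  "$2" '*.cls'
  stage_dir "$1/triggers" "$2" '*.trigger'
  stage_dir "$1/lwc"      "$2" '*.html' '*.js'
  stage_dir "$1/aura"     "$2" '*.cmp' '*.js' '*.app'
  stage_dir "$1/pages"    "$2" '*.page'
}

# staged_count OUT_DIR : number of files waiting to be zipped.
staged_count() { find "$1" -type f | wc -l | tr -d ' '; }
```

Run it as `stage_sources force-app/main/default veracode-temp` before the zip step; `*.js-meta.xml` files are not matched by `*.js`, so metadata files stay out of the package.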

Step 4: Review the Scan Results in Veracode

The results of Veracode’s Upload and Scan solution are only visible in the Veracode app. Log into Veracode and navigate to the application. You should see the results under the Scans section.
