Reading time: 3 min read

How to Run Veracode SAST Scan in Local Environment

Running a Veracode SAST scan locally: Step-by-Step guide.

Integrating Veracode SAST for Proactive Code Security

Static Application Security Testing (SAST) plays a vital role in detecting vulnerabilities within your application's source code, helping to ensure security compliance and address risks early in the development process. Veracode SAST offers an automated solution for analyzing source code, binaries, and dependencies to identify potential security flaws. By integrating Veracode SAST into your local environment, you can proactively secure your applications and ensure compliance with security best practices before deployment.

Run Veracode SAST Scan

Follow the steps to do a Veracode SAST scan in the local environment

  1. Download the pipeline-scan from the location below
Invoke-WebRequest -Uri "https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip" -OutFile "pipeline-scan.zip"
  1. Unzip the above downloaded file. Create a folder named veracode in your project directory. Place the pipeline-scan.jar inside the folder.
  2. Compress the files that should be scanned using the command below.
Compress-Archive -Path "your-project-path/*" -DestinationPath "your-project.zip" -Force
  1. Run the scan. Please ensure that the pipeline-scan.jar file is inside the veracode folder. Please provide your veracode api id and key in vid and vkey
java -jar veracode/pipeline-scan.jar `
  -f your-project.zip `
  -vid "your_api_key_id" `
  -vkey "your_api_secret_key" `
  -p "Your-Project" `
  -fs "High,Very High,Medium,Low"
  1. In the terminal, you will see a list of issues and a final status of whether the scan was a success or failure.

Console output showing FAILURE: Found 33 issues!

Other Operations

To perform additional operations, such as retrieving the build list or deleting builds, you can use the Java API wrapper. The list of actions it can perform is listed in https://docs.veracode.com/r/c_wrapper_simple_actions

  1. You can download the Java API wrapper from https://docs.veracode.com/r/t_working_with_java_wrapper

  2. Unzip the file and place the VeracodeJavaAPI in the veracode folder created above

  3. Run the following command to get information like the build list

java -jar veracode/VeracodeJavaAPI.jar 
-action getbuildlist 
-appid "your-app-id"
-vid "your_api_key_id" 
-vkey "your_api_secret_key"
  1. You can perform other actions, which are listed in this document https://docs.veracode.com/r/c_wrapper_simple_actions

Benefits of Running Veracode SAST Scans Locally

In conclusion, running a Veracode SAST scan locally provides valuable insights into potential security vulnerabilities within your codebase. By analyzing the results, prioritizing critical issues, and implementing necessary fixes, developers can enhance the security and robustness of their applications before deployment. Regular local scans help maintain code quality, reduce security risks, and ensure compliance with industry best practices.

Related Articles

Sitecore

How to Fix Next.js Router Query String in Sitecore JSS

Remove that annoying _site that is appended to your Sitecore URLs.

1 min read
Sitecore

A Comprehensive Guide to Securing Static Assets while Maintaining Sitecore Integration

Mastering CORS in Next.js + Sitecore ensures secure static assets, safe CMS integration, and audit-ready deployments—set it up right the first time.

1 min read