How to Run Veracode SAST Scan in Local Environment

Running a Veracode SAST scan locally: Step-by-Step guide.

May 16, 2025

By Jayanthi Kuttikot Pulleri

Integrating Veracode SAST for Proactive Code Security

Static Application Security Testing (SAST) analyzes an application's source code or compiled artifacts for vulnerabilities, so that security flaws are found and fixed early in the development process instead of after deployment. Veracode's SAST offering includes Pipeline Scan, a command-line scanner that analyzes a packaged build locally or in CI within minutes and reports its findings against the failure criteria you choose. Running it in your local environment lets you catch and fix flaws before code is pushed, and helps you meet your security requirements before deployment.

Run Veracode SAST Scan

Follow these steps to run a Veracode Pipeline Scan in your local environment. The commands are PowerShell; Java must be installed and on the PATH.

  1. Download the pipeline-scan package from the location below.
Invoke-WebRequest -Uri "https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip" -OutFile "pipeline-scan.zip"
  2. Unzip the downloaded file. Create a folder named veracode in your project directory and place pipeline-scan.jar inside it. The folder name is only a convention, but the scan command below assumes it.
  3. Compress the files to be scanned with the command below. For compiled languages such as .NET and Java, package the build output (assemblies together with their PDB files, or JARs/WARs) rather than the raw source; Veracode's packaging guidance for your language states exactly what to include. Keep the veracode folder itself out of the archive so the scanner is not uploaded with your project.
Compress-Archive -Path "your-project-path/*" -DestinationPath "your-project.zip" -Force
  4. Run the scan. Supply your Veracode API ID and secret key in -vid and -vkey. -p names the project, and -fs lists the severities that cause the scan to fail; the example below fails on every finding from Low upward.
java -jar veracode/pipeline-scan.jar `
  -f your-project.zip `
  -vid "your_api_key_id" `
  -vkey "your_api_secret_key" `
  -p "Your-Project" `
  -fs "High,Very High,Medium,Low"
  Credentials typed on the command line end up in shell history and are visible to other processes on the machine. Prefer exporting them as the VERACODE_API_KEY_ID and VERACODE_API_KEY_SECRET environment variables, which pipeline-scan reads itself, and never commit them alongside the project.
  5. The terminal lists the issues found and ends with a status line reporting whether the scan passed or failed, for example:

FAILURE: Found 33 issues!
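As an added example (not from the original article), the whole procedure above collapsed into one PowerShell script. It assumes Java is on the PATH, that the API ID and secret are supplied through the environment variables VERACODE_API_KEY_ID and VERACODE_API_KEY_SECRET rather than typed into the command, and it uses pipeline-scan's -jo/-jf options to also write results.json, which it then summarises by severity. The project name, folder names and severity list are placeholders to adjust; the results.json field names used in the summary (findings, severity, cwe_id, issue_type, files.source_file) follow the pipeline-scan JSON output as I know it, so check the raw file if your version differs.

```powershell
# Added example, not from the original article: the steps above as one script.
# Assumes: Java on PATH; the API ID/secret in the environment variables
# VERACODE_API_KEY_ID / VERACODE_API_KEY_SECRET (so they never sit in the script
# or in shell history); pipeline-scan's -jo/-jf options to write results.json.
param(
    [string]$ProjectPath = ".",             # what to scan (build output for compiled languages)
    [string]$ProjectName = "Your-Project",
    [string]$ToolDir     = "veracode",
    [string]$FailOn      = "Very High,High" # severities that make the scan fail
)
$ErrorActionPreference = "Stop"
# A failing scan is a result, not a script error: stop PS 7.4+ from throwing on java's exit code.
$PSNativeCommandUseErrorActionPreference = $false

if (-not $env:VERACODE_API_KEY_ID -or -not $env:VERACODE_API_KEY_SECRET) {
    throw "Set VERACODE_API_KEY_ID and VERACODE_API_KEY_SECRET before running."
}

# Download and unpack the scanner once; later runs reuse the jar.
$jar = Join-Path $ToolDir "pipeline-scan.jar"
if (-not (Test-Path $jar)) {
    New-Item -ItemType Directory -Force -Path $ToolDir | Out-Null
    Invoke-WebRequest -Uri "https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip" -OutFile "pipeline-scan.zip"
    Expand-Archive -Path "pipeline-scan.zip" -DestinationPath $ToolDir -Force
    Remove-Item "pipeline-scan.zip"
}

# Package the project, leaving out the scanner and earlier scan artefacts.
$zip = "$ProjectName.zip"
$items = Get-ChildItem -Path (Join-Path $ProjectPath "*") -Exclude $ToolDir, $zip, "results.json"
Compress-Archive -Path $items.FullName -DestinationPath $zip -Force

# Run the scan. The exit code is non-zero when findings match the -fs criteria.
& java -jar $jar -f $zip `
    -vid $env:VERACODE_API_KEY_ID -vkey $env:VERACODE_API_KEY_SECRET `
    -p $ProjectName -fs $FailOn -jo true -jf "results.json"
$scanExit = $LASTEXITCODE

# Summarise results.json: findings[].severity is 0..5 (5 = Very High). Field names
# are assumed from the pipeline-scan JSON layout.
$names = @{ 5 = "Very High"; 4 = "High"; 3 = "Medium"; 2 = "Low"; 1 = "Very Low"; 0 = "Informational" }
if (Test-Path "results.json") {
    $findings = @((Get-Content "results.json" -Raw | ConvertFrom-Json).findings | Where-Object { $_ })
    "{0} finding(s) by severity:" -f $findings.Count
    $findings | Group-Object severity | Sort-Object { [int]$_.Name } -Descending |
        ForEach-Object { "  {0,-13} {1,4}" -f $names[[int]$_.Name], $_.Count }
    "Top findings:"
    $findings | Sort-Object severity -Descending | Select-Object -First 10 | ForEach-Object {
        "  [{0}] CWE-{1} {2} at {3}:{4}" -f $names[[int]$_.severity], $_.cwe_id, $_.issue_type,
            $_.files.source_file.file, $_.files.source_file.line
    }
}
# Hand the scanner's verdict to the caller, e.g. a pre-push hook or CI step.
exit $scanExit
```

Save it as scan.ps1 next to the project and run `.\scan.ps1 -ProjectPath .\bin\Release -ProjectName MyApp`. Because the script exits with pipeline-scan's own code, the same file can gate a commit hook or a CI job without any change.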

Other Operations

To perform additional operations, such as retrieving the build list or deleting builds, use the Java API wrapper. The actions it supports are listed at https://docs.veracode.com/r/c_wrapper_simple_actions

  1. Download the Java API wrapper from https://docs.veracode.com/r/t_working_with_java_wrapper
  2. Unzip the file and place VeracodeJavaAPI.jar in the veracode folder created above.
  3. Run the following command to get information such as the build list. The value for -appid is the numeric application ID from the Veracode platform; the getapplist action returns it together with the application names. The same note about credentials on the command line applies here.
java -jar veracode/VeracodeJavaAPI.jar `
  -action getbuildlist `
  -appid "your-app-id" `
  -vid "your_api_key_id" `
  -vkey "your_api_secret_key"
  4. Other actions, such as getapplist or deletebuild, follow the same pattern and are documented at the link above.
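As an added example (not from the original article), a small PowerShell script that runs the getbuildlist action above and tabulates the result. It assumes the wrapper jar sits in .\veracode, that the credentials are in the VERACODE_API_KEY_ID and VERACODE_API_KEY_SECRET environment variables, and that the wrapper prints XML with a buildlist root whose build children carry build_id and version attributes; those attribute names are my assumption about the wrapper's output, so inspect the raw XML if they differ.

```powershell
# Added example, not from the original article: query the build list with the
# Java API wrapper and tabulate it. Assumes the wrapper jar is in .\veracode,
# credentials are in VERACODE_API_KEY_ID / VERACODE_API_KEY_SECRET, and the
# returned XML is <buildlist><build build_id=".." version=".."/>...</buildlist>
# (attribute names assumed; check the raw output if they differ).
param([Parameter(Mandatory = $true)][string]$AppId)   # numeric app ID (see getapplist)
$ErrorActionPreference = "Stop"

$wrapper = "veracode\VeracodeJavaAPI.jar"
if (-not (Test-Path $wrapper)) { throw "Place VeracodeJavaAPI.jar in the veracode folder first." }
if (-not $env:VERACODE_API_KEY_ID -or -not $env:VERACODE_API_KEY_SECRET) {
    throw "Set VERACODE_API_KEY_ID and VERACODE_API_KEY_SECRET before running."
}

# Capture the wrapper's stdout (one string per line) instead of letting it scroll past.
$raw = & java -jar $wrapper -action getbuildlist -appid $AppId `
    -vid $env:VERACODE_API_KEY_ID -vkey $env:VERACODE_API_KEY_SECRET
if ($LASTEXITCODE -ne 0) { throw "getbuildlist failed:`n$($raw -join "`n")" }

# Parse the XML; if the wrapper printed something that is not XML, show it and stop.
try { [xml]$doc = $raw -join "`n" } catch { $raw; throw "Output was not XML; see above." }

# One row per build, newest first if build IDs increase over time.
$doc.buildlist.build |
    Select-Object build_id, version |
    Sort-Object { [long]$_.build_id } -Descending |
    Format-Table -AutoSize
```

Run it as `.\buildlist.ps1 -AppId 123456`. Swapping `-action getbuildlist -appid $AppId` for another action from the documented list, for example `-action getapplist` with no -appid, reuses the same credential handling and exit-code check.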

Benefits of Running Veracode SAST Scans Locally

In conclusion, running a Veracode SAST scan locally provides valuable insights into potential security vulnerabilities within your codebase. By analyzing the results, prioritizing critical issues, and implementing necessary fixes, developers can enhance the security and robustness of their applications before deployment. Regular local scans help maintain code quality, reduce security risks, and ensure compliance with industry best practices.


Jayanthi Kuttikot Pulleri

Sitecore Developer

Jayanthi brings over a decade of dedicated experience in software development, specializing in crafting, enhancing, and overseeing Sitecore-based web applications. Throughout her journey, she has been deeply involved in all stages of the development lifecycle, from initial design and coding to ongoing maintenance and team management.