9 changes: 7 additions & 2 deletions .gitlab-ci.yml
Expand Up @@ -108,10 +108,15 @@ Auto Package:
- git -C ${PROJECT_PATH} checkout ${COMMIT_SHA}
- cd $(basename -s .git ${CLONE_URL})
- cd ../../
- ${CLI_FOLDER}/veracode package --source clonePath/* --output $ARTIFACTS_FOLDER --trust --debug
- |
if [ "$DEBUG" = "true" ]; then
${CLI_FOLDER}/veracode package --source clonePath/* --output "$ARTIFACTS_FOLDER" --trust --verbose
else
${CLI_FOLDER}/veracode package --source clonePath/* --output "$ARTIFACTS_FOLDER" --trust
fi
<<: *artifacts_template
rules:
- if: '$EXECUTE_PIPELINE == "true" || $EXECUTE_POLICY == "true" || $EXECUTE_IAC == "true" || $EXECUTE_SANDBOX == "true"'
- if: '$EXECUTE_PIPELINE == "true" || $EXECUTE_POLICY == "true" || $EXECUTE_SANDBOX == "true"'
when: always

.veracode_scan: &veracode_scan
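Review bot: The two `veracode package` invocations inside the new `if [ "$DEBUG" = "true" ]` block differ only by `--verbose`, so any future change to the shared arguments has to be made twice. Compute the flag once and run a single command: `VERBOSE_FLAG=""; if [ "$DEBUG" = "true" ]; then VERBOSE_FLAG="--verbose"; fi` followed by `${CLI_FOLDER}/veracode package --source clonePath/* --output "$ARTIFACTS_FOLDER" --trust $VERBOSE_FLAG`. Note that `$ARTIFACTS_FOLDER` is now quoted but `${CLI_FOLDER}` on the same lines is not; quoting both keeps the behaviour consistent when either path contains spaces.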
73 changes: 20 additions & 53 deletions utility/utils.js
Expand Up @@ -402,12 +402,10 @@ function iacResult(scanResult){
let IaCVulnerabilities = extractIaCVulnerabilities(scanResult);
let IaCMisconfigurations = extractIaCMisconfigurations(scanResult);
let IaCSecrets = extractIaCSecrets(scanResult);
let IaCPolicyResults = extractIaCPolicyResults(scanResult);

output += IaCVulnerabilities;
output += IaCMisconfigurations;
output += IaCSecrets;
output += IaCPolicyResults;

return output;
}
Expand All @@ -431,16 +429,17 @@ function extractIaCVulnerabilities(scanResult){
INSTALLED : result.artifact.version,
FIXED_IN : result.vulnerability.fix.versions[0] || "N/A",
TYPE : result.artifact.type,
MESSAGE : result.vulnerability.description
}));

formattedVulnerabilities.sort((a, b) => severityRank[b.SEVERITY] - severityRank[a.SEVERITY]);

output+= '<details>\n'+
'<summary>Vulnerability Scan Details</summary>\n\n'+
'| Severity | Name | Vulnerability | Installed | Fixed-In | Type |\n' +
'| -------- | -------- | ------------- | --------- | --------------| ----------- |\n';
'| Severity | Name | Vulnerability | Installed | Fixed-In | Type | Message |\n' +
'| -------- | -------- | ------------- | --------- | --------------| ----------- | -------------- |\n';
formattedVulnerabilities.forEach((result) => {
output += `| ${result.SEVERITY} | ${result.NAME} | ${result.VULNERABILITY} | ${result.INSTALLED} | ${result["FIXED_IN"]} | ${result.TYPE} |\n`;
output += `| ${result.SEVERITY} | ${result.NAME} | ${result.VULNERABILITY} | ${result.INSTALLED} | ${result["FIXED_IN"]} | ${result.TYPE} | ${result.MESSAGE} |\n`;
});
output += '\n</details>\n';

Expand All @@ -449,9 +448,9 @@ function extractIaCVulnerabilities(scanResult){

function extractIaCMisconfigurations(scanResults) {
let output = "";
const Misconfigurations = scanResults?.configs?.Results?.[0]?.Misconfigurations;
const Misconfigurations = scanResults?.configs;

if (!Misconfigurations || Misconfigurations.length === 0) {
if (Misconfigurations.length === 0) {
output += "\n<details>\n";
output += "<summary>Misconfiguration Details</summary>\n\n";
output += "No Misconfigurations found.\n";
Expand All @@ -464,19 +463,21 @@ function extractIaCMisconfigurations(scanResults) {
TITLE : result.Title,
ID : result.ID,
PROVIDER : result.CauseMetadata.Provider,
MESSAGE : result.Message === "No issues found" ? "-" : result.Message
}));
formattedData.sort((a, b) => severityRank[b.SEVERITY] - severityRank[a.SEVERITY]);

output += '\n<details>\n' +
'<summary>Misconfiguration Details</summary>\n\n' +
'| SEVERITY | TITLE | ID | PROVIDER |\n' +
'| ------- | -------- | ----- | ---------|\n';
'| SEVERITY | TITLE | ID | PROVIDER | MESSAGE |\n' +
'| ------- | -------- | ----- | --------- | -------------- |\n';
formattedData.forEach((result) => {
output +=
`| ${result.SEVERITY} ` +
`| ${result.TITLE} ` +
`| ${result.ID} ` +
`| Line ${result.PROVIDER} |\n`;
`| Line ${result.PROVIDER} `+
`| ${result.MESSAGE} |\n`
});
output += '\n</details>\n';

Expand All @@ -485,9 +486,9 @@ function extractIaCMisconfigurations(scanResults) {

function extractIaCSecrets(scanResult){
let output = "";
const IacSecreteData = scanResult?.secrets?.Results || [];
const IacSecreteData = scanResult?.secrets || [];

if(!IacSecreteData || IacSecreteData.length == 0 ){
if(IacSecreteData.length == 0){
output += "\n<details>\n";
output += "<summary>Secrets Scan Details</summary>\n";
output += "No Secrets found.\n";
Expand All @@ -496,59 +497,25 @@ function extractIaCSecrets(scanResult){
}

const formattedIacSecret = IacSecreteData.map((result) => ({
SEVERITY : result.Secrets[0].Severity,
SECRET_TYPE : result.Secrets[0].Title,
FILE : result.Target
SEVERITY : result.Severity,
SECRET_TYPE : result.Title,
FILE : result.Target,
MESSAGE : result.Match
}));
formattedIacSecret.sort((a, b) => severityRank[b.SEVERITY] - severityRank[a.SEVERITY]);

output+= '<details>\n'+
'<summary>Secrets Scan Details</summary>\n\n'+
'| Severity | SECRET_TYPE | FILE |\n' +
'| -------- | ----------- | -------------|\n';
'| Severity | SECRET_TYPE | FILE | MESSAGE |\n' +
'| -------- | ----------- | ------------- | ----------------- |\n';
formattedIacSecret.forEach((result) => {
output += `| ${result.SEVERITY} | ${result.SECRET_TYPE} | ${result.FILE} |\n`;
output += `| ${result.SEVERITY} | ${result.SECRET_TYPE} | ${result.FILE} | ${result.MESSAGE} |\n`;
});
output += '\n</details>\n';

return output;
}

function extractIaCPolicyResults(scanResult){
let output = "";
const IacPolicyResult = scanResult?.["policy-results"][0]?.failures || [];

if(!IacPolicyResult|| IacPolicyResult.length == 0 ){
output += "<details>\n";
output += "<summary>Policy Evaluation Details</summary>\n";
output += "No Policy found.\n";
output += "</details>\n";
return output;
}

const formattedIacPolicyResult = IacPolicyResult.map((result) => {
const severityMatch = result.msg.match(/Found (Critical|High|Medium|Low|Very_low|Informational)/);
const ghsaMatch = result.msg.match(/GHSA-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}/);
return {
SEVERITY : severityMatch ? severityMatch[1] : "Unknown",
VULNERABILITY : ghsaMatch ? ghsaMatch[0] : "Unknown",
MESSAGE : result.msg // Or extract this from the message if it varies
};
});
formattedIacPolicyResult.sort((a, b) => severityRank[b.SEVERITY] - severityRank[a.SEVERITY]);

output+= '<details>\n'+
'<summary>Policy Evaluation Details</summary>\n\n'+
'| SEVERITY | VULNERABILITY | MESSAGE |\n' +
'| -------- | ----------- | -------------|\n';
formattedIacPolicyResult.forEach((result) => {
output += `| ${result.SEVERITY} | ${result.VULNERABILITY} | ${result.MESSAGE} |\n`;
});
output += '\n</details>';

return output;
}

module.exports = {
processStaticResultsXML,
attacheResult,
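Review bot: In extractIaCMisconfigurations the new `const Misconfigurations = scanResults?.configs;` is followed by `if (Misconfigurations.length === 0)`, so a result set with no `configs` key now throws a TypeError instead of printing "No Misconfigurations found." as the old guard did; keep the fallback, e.g. `const Misconfigurations = scanResults?.configs ?? [];`, matching the `|| []` that extractIaCSecrets still has (the rest of extractIaCMisconfigurations' body lies outside this hunk). In extractIaCSecrets, `MESSAGE : result.Match` writes the matched content of every secret finding into the Markdown report; unless the scanner already masks that field, the secret itself ends up in the artifact or MR comment, so confirm the masking or truncate the value before emitting it. The same hunks interpolate `description`, `Message` and `Match` straight into table rows, and any `|` or newline in those strings breaks the row; a one-line helper such as `const cell = (s) => String(s ?? '').replace(/\|/g, '\\|').replace(/\r?\n/g, ' ');` applied to each `${...}` cell keeps the tables valid.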
8 changes: 5 additions & 3 deletions veracode-scans/iac-scan/iac-scan.js
Expand Up @@ -4,7 +4,7 @@ const { exitOnFailure, updateErrorMessage, uploadArtifact } = require('../../uti
const execa = require('execa');
const displayScanResult = require('../../displayScanResult');

async function iacScan(sourceBranch, breakBuildOnFinding, breakBuildOnError, userErrorMessage) {
async function iacScan(sourceBranch, breakBuildOnFinding, breakBuildOnError, userErrorMessage, debug) {
const veracodeDir = path.dirname(require.main.filename);
const veracodeCliPath = path.resolve(veracodeDir, 'veracode-cli');
const veracodeExecutable = path.join(veracodeCliPath, 'veracode');
Expand All @@ -28,7 +28,7 @@ async function iacScan(sourceBranch, breakBuildOnFinding, breakBuildOnError, use
'--type', 'directory',
'--format', 'json',
'--output', 'results.json',
'--verbose'
...(debug === "true" ? ['--verbose'] : [])
],
{
reject: false,
Expand All @@ -47,10 +47,12 @@ async function iacScan(sourceBranch, breakBuildOnFinding, breakBuildOnError, use
'--type', 'directory',
'--format', 'table',
'--output', 'results.txt',
'--verbose'
...(debug === "true" ? ['--verbose'] : [])
],
{
reject: false,
stderr: 'inherit',
stdout: 'inherit',
env: {
VERACODE_API_KEY_ID: process.env.VERACODE_API_ID,
VERACODE_API_KEY_SECRET: process.env.VERACODE_API_KEY
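Review bot: The new `...(debug === "true" ? ['--verbose'] : [])` only enables verbose output when `debug` arrives as the literal string "true", yet veracode.yml in this same change declares `debug: false` as a bare YAML scalar; if the config loader (not visible here) hands the value over as a boolean, the flag never fires. The same string comparison is repeated in pipeline.js, policy.js, sandbox.js and sca-scan.js, including three brace-less `if(debug === "true")` statements that append to command strings. Normalize once where the config is read, e.g. `const debugEnabled = String(debug).toLowerCase() === 'true';`, and pass that boolean through so every call site becomes `...(debugEnabled ? ['--verbose'] : [])`.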
11 changes: 6 additions & 5 deletions veracode-scans/pipeline-scan/pipeline.js
Expand Up @@ -9,7 +9,7 @@ const pipelineScanIssue = require('../../veracode-issues/pipelineScanIssue');
const displayScanResult = require('../../displayScanResult');
const { execSync } = require('child_process');

async function pipelineScan(apiId, apiKey, appProfileName, filterMitigatedFlaws, breakBuildOnFinding, breakBuildOnError, userErrorMessage, policyName, breakBuildOnInvalidPolicy, createIssue) {
async function pipelineScan(apiId, apiKey, appProfileName, filterMitigatedFlaws, breakBuildOnFinding, breakBuildOnError, userErrorMessage, policyName, breakBuildOnInvalidPolicy, createIssue, debug) {
const veracodeArtifactsDir = path.join(__dirname, '../../veracode-artifacts');

try {
Expand All @@ -30,7 +30,7 @@ async function pipelineScan(apiId, apiKey, appProfileName, filterMitigatedFlaws,
const artifacts = await fs.promises.readdir(veracodeArtifactsDir);
const scanResults = await Promise.all(
artifacts.map((artifact) =>
executePipelineScan(veracodeArtifactsDir, artifact, apiId, apiKey)
executePipelineScan(veracodeArtifactsDir, artifact, apiId, apiKey, debug)
)
);

Expand Down Expand Up @@ -122,15 +122,16 @@ async function pipelineScan(apiId, apiKey, appProfileName, filterMitigatedFlaws,
}
}

async function executePipelineScan(veracodeArtifactsDir, artifactName, apiId, apiKey) {
async function executePipelineScan(veracodeArtifactsDir, artifactName, apiId, apiKey, debug) {
const pipelineResultFileName = `${artifactName}-` + appConfig().pipelineScanFile;
const filteredResultFileName = `${artifactName}-` + appConfig().filteredScanFile;

try {
const artifactFilePath = path.join(veracodeArtifactsDir, artifactName);
const pipelineScanJarPath = path.join(__dirname, 'pipeline-scan.jar');
const pipelineScanCommand = `java -jar ${pipelineScanJarPath} -vid ${apiId} -vkey ${apiKey} -f ${artifactFilePath} -jf ${pipelineResultFileName} -fjf ${filteredResultFileName}`;

let pipelineScanCommand = `java -jar ${pipelineScanJarPath} -vid ${apiId} -vkey ${apiKey} -f ${artifactFilePath} -jf ${pipelineResultFileName} -fjf ${filteredResultFileName}`;
if(debug === "true")
pipelineScanCommand += ' -V true';
execSync(pipelineScanCommand, { stdio: 'inherit' });
return { artifact: artifactName, success: true, results: [] };
} catch (error) {
11 changes: 7 additions & 4 deletions veracode-scans/policy-scan/policy.js
Expand Up @@ -9,7 +9,7 @@ const policyScanIssue = require('../../veracode-issues/policyScanIssue');
const displayScanResult = require('../../displayScanResult');
const exitStatus = true;

async function policyScan(apiId, apiKey, appName, buildId, policyName, teams, createprofile, breakBuildOnFinding, breakBuildOnError, userErrorMessage, breakBuildOnInvalidPolicy, createIssue, repoUrl) {
async function policyScan(apiId, apiKey, appName, buildId, policyName, teams, createprofile, breakBuildOnFinding, breakBuildOnError, userErrorMessage, breakBuildOnInvalidPolicy, createIssue, repoUrl, debug) {
try {
const invalidPolicy = await veracodePolicyVerification(apiId, apiKey, policyName, breakBuildOnInvalidPolicy);
if (invalidPolicy) {
Expand All @@ -29,7 +29,7 @@ async function policyScan(apiId, apiKey, appName, buildId, policyName, teams, cr
}

try {
const result = await triggerPolicyScan(apiId, apiKey, policyResult, resApp, veracodeArtifactsDir, buildId, breakBuildOnError, userErrorMessage, createIssue);
const result = await triggerPolicyScan(apiId, apiKey, policyResult, resApp, veracodeArtifactsDir, buildId, breakBuildOnError, userErrorMessage, createIssue, debug);
if (result.status === STATUS.Findings) {
exitOnFailure(breakBuildOnFinding);
}
Expand All @@ -48,10 +48,12 @@ async function policyScan(apiId, apiKey, appName, buildId, policyName, teams, cr
}
}

async function triggerPolicyScan(apiId, apiKey, policyResult, resApp, artifactFilePath, buildId, breakBuildOnError, userErrorMessage, createIssue) {
async function triggerPolicyScan(apiId, apiKey, policyResult, resApp, artifactFilePath, buildId, breakBuildOnError, userErrorMessage, createIssue, debug) {
console.log(`Veracode: Policy scan executing...`);
// let policyScanCommand = `java -jar ${__dirname}/api-wrapper-LATEST/VeracodeJavaAPI.jar -action UploadAndScanByAppId -vid ${apiId} -vkey ${apiKey} -appid ${resApp?.appId} -filepath ${artifactFilePath} -version "${buildId}" -scanpollinginterval 30 - include -autoscan false -scanallnonfataltoplevelmodules false`;
let debugCommand = `java -jar ${__dirname}/api-wrapper-LATEST/VeracodeJavaAPI.jar -action UploadAndScanByAppId -vid *** -vkey *** -appid ${resApp?.appId} -filepath ${artifactFilePath} -version "${buildId}" -scanpollinginterval 30 - include -autoscan true -scanallnonfataltoplevelmodules true -includenewmodules true -deleteincompletescan 2`;
if(debug === "true")
debugCommand += ' -debug true';
let scan_id = '';
try {
console.log(`Command to execute the policy scan : ${debugCommand}`);
Expand All @@ -68,7 +70,8 @@ async function triggerPolicyScan(apiId, apiKey, policyResult, resApp, artifactFi
'-autoscan', 'true',
'-scanallnonfataltoplevelmodules', 'true',
'-includenewmodules', 'true',
'-deleteincompletescan', '2'
'-deleteincompletescan', '2',
...(debug === "true" ? ['-debug', 'true'] : [])
];

const { stdout } = await execa('java', args);
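Review bot: In triggerPolicyScan the logged `debugCommand` string and the real `args` array are two hand-maintained copies of the same command, and this commit has to append `-debug true` to both; they will drift the next time only one is edited. Build `args` first (its start is outside the second hunk) and derive the log line from it with the credentials masked, e.g. `const masked = args.map((a, i) => (['-vid', '-vkey'].includes(args[i - 1]) ? '***' : a));` then `console.log(\`Command to execute the policy scan : java ${masked.join(' ')}\`);`, so the log always reflects what is executed. The commented-out command string on the line above `debugCommand` is dead and can be dropped in the same pass.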
9 changes: 5 additions & 4 deletions veracode-scans/policy-scan/sandbox.js
Expand Up @@ -5,7 +5,7 @@ const { getVeracodeApplication, veracodePolicyVerification } = require('../../ut
const execa = require('execa');
const { exitOnFailure } = require('../../utility/utils');

async function sandboxScan(apiId, apiKey, sourceBranch, policyName, teams, createprofile, buildId, appName, breakBuildOnInvalidPolicy, repoUrl) {
async function sandboxScan(apiId, apiKey, sourceBranch, policyName, teams, createprofile, buildId, appName, breakBuildOnInvalidPolicy, repoUrl, debug) {
let resApp;
try {
const invalidPolicy = await veracodePolicyVerification(apiId, apiKey, policyName, breakBuildOnInvalidPolicy);
Expand All @@ -32,14 +32,14 @@ async function sandboxScan(apiId, apiKey, sourceBranch, policyName, teams, creat
}

try {
triggerSandboxScan(apiId, apiKey, resApp, veracodeArtifactsDir, sourceBranch, buildId);
triggerSandboxScan(apiId, apiKey, resApp, veracodeArtifactsDir, sourceBranch, buildId, debug);
} catch (error) {
console.log(`Error while executing sandbox scan on ${sourceBranch} branch: `, error);
return;
}
}

async function triggerSandboxScan(apiId, apiKey, resApp, artifactFilePath, sourceBranch, buildId) {
async function triggerSandboxScan(apiId, apiKey, resApp, artifactFilePath, sourceBranch, buildId, debug) {
const sandboxName = `${veracodeConfig().sandboxScanName}${sourceBranch}`;
const args = [
'-jar', `${__dirname}/api-wrapper-LATEST/VeracodeJavaAPI.jar`,
Expand All @@ -56,7 +56,8 @@ async function triggerSandboxScan(apiId, apiKey, resApp, artifactFilePath, sourc
'-autoscan', 'true',
'-scanallnonfataltoplevelmodules', 'true',
'-includenewmodules', 'true',
'-deleteincompletescan', '2'
'-deleteincompletescan', '2',
...(debug === "true" ? ['-debug', 'true'] : [])
];

try {
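Review bot: The updated call `triggerSandboxScan(apiId, apiKey, resApp, veracodeArtifactsDir, sourceBranch, buildId, debug);` invokes an `async` function without `await`, so the surrounding try/catch in sandboxScan never observes a rejection and the "Error while executing sandbox scan" branch is unreachable for async failures; the promise is left floating. Change it to `await triggerSandboxScan(apiId, apiKey, resApp, veracodeArtifactsDir, sourceBranch, buildId, debug);` so the catch applies, or mark the intent explicitly with `void` and a comment if fire-and-forget is deliberate. The debug-flag threading itself matches the other scanners.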
6 changes: 4 additions & 2 deletions veracode-scans/sca-scan/sca-scan.js
Expand Up @@ -4,9 +4,11 @@ const { attacheResult, exitOnFailure, updateErrorMessage } = require('../../util
const scaScanIssue = require('../../veracode-issues/scaScanIssue');
const displayScanResult = require('../../displayScanResult');

async function scaScan(clone_url, scaAgenToken, scaUrl, sourceBranch, breakBuildOnFinding, breakBuildOnError, userErrorMessage, createIssue) {
async function scaScan(clone_url, scaAgenToken, scaUrl, sourceBranch, breakBuildOnFinding, breakBuildOnError, userErrorMessage, createIssue, debug) {
try {
const command = `curl -sSL https://download.sourceclear.com/ci.sh | sh -s -- scan --url ${clone_url} --ref ${sourceBranch} --recursive --allow-dirty`;
let command = `curl -sSL https://download.sourceclear.com/ci.sh | sh -s -- scan --url ${clone_url} --ref ${sourceBranch} --recursive --allow-dirty`;
if(debug === "true")
command += ' --debug';
const output = execSync(command, { encoding: 'utf-8', env: { ...process.env, SRCCLR_API_TOKEN: scaAgenToken, SRCCLR_API_URL: scaUrl }, maxBuffer: 1024 * 1024 * 10 });
const jsonCommand = `curl -sSL https://download.sourceclear.com/ci.sh | sh -s -- scan --url ${clone_url} --ref ${sourceBranch} --json=scaScan.json --recursive --allow-dirty`;
const jsonOutput = execSync(jsonCommand, { encoding: 'utf-8', env: { ...process.env, SRCCLR_API_TOKEN: scaAgenToken, SRCCLR_API_URL: scaUrl }, maxBuffer: 1024 * 1024 * 10 });
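Review bot: `--debug` is appended only to `command`; the `jsonCommand` built on the next line runs the same scan a second time without it, so in debug mode the two invocations no longer match. Either append the flag to both strings or run the scan once with `--json=scaScan.json` and reuse its output. The rewritten line also keeps interpolating `clone_url` and `sourceBranch` unquoted into a shell string that is piped to `sh`; a ref name containing shell metacharacters would alter the command, so validate both against a conservative pattern (or shell-quote them) before building the string, since this line is being reworked anyway. scaScan's body continues outside the hunk.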
2 changes: 2 additions & 0 deletions veracode.yml
@@ -1,3 +1,5 @@
debug:
false
veracode_static_scan:
push:
trigger: true