easy_sast is a docker container for use in integration pipelines to submit an application's build artifacts to a static analysis tool. This has been developed in a way to serve as a build pattern for other containers meant to facilitate similar functionality, and natively integrates with Veracode's Static Analysis product.
easy_sast is available from Docker Hub by running `docker pull seiso/easy_sast`.
For advanced usage and more information, see the wiki.
This code base was developed in line with the Rugged Manifesto. As such, it is:
- Simple to use: Workflow options and configuration that fit naturally into DevOps pipelines.
- Easily configurable: Practical defaults, and numerous configuration options such as a config file, environment variables, and/or CLI arguments.
- Clear and understandable code: Regular use of type hints, keyword arguments, and a normalized code style make understanding the code intent easy.
- Engineered to be robust: Error handling, automated security validation, and pervasive validation.
- 100% tested: 100% code coverage for unit tests on all commits.
- 100% consistently formatted: Linting of Docker, make, YAML, and Python on all commits.
In order to build and run this project, we recommend you have Docker 18.09 or newer, find, git, GNU make, and Python 3.
In order to integrate with Veracode, you will need to:
- Be able to produce a debug build of your application.
- Have a valid account and license to use Veracode's SAST product APIs outlined below.
- Have an application in Veracode's Analysis Center that you intend to use.
- Export your Veracode credentials as environment variables:
  ```bash
  export VERACODE_API_KEY_ID=EXAMPLE
  export VERACODE_API_KEY_SECRET=EXAMPLE
  ```
- Build the docker image:
  ```bash
  make build
  ```
- Run the docker container, passing it your API credentials and mounting the directory containing your build artifacts into `/build`:
  ```bash
  docker run --env-file <(env | grep ^VERACODE_API_KEY_) -v "/path/to/build":/build seiso/easy_sast:latest
  ```
Additional details and configuration options are outlined in usage and on the wiki.
```text
usage: main.py [-h] [--config-file CONFIG_FILE] [--version]
               [--debug | --verbose]

optional arguments:
  -h, --help                 show this help message and exit
  --config-file CONFIG_FILE  specify a config file
  --version                  show program's version number and exit
  --debug                    enable debug level logging
  --verbose                  enable info level logging
```
There are two recommended methods to pass information into easy_sast at runtime:
- Pass environment variables to `docker run` using `--env-file`. For example:
  ```bash
  docker run --env-file <(env | grep VERACODE_API_KEY_) -v "/path/to/build":/build seiso/easy_sast:latest
  ```
- You may also want to pass an argument to the Python in the container by appending your arguments to `docker run`. For example:
  ```bash
  docker run -e VERACODE_API_KEY_ID=EXAMPLE -e VERACODE_API_KEY_SECRET=EXAMPLE seiso/easy_sast:latest --debug
  ```
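The `--env-file <(env | grep ...)` pattern used in the run step above and in the integration steps earlier works because it forwards only the two Veracode credential variables into the container rather than the whole CI environment. The helper below is an added example, not part of easy_sast, that achieves the same filtering in plain POSIX sh (no bash process substitution), writes the credentials to an owner-only temporary file, refuses to proceed if either variable is missing, and composes the `docker run` command line without executing it. It assumes `mktemp` is available and that `VERACODE_API_KEY_ID` and `VERACODE_API_KEY_SECRET` are exported; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of easy_sast): build a minimal --env-file that holds
# only the two Veracode credential variables, so that nothing else from the CI
# environment (other tokens, PATH, etc.) is forwarded into the container.

# Write an env file for `docker run --env-file` containing only
# VERACODE_API_KEY_ID and VERACODE_API_KEY_SECRET. Prints the file path on
# stdout; returns 1 if either variable is unset or empty.
make_veracode_env_file() {
    if [ -z "${VERACODE_API_KEY_ID:-}" ] || [ -z "${VERACODE_API_KEY_SECRET:-}" ]; then
        echo "VERACODE_API_KEY_ID and VERACODE_API_KEY_SECRET must be set" >&2
        return 1
    fi
    # umask 077 inside the subshell makes the file owner-readable only.
    envfile=$(umask 077 && mktemp "${TMPDIR:-/tmp}/veracode_env.XXXXXX") || return 1
    {
        echo "VERACODE_API_KEY_ID=$VERACODE_API_KEY_ID"
        echo "VERACODE_API_KEY_SECRET=$VERACODE_API_KEY_SECRET"
    } > "$envfile"
    echo "$envfile"
}

# Compose (but do not run) the docker run command for a build directory and an
# env file; any further arguments are appended and reach main.py in the
# container (e.g. --debug). Callers print it or eval it in their pipeline.
easy_sast_cmd() {
    build_dir=$1
    envfile=$2
    shift 2
    echo "docker run --rm --env-file $envfile -v \"$build_dir\":/build seiso/easy_sast:latest $*"
}

# Usage in a pipeline step:
#   f=$(make_veracode_env_file) || exit 1
#   eval "$(easy_sast_cmd /path/to/build "$f" --verbose)"
#   rm -f "$f"
```

Deleting the env file once the container has started keeps the secret's lifetime on disk short; `--rm` removes the container afterwards so the credentials do not linger in a stopped container's environment.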
Want to learn about more advanced usage, such as optimizing SAST for pull requests? Check out the wiki.
Note that at minimum your Veracode user must have permission to access the upload API and its getapplist.do endpoint.
If you'd like to see support for more Veracode APIs or workflows to interact with those APIs, please open an issue and let us know!
- Fork the repository
- Create a feature branch via `git checkout -b feature/description`
- Make your changes
- Commit your changes via `git commit -am 'Summarize the changes here'`
- Create a new pull request (how-to)