
Veracode GitHub Integration Quickstart (EA)

This quickstart steps you through setting up and scanning with the Veracode GitHub Integration. The GitHub Integration connects your GitHub repositories to the Veracode Platform and provides a single-click solution to scan those repositories.

In the EA program, the GitHub Integration is available only for SCA (Software Composition Analysis) scans of Java and JavaScript repositories that meet the support requirements. These SCA scans currently do not build the project or a dependency graph and do not support vulnerable method detection.

Prerequisites

To complete this quickstart, you must meet the following prerequisites:

GitHub Integration language support matrix

This table identifies the languages, package managers, and artifacts that the GitHub Integration supports.

If the package manager artifact contains direct dependencies only, the GitHub Integration does not identify vulnerabilities and license risks in transitive dependencies.

Language     Package Manager   Artifacts                                   Supported?
Java         Ant               n/a                                         No
Java         Gradle            build.gradle                                No. Coming soon
Java         Maven             pom.xml                                     Yes
JavaScript   Bower             n/a                                         No
JavaScript   NPM               package-lock.json or npm-shrinkwrap.json    Yes
JavaScript   Yarn              package.json and yarn.lock                  Yes

Clone an example repository

This quickstart uses the example repository example-java-ant to demonstrate the functionality of the GitHub Integration. This example repository is scannable Java code, and it includes security vulnerabilities that you can review in the scan results.

To ensure your GitHub organization includes a supported repository, Veracode recommends you clone example-java-ant and add it to your GitHub organization.

Sign in to the Veracode Platform

Sign in to the Veracode Platform using one of the following methods:

  • If you have a new Veracode account, you received a welcome email that provides a link for activating your account in the Veracode Platform. If you did not receive the welcome email, contact your Veracode Administrator.
  • If you have an active Veracode account, you can sign in to the Veracode Platform at https://analysiscenter.veracode.com/.

Connect to GitHub repositories

  1. In the Veracode Platform, select Scan GitHub Repos.

  2. Select Connect to GitHub.

  3. Read the Veracode terms and conditions and select I Accept.

  4. Enter your GitHub username and password, and select Sign in.

  5. Select Grant for all organizations that you want to allow veracode, the GitHub OAuth app, to access. If another user has already granted veracode access, this option is not available.

  6. Select the authorize button to grant Veracode access to your GitHub repositories.

Discover GitHub repositories with Veracode

Discovering GitHub repositories with the GitHub Integration allows you to perform scans and provides metadata about your repositories, such as the size, number of recent commits, and visibility. You can download the metadata from Veracode as a CSV file.

For this EA version, the GitHub Integration discovers a maximum of 400 repositories.

  1. From the Repositories page in the Veracode Platform, select Add Repos.
  2. Select the GitHub organizations that contain repositories you want to scan, and then select Save.

After that, select Sync with GitHub to update the Discover tab with changes to your repositories. You can also select Add Repos to add more GitHub organizations.

Scan repositories

  1. From the Repositories page in the Veracode Platform, select the repositories you want to scan.

  2. Select Scan repos. When the scans complete, the findings appear in the Results tab.

View scan results

The Results tab of the Repositories page displays an overview of the SCA findings for each scanned repository. It provides the number of vulnerabilities by severity, the number of vulnerable libraries, and the levels of license risk.

You can download a JSON file containing more detailed results.

Next steps

Troubleshooting

This section describes resolutions for potential issues when using the GitHub Integration.

My GitHub organization does not appear in the Veracode Platform

If you created a GitHub organization after you authenticated Veracode with your GitHub account, the new organization does not automatically appear in the Veracode Platform.

To manually grant Veracode access to a GitHub Organization:

  1. View your authorized OAuth apps on GitHub.
  2. Select Veracode.
  3. In the Organization access section, confirm that the organization you want to scan is enabled.

If the organization still does not appear, please contact your Veracode Customer Success Manager.

Veracode cannot scan a repository

If a scan fails, the following message appears: Veracode was unable to scan this repository. This may indicate that the repository does not contain the project manifest files or package lock files required for the SCA scan.

If your repository does contain these files, but still fails to scan, please select Download log from the Results tab and make sure your GitHub repository is shareable. Then, please provide the log and repository URL to Veracode Technical Support or your Veracode Customer Success Manager.
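Both the support matrix and this failure message come down to which manifest and lock files a repository carries, and whether the lock file records anything beyond direct dependencies. The following pre-flight check is an added example, not part of the Veracode documentation or integration; it assumes manifests sit at the repository root and runs against constructed sample files.

```python
import json
import os
import tempfile

# Artifact sets from the support matrix; a repo is scannable when its root holds
# every file of at least one set (npm accepts either lock file).
SUPPORTED = {
    "Maven": [("pom.xml",)],
    "NPM": [("package-lock.json",), ("npm-shrinkwrap.json",)],
    "Yarn": [("package.json", "yarn.lock")],
}
UNSUPPORTED = {"Gradle": "build.gradle"}  # in the matrix, but not scannable yet

def detect_scannable(repo_dir):
    """(scannable managers, unsupported ones found); assumes manifests at repo root."""
    present = set(os.listdir(repo_dir))
    scannable = [pm for pm, sets in SUPPORTED.items()
                 if any(all(f in present for f in s) for s in sets)]
    unsupported = [pm for pm, f in UNSUPPORTED.items() if f in present]
    return scannable, unsupported

def npm_transitive_deps(repo_dir):
    """Names the npm lock file records beyond package.json's direct dependencies.
    Empty means the lock covers direct deps only, so transitive risks go unreported."""
    with open(os.path.join(repo_dir, "package.json")) as fh:
        manifest = json.load(fh)
    direct = set(manifest.get("dependencies", {})) | set(manifest.get("devDependencies", {}))
    lock_name = next(n for n in ("package-lock.json", "npm-shrinkwrap.json")
                     if os.path.exists(os.path.join(repo_dir, n)))
    with open(os.path.join(repo_dir, lock_name)) as fh:
        lock = json.load(fh)
    if "packages" in lock:  # lockfileVersion 2 and 3: keys are install paths
        installed = {k.rsplit("node_modules/", 1)[1] for k in lock["packages"] if k}
    else:                   # lockfileVersion 1: flat map keyed by package name
        installed = set(lock.get("dependencies", {}))
    return sorted(installed - direct)

def run_demo():
    """Constructed sample: npm project with one transitive dep, plus an unscanned build.gradle."""
    root = tempfile.mkdtemp()
    pkg = {"name": "demo", "dependencies": {"demo-direct": "1.0.0"}}
    lock = {"name": "demo", "lockfileVersion": 2, "packages": {
        "": {"dependencies": {"demo-direct": "1.0.0"}},
        "node_modules/demo-direct": {"version": "1.0.0"},
        "node_modules/demo-transitive": {"version": "0.1.0"}}}
    for name, content in (("package.json", pkg), ("package-lock.json", lock)):
        with open(os.path.join(root, name), "w") as fh:
            json.dump(content, fh)
    open(os.path.join(root, "build.gradle"), "w").close()
    return detect_scannable(root), npm_transitive_deps(root)
```

Run detect_scannable against a repository before selecting it for a scan; an empty scannable list is the usual cause of the failure message above.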

Some repositories don't appear in the Veracode Platform

For this EA version, the GitHub Integration discovers a maximum of 400 repositories.

Additionally, forked repositories do not appear because they belong to the original GitHub organization. To make the same code appear in the Veracode Platform, you can create a new repository in your organization and push a clone of the original repository into this new repository.

I want to change which GitHub account is connected to Veracode

If you have already granted Veracode access to one GitHub account, but want to change to another account, please reach out to your Veracode Customer Success Manager. Veracode will reset the GitHub Integration in the Veracode Platform, so you can select another account.