
Scan for VS Code

Veracode Scan for VS Code is an extension for the VS Code IDE that integrates Static Application Security Testing (SAST) and Software Composition Analysis (SCA) into your Software Development Lifecycle (SDLC). The extension performs a Static Analysis of your project to detect flaws in your code and performs SCA agent-based scans to detect vulnerabilities in open-source libraries and the risk level of third-party licenses. It also provides guidance for fixing findings from within your IDE.

Scan results are only available in the IDE. They are not available in the Veracode Platform.

Supported IDEs

VS Code 1.78.2 or greater

Supported languages and frameworks

For Static Analysis scans, see Pipeline Scan supported languages.

For SCA scans, see Agent-based scan language support matrix.

About application packaging

Before the extension runs a Static Analysis of your application, it uses an auto-packager to automatically package the code into a supported artifact, such as ZIP or EXE. If the packager is not able to package your application, or you prefer to create the artifact yourself, you can use the Veracode packaging guidance to package your application manually. This option does not apply to SCA scans.

By default, the extension expects a manually packaged artifact to be in $PROJECT_ROOT/.verascan. When you start a scan, the extension first looks for an artifact in that default location. To keep the artifact somewhere else, set veracode-scan.SAST Features.artifactGlob to a glob pattern, relative to the project root, that matches the artifact; the extension checks that location after the default one.

Prerequisites

Before you can install and use Veracode Scan for VS Code, you must have:

  • A supported version of VS Code and a source project of a supported language or framework. Monorepos are not supported.

  • Stored your API credentials in an API credentials file. The extension uses these credentials to authenticate with Veracode.

  • If you use a proxy to access Veracode, ensure you have configured a proxy in VS Code. You cannot configure a proxy in the Veracode extension. For more information, see the Microsoft documentation.

  • To run Static Analysis scans and view flaws, you must have:

    • An active Static Analysis license.

    • One of the following Veracode accounts:

      • A human user account with the Security Lead user role or the Creator and Submitter roles.
      • An API service account with the Upload and Scan API role.

      A Veracode account is limited to six scans per 60 seconds and each scan is limited to a maximum scan time of 60 minutes.

    • To use the auto-packager, you must have one of the following package managers:

      • Java: Maven or Gradle
      • JavaScript: NPM or Yarn
    • Ensured your application builds successfully. If your project files change between scans, rebuild your project and ensure it builds successfully.

    • Ensured the artifact you want to scan does not exceed the total file size limit of 200 MB.

    • Allowed outbound (one-way) connections on TCP port 443, so that the extension and its local agent can reach Veracode over HTTPS.

  • To run SCA scans and view vulnerabilities, you must have:

    • An active Veracode SCA subscription.
    • A human user account with the Security Lead, Workspace Administrator, Workspace Editor, or Submitter role. API service accounts are not supported.
    • The SCA workspace My Workspace with an available project slot. The extension can only use My Workspace.
    • Activated the Unified Policy for your account. You use this policy to assign an SCA security policy to your project. To activate the Unified Policy, contact Veracode Technical Support. You can only assign policies that contain the Findings by Severity or Vulnerability CVSS Score rule types.
    • Added your project to a Git-based repository, or configured a source code management (SCM) environment variable, such as SRCCLR_NO_GIT=1.
    • Installed a supported package manager.
    • If your open-source libraries are stored in an internal repository that rejects traffic from your proxy, contact Veracode Technical Support.

Install the extension

Install the extension from the VS Code Marketplace the same as any other extension.

note

You can only install the extension on one machine. If you install the extension on multiple machines, the extension might fail to authenticate with Veracode.

Before you begin

Ensure you meet the prerequisites.

To complete this task:

  1. Go to the VS Code Marketplace.
  2. Search for veracode.
  3. Select Veracode Scan for VS Code.
  4. To install the extension, select Install and follow the on-screen instructions.
  5. To complete the installation, restart VS Code.
  6. In VS Code, on the Activity bar, select Veracode Scan.
  7. In the SETUP view, select Install Agent to install a local agent. The extension uses this agent to upload your code to Veracode for scanning. This agent is specific to the extension and does not affect any other local Veracode agents.
  8. To apply an SCA security policy that will filter the discovered vulnerabilities, select Open policy settings. This policy does not apply to flaws.
  9. On the Settings tab, select the checkbox under Policy.
  10. From the Policy dropdown menu, select a policy to apply to your project. The menu only lists policies that contain the Findings by Severity or Vulnerability CVSS Score rule types.

By default, the extension detects your API credentials file and authenticates with Veracode, which confirms that your credentials are valid. If you added the credentials file after installing the extension and the agent, select Test Authentication to authenticate again. If your API credentials are invalid or expired, generate new credentials and store them in the credentials file.

Configure the extension

Configure scan settings and filter the findings that you see in the IDE. For SCA scans, a debug option is available in the HELP & FEEDBACK view.

To complete this task:

  1. In VS Code, in the SCAN OVERVIEW view, select Settings to open the Settings tab. You see the following Veracode Scan settings.

    • SAST Flaw.Sev Filters: to hide or show flaws in the FLAWS IN MY CODE view, add or remove the related severities.
    • SCA Features.Policy: to filter out vulnerabilities in the VULNERABILITIES IN MY LIBRARIES view, select to enable an SCA security policy that you can assign to your project. Then, from the Policy dropdown menu, select a policy. The menu only lists policies that contain the Findings by Severity or Vulnerability CVSS Score rule types. To use this option, the Unified Policy must be activated for your account. This policy does not apply to flaws.
    • SCA Features.Recursive Scan: select to run a recursive SCA scan of all folders and files in your selected project. After you select this option, you must rescan your project to update the results.
    • SCA Vulnerability.Sev Filters: to hide or show vulnerabilities in the VULNERABILITIES IN MY LIBRARIES view based on the risk level, add or remove the related severities.
    • SCA Vulnerability.Usage Filters: to filter vulnerabilities in the VULNERABILITIES IN MY LIBRARIES view based on how the project uses a vulnerable library, add or remove Direct or Transitive (indirect).
    • SAST Features.artifactGlob: provide the location of a custom artifact for a Static Analysis scan. Enter a glob pattern that defines the path and filename for your artifact. The path must be relative to your project root directory. The default location is $PROJECT_ROOT/.verascan. Ensure your artifact meets the Veracode packaging guidance. See About application packaging.
  2. To enable debugging for SCA scans, in the HELP & FEEDBACK view, select SCA Scan Debug. When debugging is enabled, the icon shows a red dot.

    note

    The debug option does not persist. You must enable it before each SCA scan. The debug files are stored on your local machine in .veracode/ide_agent/vscode/. To remove these files, you must delete them manually.

Scan your project

Scan your project to analyze the security risk of your code and all open-source libraries and licenses.

To complete this task:

  1. Open a supported project in VS Code.

  2. On the Activity bar, select Veracode Scan.

  3. In the SCAN OVERVIEW view, select Start Scanning. If you have already scanned this project, select Rescan. If you have more than one project open, you can select the project you want to scan from the Command Palette.

    When the scan is complete, the results for the selected project appear in the following views: SCAN OVERVIEW, FLAWS IN MY CODE, VULNERABILITIES IN MY LIBRARIES, and LIBRARY LICENSES.

  4. Review the results.

Review flaws

Review the discovered flaws in your code to learn about the flaws, their severity, and get remediation guidance for fixing them.

If you do not have an active Static Analysis license, you do not see flaws in the SCAN OVERVIEW view or the FLAWS IN MY CODE view.

Before you begin:

Ensure you have scanned your project.

To complete this task:

  1. In VS Code, on the Activity bar, select Veracode Scan.
  2. In the FLAWS IN MY CODE view, you see a list of flaws sorted by severity, with the highest-severity flaws at the top. Each flaw shows its Common Weakness Enumeration (CWE) ID and name.
  3. Optionally, to filter the list of flaws by severity, select Filters. Then, from the Filter Flaws dropdown menu, select the severities to hide or show.
  4. To view the flaws in your code, select a flaw. The source file that contains one or more flaws opens in a tab and the line of code where the flaws exist is underlined red. To the left of the line number, you see a flaw icon that indicates the severity.
  5. To view details about a flaw and remediation guidance for fixing it, select the underlined code.
  6. From the Show Code Actions menu, under Quick Fix, locate a CWE and select More Information. In the Flaw Details tab that opens, you see a detailed description of the CWE, remediation guidance for fixing the flaw, the data path that the scanner followed to locate the flaw, and a link to the CWE on the MITRE website. You can also open the Flaw Details tab by selecting More Information on a flaw in the FLAWS IN MY CODE view.
  7. After you fix a flaw, in the SCAN OVERVIEW view, select Rescan to confirm that the flaw no longer appears in the FLAWS IN MY CODE view.

Ignore flaws

Ignore flaws that you want to temporarily remove from the scan results. For example, you might want to ignore flaws that continually appear or are of low importance, such as Informational.

Before you begin:

Ensure you have scanned your project.

To complete this task:

  1. In the FLAWS IN MY CODE view, select a flaw. The source file that contains the flaw opens in a tab and the line of code where the flaw exists is underlined red.
  2. From the Show Code Actions menu, under Quick Fix, locate a CWE. If the line of code contains more than one flaw, the menu lists multiple CWEs.
  3. Select the CWE, then select Ignore this finding. The flaw moves to the Ignored flaws section at the bottom of the FLAWS IN MY CODE view.
  4. To unignore a flaw, locate it in the Ignored flaws section at the bottom of the FLAWS IN MY CODE view, then select Unignore flaw. The flaw moves out of the Ignored flaws section and is visible in the source file.

Review vulnerabilities

Review the discovered vulnerabilities for all open-source libraries in your project to see detailed information about the impacted libraries, the vulnerability risk level, and guidance for fixing each vulnerability.

If you do not have an active SCA subscription, you do not see vulnerabilities in the SCAN OVERVIEW view. The VULNERABILITIES IN MY LIBRARIES view and the LIBRARY LICENSES view are also empty.

Before you begin:

Ensure you have scanned your project.

To complete this task:

  1. In VS Code, on the Activity bar, select Veracode Scan.

  2. In the VULNERABILITIES IN MY LIBRARIES view, you see a list of libraries sorted by risk level. The libraries with the most and highest-risk vulnerabilities are at the top of the list. The library usage appears to the right of the library.

  3. If you have enabled a security policy for your project, select Policy to select a different policy. If the policy is disabled, select Policy to open the policy settings.

  4. To filter the list of vulnerabilities, select Filter.

  5. Expand a library to view the detected vulnerabilities.

  6. To view information about the library, select View library details. The Library Details window provides useful information about the library, such as the library usage, the latest version available, the known safe version, whether it has vulnerable methods, and links to more information.

  7. To view information about a vulnerability, select it. The Vulnerability Details window shows the CVSS score, the affected libraries in your project, a link for additional information in the Veracode Vulnerability Database, and the recommended fix.

  8. After you fix a vulnerability, select Rescan in the SCAN OVERVIEW view to confirm that the affected library no longer has that vulnerability.

    For example, if a library in an NPM project has a vulnerability, and you update the library in the package.json file to a safe version, select Rescan to confirm that the vulnerability no longer appears in the VULNERABILITIES IN MY LIBRARIES view.

Library usage

Direct dependency: Your project configuration file, such as package.json in an NPM project or pom.xml in a Maven project, references the library directly. To fix a vulnerability in a direct dependency, update the library version in the project configuration file and rebuild the project.

Transitive dependency: Your project uses the library indirectly, through another dependency: the configuration file references a direct library, and that library depends on a library the configuration file does not mention. If the transitive library has a vulnerability, your project is vulnerable. To fix it, add a direct reference in your project configuration file to a safe version of the library. Because the intermediate dependency might not be compatible with the new version, rebuild and test the project to check for errors such as a broken build or unexpected results.

Review open-source licenses

Review a list of all open-source licenses in your project, the libraries that use each license, and the license risk level. Your organization can use this information to decide whether a library with a high-risk license should be kept or replaced with a library, or library version, that carries an acceptable license.

Before you begin:

Ensure you have scanned your project.

To complete this task:

  1. In VS Code, on the Activity bar, select Veracode Scan.
  2. In the LIBRARY LICENSES view, scroll through the list of detected licenses to see the names, versions, and license risk. The licenses with the highest risk level appear at the top of the list.
  3. Expand a license to see the libraries that use it.