While docs.veracode.com (formerly known as help.veracode.com) is an excellent resource, it is not the most obviously intuitive tool out there. There’s got to be a better way, you say?
There is a better way
Well, now there is a better way. Let me present to you three world-class solution playbooks for integrating Veracode into your favourite CI/CD pipelines. This is not just about getting a single scan done every now and then: these manuals (as they are called) go quite deep into the different aspects of integration.
We’ve got the following gold-level topics, each with hands-on working examples:
- Using pipeline environment variables
- Static scanning (SAST) using scripts, pre-built Docker images as well as GitHub Actions
- Pipeline scans
- SCA (that is Gartner-speak for third-party component and library analysis)
- DAST – dynamic analysis (scanning your deployed, live application)
- Scanning different branches
- Importing findings into security issues or pull request comments – and overall reporting
In addition to these technical topics and templates, there is also discussion (with practical examples) of the strategic decisions around scanning and, most importantly, of how to build this into your organization.
The manuals
3rd party library management – SCA – various frameworks and requirements
More and more standards, frameworks and customer requirements call for (indeed, cry out for) library management. They cry out because modern software development methods are completely dependent on external libraries, that is, on dependencies.
Veracode State of Software Security 12
Similar to last year, we looked at the entire history of active applications, not just the activity associated with the application over one year. By doing so, we can view the full life cycle of applications, which results in more accurate metrics and observations.