It’s Clint Pollock, principal solutions architect, here for the final lesson in the four-part series on how to use Veracode from the command line in the Cloud9 IDE to submit a software composition analysis (SCA) scan and a dynamic scan.
To start, if you’re looking to leverage the Veracode API signing docker image with the Veracode rest APIs, go to the Help Center, go to the Rest API section, and take a look at the available options.
From here you can get a list of all the details for a particular application. You won’t need to add this parameter unless you are using the HMAC authentication plugin described in this section. Otherwise, remove it.
Now, let’s learn how to submit a dynamic scan. In the Veracode Help Center, you’ll see an example of how to create dynamic analysis for a single URL. You’ll see the post call and the value of the file. Copy it and make it a JSON file in your project. It’s a good idea to check the file into source code and, potentially, into a subfolder called Veracode where you could put the file as well as the pipeline baseline file. (And, of course, any other ports that you may want to download from the scan.)
If you check it into source code, developers can manage the variables, and it makes it easier for you to update things like authentication or website URL. Of course, you could also use parameters directly out of the CI/CD system to create those. Once complete, hit enter and post in the URL that the API documentation tells you to. And, at the very end, add something like @da_scan.json. You can see that you’ve successfully submitted the scan because you’ll have a 201 response.
Now, let’s take a look at some of the more advanced use cases, including application linking. You want to link your dynamic scans to an application profile, that way when you download the flaw report XML or the PDFs, it will contain information on your dynamic scans, in addition to the static scans and software composition analysis data.