Veracode DAST Action
Kick Off Veracode DAST Scan or Load Results and Create Issues
v0.0.6
GitHub has manually verified the creator of the action as an official partner organization. For more info see About badges in GitHub Marketplace.

Veracode DAST Action

Veracode DAST Action provides two main functionalities for Veracode Dynamic Application Security Testing (DAST) scans in GitHub Actions:

  1. Start Scan - Starts a Veracode DAST scan that is already configured on the Veracode platform
  2. Load Results - Downloads DAST findings from Veracode and creates/updates GitHub issues for each finding

About

This action supports two operation modes:

  • Start Scan Mode: Uses a JSON configuration file to reconfigure the scan start time and duration, then kicks off the DAST scan
  • Load Results Mode: Fetches DAST findings from Veracode API and automatically creates GitHub issues for new findings, updates existing issues based on finding status, and closes issues for findings that are no longer present

Usage

Which parameters are required depends on the action_type selected.

action_type

Required - The type of action to perform. Must be one of:

  • start-scan - Start a new DAST scan
  • load-results - Download findings and create/update GitHub issues

vid

Required - The Veracode API ID

vkey

Required - The Veracode API Key

dast_config_file_name

Required for start-scan - The DAST Config File Name (path to the JSON configuration file in your repository). The file is read from the runner's working copy, so the workflow must check the repository out (for example with actions/checkout) before this step runs.

profile_name

Required for load-results - The Veracode Application Profile Name (used to identify which application's findings to download)

token

Required (defaults to ${{ github.token }}) - The GitHub token the action uses to create, comment on, reopen and close issues. For load-results it needs issues: write; if your repository or organization restricts the default GITHUB_TOKEN permissions, grant that permission in the workflow's permissions block.

owner

Required - Owner of the repo - This will be automatically set to ${{ github.repository_owner }}

repo

Required - Repo name - This will be automatically set to ${{ github.event.repository.name }}

Example Usage

Starting a DAST Scan

name: Veracode DAST

# A trigger is required; run on demand here (add a schedule if you want regular scans).
on:
  workflow_dispatch:

# Least privilege: starting a scan only needs to read the repository for the config file.
permissions:
  contents: read

jobs:
  Submit-DAST-Scan:
    runs-on: ubuntu-latest
    steps:
      # The config file lives in the repository, so check it out before the action reads it.
      - uses: actions/checkout@v4

      - name: Submit Veracode DAST Scan
        # Pin to a release tag (or a full commit SHA); @main tracks a mutable branch,
        # so anything pushed there would run with your Veracode credentials.
        uses: veracode/veracode-dast-action@v0.0.6
        with:
          action_type: start-scan
          vid: ${{ secrets.VERACODE_API_ID }}
          vkey: ${{ secrets.VERACODE_API_KEY }}
          dast_config_file_name: input.json
          owner: Veracode-DemoLabs
          repo: verademo-javascript
          token: ${{ secrets.GITHUB_TOKEN }}

Loading Results and Creating Issues

name: Veracode DAST Results

on:
  workflow_dispatch:
  schedule:
    - cron: "0 6 * * 1"   # example: weekly, after the scan window has ended

# The action creates, comments on, reopens and closes issues, so it needs issues: write.
permissions:
  contents: read
  issues: write

jobs:
  Load-DAST-Results:
    runs-on: ubuntu-latest
    steps:
      - name: Load Veracode DAST Results
        # Pin to a release tag (or a full commit SHA) rather than the mutable main branch.
        uses: veracode/veracode-dast-action@v0.0.6
        with:
          action_type: load-results
          vid: ${{ secrets.VERACODE_API_ID }}
          vkey: ${{ secrets.VERACODE_API_KEY }}
          profile_name: MyApplication
          owner: Veracode-DemoLabs
          repo: verademo-javascript
          token: ${{ secrets.GITHUB_TOKEN }}

DAST Configuration File

An example JSON file for the start-scan action would look like this:

{
  "name": "Name-of-Your-Dynamic-Analysis",
  "schedule": {
    "start_date": "2020-09-26T02:00+00:00",
    "duration": {
      "length": 3,
      "unit": "DAY"
    }
  }
}

Full documentation of the JSON payload and of the API the action calls in the background can be found here

Load Results Functionality

When using action_type: load-results, the action will:

  1. Fetch Findings: Downloads all DAST findings from Veracode for the specified application profile
  2. Create Issues: Creates new GitHub issues for findings that don't have existing issues
  3. Update Issues: Updates existing issues based on finding status:
    • OPEN status: Keeps issues open (reopens if closed)
    • CLOSED status: Closes the issue
    • APPROVED resolution: Closes the issue
    • REJECTED resolution: Reopens the issue if closed
  4. Process Annotations: Adds Veracode annotations (APPROVED, REJECTED, NETENV, etc.) as issue comments, preventing duplicates
  5. Cleanup: Closes issues for findings that are no longer present in the latest scan results
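The five steps above describe a reconciliation between the latest scan results and the issues already in the repository. The following is an added example that models that reconciliation end to end; it is not the action's own code. It assumes the title format the page describes (the finding id appears as [VID:issue_id]), the veracode-dast tracking label, and a precedence rule between a finding's status and its resolution (REJECTED reopens, APPROVED closes, otherwise status decides) that the page does not spell out. GitHub issues are held in memory instead of being read and written through the Issues API, and the repository state and findings are constructed sample data.

```python
"""Model of the load-results reconciliation: added example, not the action's own code."""
import re
from dataclasses import dataclass, field

VID_RE = re.compile(r"\[VID:(\d+)\]")   # finding id tag the page says is in every title
TRACKING_LABEL = "veracode-dast"


@dataclass
class Finding:
    issue_id: int
    cwe_name: str
    category: str
    severity: str                  # critical / high / medium / low / informational
    status: str                    # OPEN or CLOSED
    resolution: str = ""           # "", APPROVED or REJECTED
    annotations: list = field(default_factory=list)   # dicts: action, comment, date, user


@dataclass
class Issue:
    """In-memory stand-in for a GitHub issue (a real run would use the Issues API)."""
    number: int
    title: str
    labels: list
    state: str = "open"
    comments: list = field(default_factory=list)


def title_for(f: Finding) -> str:
    return f"{f.cwe_name} ({f.category}) [VID:{f.issue_id}]"


def vid_of(issue: Issue):
    m = VID_RE.search(issue.title)
    return int(m.group(1)) if m else None


def format_annotation(a: dict) -> str:
    return f"[{a['action']}] {a['comment']} ({a['date']}, {a['user']})"


def should_be_open(f: Finding) -> bool:
    """Assumed precedence: REJECTED reopens, APPROVED closes, else the status decides."""
    if f.resolution == "REJECTED":
        return True
    if f.resolution == "APPROVED":
        return False
    return f.status == "OPEN"


def reconcile(findings, issues):
    """Steps 1-5: create, update state, add deduplicated comments, close stale issues.

    Returns (issues, log) so the caller can see exactly what changed.
    """
    log = []
    tracked = {vid_of(i): i for i in issues
               if TRACKING_LABEL in i.labels and vid_of(i) is not None}
    next_number = max((i.number for i in issues), default=0) + 1

    for f in findings:
        issue = tracked.get(f.issue_id)
        if issue is None:                                   # step 2: new finding
            issue = Issue(next_number, title_for(f), [f.severity, TRACKING_LABEL])
            next_number += 1
            issues.append(issue)
            tracked[f.issue_id] = issue
            log.append(f"create #{issue.number}")
        want_open = should_be_open(f)                       # step 3: status / resolution
        if want_open and issue.state == "closed":
            issue.state = "open"
            log.append(f"reopen #{issue.number}")
        elif not want_open and issue.state == "open":
            issue.state = "closed"
            log.append(f"close #{issue.number}")
        for a in f.annotations:                             # step 4: annotations as comments
            text = format_annotation(a)
            if text not in issue.comments:                  # existing comments checked first
                issue.comments.append(text)
                log.append(f"comment #{issue.number}")

    reported = {f.issue_id for f in findings}               # step 5: cleanup
    for vid, issue in tracked.items():
        if vid not in reported and issue.state == "open":
            issue.state = "closed"
            log.append(f"close #{issue.number} (no longer reported)")
    return issues, log


def sample_run():
    """Constructed repository state and scan results that exercise every branch."""
    waf_note = {"action": "NETENV", "comment": "Mitigated by WAF", "date": "2024-01-10", "user": "alice"}
    issues = [
        Issue(1, "CWE-79 (XSS) [VID:101]", ["medium", TRACKING_LABEL], comments=[format_annotation(waf_note)]),
        Issue(2, "CWE-89 (SQLi) [VID:102]", ["high", TRACKING_LABEL], state="closed"),
        Issue(3, "CWE-200 (Info leak) [VID:103]", ["low", TRACKING_LABEL]),
        Issue(4, "Unrelated bug", ["bug"]),                 # no tracking label: never touched
        Issue(5, "CWE-352 (CSRF) [VID:105]", ["medium", TRACKING_LABEL]),
    ]
    findings = [
        Finding(101, "CWE-79", "XSS", "medium", "OPEN", annotations=[
            waf_note,                                       # already commented: skipped
            {"action": "COMMENT", "comment": "Re-test after WAF change", "date": "2024-02-01", "user": "bob"}]),
        Finding(102, "CWE-89", "SQLi", "high", "OPEN", resolution="REJECTED"),   # reopens #2
        Finding(104, "CWE-22", "Path traversal", "high", "OPEN"),                # creates #6
        Finding(105, "CWE-352", "CSRF", "medium", "OPEN", resolution="APPROVED"), # closes #5
        # VID 103 is absent from this scan, so #3 is closed in the cleanup step
    ]
    return reconcile(findings, issues)
```

Keying everything on the [VID:...] tag rather than on the title text is what makes the run idempotent: a second pass over the same findings produces no further actions, and the untracked issue #4 is left alone because the cleanup only considers issues carrying the veracode-dast label.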

Issue Format

Each GitHub issue created will include the details below. Because the body carries the vulnerable URL, parameter and full description of an unfixed finding, issues should be created in a private repository or one whose issue tracker is restricted to the people who need to see them.

  • Title: CWE name, category, and Veracode Finding ID [VID:issue_id]
  • Labels: Severity label (critical, high, medium, low, informational) and veracode-dast
  • Body: Detailed information including:
    • URL, path, hostname, port
    • Vulnerable parameter
    • CWE information
    • Finding category and plugin
    • Severity and attack vector
    • Finding status and resolution information
    • Full description from Veracode

Annotation Comments

When findings have annotations in Veracode, they are automatically added as comments to the GitHub issues. The action:

  • Prevents duplicate comments by checking existing issue comments
  • Formats annotations with action type, comment, date, and user name
  • Handles APPROVED/REJECTED annotations to automatically close/reopen issues

Veracode DAST Action is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.
