Veracode DAST Action provides two main functionalities for Veracode Dynamic Application Security Testing (DAST) scans in GitHub Actions:
- Start Scan - Starts a Veracode DAST scan that is already configured on the Veracode platform
- Load Results - Downloads DAST findings from Veracode and creates/updates GitHub issues for each finding
This action supports two operation modes:
- Start Scan Mode: Uses a JSON configuration file to reconfigure the scan start time and duration, then kicks off the DAST scan
- Load Results Mode: Fetches DAST findings from the Veracode API and automatically creates GitHub issues for new findings, updates existing issues based on finding status, and closes issues for findings that are no longer present
The action takes the inputs listed below; which of them are required depends on the action_type selected.
- `action_type` (Required): The type of action to perform. Must be one of:
  - `start-scan`: Start a new DAST scan
  - `load-results`: Download findings and create/update GitHub issues
- `vid` (Required): The Veracode API ID
- `vkey` (Required): The Veracode API Key
- `dast_config_file_name` (Required for start-scan): The DAST Config File Name (path to the JSON configuration file in your repository)
- `profile_name` (Required for load-results): The Veracode Application Profile Name (used to identify which application's findings to download)
- `token` (Required): Your GITHUB_TOKEN. This will be automatically set to ${{ github.token }}
- `owner` (Required): Owner of the repo. This will be automatically set to ${{ github.repository_owner }}
- `repo` (Required): Repo name. This will be automatically set to ${{ github.event.repository.name }}
Example workflow for the start-scan action:

```yaml
name: Veracode DAST
on: workflow_dispatch   # choose the trigger that fits your pipeline
jobs:
  Submit-DAST-Scan:
    runs-on: ubuntu-latest
    steps:
      - name: Submit Veracode DAST Scan
        # pinning to a release tag or commit SHA instead of @main gives reproducible runs
        uses: veracode/veracode-dast-action@main
        with:
          action_type: start-scan
          vid: ${{ secrets.VERACODE_API_ID }}
          vkey: ${{ secrets.VERACODE_API_KEY }}
          dast_config_file_name: input.json
          owner: Veracode-DemoLabs
          repo: verademo-javascript
          token: ${{ secrets.GITHUB_TOKEN }}
```

Example workflow for the load-results action:

```yaml
name: Veracode DAST Results
on: workflow_dispatch   # choose the trigger that fits your pipeline
jobs:
  Load-DAST-Results:
    runs-on: ubuntu-latest
    permissions:
      issues: write   # the token must be able to create, update and close issues
    steps:
      - name: Load Veracode DAST Results
        uses: veracode/veracode-dast-action@main
        with:
          action_type: load-results
          vid: ${{ secrets.VERACODE_API_ID }}
          vkey: ${{ secrets.VERACODE_API_KEY }}
          profile_name: MyApplication
          owner: Veracode-DemoLabs
          repo: verademo-javascript
          token: ${{ secrets.GITHUB_TOKEN }}
```

An example JSON file for the start-scan action would look like this:

```json
{
  "name": "Name-of-Your-Dynamic-Analysis",
  "schedule": {
    "start_date": "2020-09-26T02:00+00:00",
    "duration": {
      "length": 3,
      "unit": "DAY"
    }
  }
}
```

Full documentation of the JSON payload and the API used in the background can be found here
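The following is an added example, not code from the action or from Veracode: it builds the start-scan JSON payload in the shape shown above from a relative start offset, and validates an existing `input.json` before the workflow runs so a malformed schedule fails fast. The function names (`buildScanConfig`, `validateScanConfig`) are assumptions, and treating `DAY` as the only accepted duration unit is an assumption based on it being the only unit the page shows.

```javascript
// Added illustration, not part of the action: builds and validates the start-scan JSON
// payload in the shape the README shows. "DAY" is the only duration unit the README shows;
// treating it as the sole allowed unit is an assumption.
const ALLOWED_UNITS = new Set(["DAY"]);
// README date format: YYYY-MM-DDTHH:MM+00:00 (minute precision, explicit UTC offset)
const START_DATE_RE = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}[+-]\d{2}:\d{2}$/;

function formatStartDate(date) {
  return date.toISOString().slice(0, 16) + "+00:00";
}

// Returns a list of problems; an empty list means the payload matches the expected shape
function validateScanConfig(cfg) {
  const problems = [];
  if (typeof cfg?.name !== "string" || cfg.name.trim() === "") {
    problems.push("name must be a non-empty string");
  }
  const s = cfg?.schedule;
  if (typeof s?.start_date !== "string" || !START_DATE_RE.test(s.start_date) ||
      Number.isNaN(Date.parse(s.start_date))) {
    problems.push("schedule.start_date must look like 2020-09-26T02:00+00:00");
  }
  const d = s?.duration;
  if (!Number.isInteger(d?.length) || d.length <= 0) {
    problems.push("schedule.duration.length must be a positive integer");
  }
  if (!ALLOWED_UNITS.has(d?.unit)) {
    problems.push(`schedule.duration.unit must be one of ${[...ALLOWED_UNITS].join(", ")}`);
  }
  return problems;
}

// Builds a config whose start_date is `startInMinutes` after `now` (`now` is injectable
// so the output is deterministic in tests); throws if the result would not validate
function buildScanConfig({ name, startInMinutes, length, unit = "DAY", now = new Date() }) {
  const cfg = {
    name,
    schedule: {
      start_date: formatStartDate(new Date(now.getTime() + startInMinutes * 60000)),
      duration: { length, unit },
    },
  };
  const problems = validateScanConfig(cfg);
  if (problems.length > 0) throw new Error(problems.join("; "));
  return cfg;
}

// Constructed usage: a 3-day scan starting one hour after a fixed clock
const EXAMPLE_CONFIG = buildScanConfig({
  name: "Nightly-DAST",
  startInMinutes: 60,
  length: 3,
  now: new Date(Date.UTC(2020, 8, 26, 1, 0)),
});
console.log(JSON.stringify(EXAMPLE_CONFIG, null, 2));
```

Running the validator in a pre-step of the workflow (or a pre-commit hook) catches a wrong unit or a past or unparseable start date before the action submits the schedule to Veracode.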
When using action_type: load-results, the action will:
- Fetch Findings: Downloads all DAST findings from Veracode for the specified application profile
- Create Issues: Creates new GitHub issues for findings that don't have existing issues
- Update Issues: Updates existing issues based on finding status:
  - OPEN status: Keeps issues open (reopens if closed)
  - CLOSED status: Closes the issue
  - APPROVED resolution: Closes the issue
  - REJECTED resolution: Reopens the issue if closed
- Process Annotations: Adds Veracode annotations (APPROVED, REJECTED, NETENV, etc.) as issue comments, preventing duplicates
- Cleanup: Closes issues for findings that are no longer present in the latest scan results
Each GitHub issue created will include:
- Title: CWE name, category, and Veracode Finding ID [VID:issue_id]
- Labels: Severity label (critical, high, medium, low, informational) and veracode-dast
- Body: Detailed information including:
  - URL, path, hostname, port
  - Vulnerable parameter
  - CWE information
  - Finding category and plugin
  - Severity and attack vector
  - Finding status and resolution information
  - Full description from Veracode
When findings have annotations in Veracode, they are automatically added as comments to the GitHub issues. The action:
- Prevents duplicate comments by checking existing issue comments
- Formats annotations with action type, comment, date, and user name
- Handles APPROVED/REJECTED annotations to automatically close/reopen issues
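The following is an added example, not the action's own source code: it implements the load-results reconciliation described in the three sections above (issue title and labels, status and resolution handling, duplicate-free annotation comments, cleanup of stale issues) as a pure planning function over constructed findings and issues, so the decision logic can be read and tested without a GitHub token. The finding field names, the severity-number-to-label mapping, and the precedence used when status and resolution disagree are assumptions, not the Veracode API schema; applying the returned plan through the GitHub API is left to the caller.

```javascript
// Added illustration, not the action's own source: plans the GitHub issue changes that
// load-results mode makes, as a pure function over constructed data. Finding field names
// are assumptions modelled on the README's issue-body list, not the Veracode API schema.
const ACTION_LABEL = "veracode-dast";
const VID_TAG = /\[VID:(\d+)\]/; // finding id carried in the issue title

// Assumed mapping of Veracode numeric severity (5..0) to the five labels the README names
function severityLabel(sev) {
  return ({ 5: "critical", 4: "high", 3: "medium", 2: "low" })[sev] || "informational";
}

function issueTitle(f) {
  return `${f.cwe.name} (${f.category}) [VID:${f.id}]`;
}

function issueBody(f) {
  return [
    `URL: ${f.url}`, `Path: ${f.path}`, `Host: ${f.hostname}:${f.port}`,
    `Vulnerable parameter: ${f.parameter}`, `CWE-${f.cwe.id}: ${f.cwe.name}`,
    `Category: ${f.category} / Plugin: ${f.plugin}`,
    `Severity: ${severityLabel(f.severity)} / Attack vector: ${f.attackVector}`,
    `Status: ${f.status} / Resolution: ${f.resolution}`, "", f.description,
  ].join("\n");
}

// Assumed precedence when status and resolution disagree: CLOSED status or APPROVED
// resolution closes the issue; OPEN status or REJECTED resolution keeps it open.
function desiredState(f) {
  return f.status === "CLOSED" || f.resolution === "APPROVED" ? "closed" : "open";
}

// Comment text is deterministic, so an identical existing comment marks a duplicate
function annotationComment(a) {
  return `**${a.action}** by ${a.user} on ${a.created}\n\n${a.comment}`;
}

function planIssueSync(findings, issues) {
  const plan = [];
  // Only issues carrying the action's label and a [VID:n] tag are treated as tracked,
  // so cleanup never closes issues the action did not create
  const tracked = new Map();
  for (const i of issues) {
    const m = VID_TAG.exec(i.title);
    if (m && i.labels.includes(ACTION_LABEL)) tracked.set(Number(m[1]), i);
  }
  const present = new Set();
  for (const f of findings) {
    present.add(f.id);
    const issue = tracked.get(f.id);
    const want = desiredState(f);
    const comments = (f.annotations || []).map(annotationComment);
    if (!issue) {
      plan.push({ op: "create", title: issueTitle(f), body: issueBody(f),
                  labels: [severityLabel(f.severity), ACTION_LABEL], state: want, comments });
      continue;
    }
    if (issue.state !== want) {
      plan.push({ op: want === "open" ? "reopen" : "close", number: issue.number });
    }
    for (const body of comments) {
      if (!issue.comments.includes(body)) plan.push({ op: "comment", number: issue.number, body });
    }
  }
  // Cleanup: tracked issues whose finding is absent from the latest results are closed
  for (const [vid, issue] of tracked) {
    if (!present.has(vid) && issue.state === "open") plan.push({ op: "close", number: issue.number });
  }
  return plan;
}

// Constructed sample input (not real scan output)
const SAMPLE_FINDINGS = [
  { id: 101, cwe: { id: 79, name: "Cross-Site Scripting" }, category: "Injection", plugin: "xss",
    severity: 4, status: "OPEN", resolution: "UNRESOLVED", url: "https://app.example/search",
    path: "/search", hostname: "app.example", port: 443, parameter: "q", attackVector: "reflected",
    description: "Reflected XSS in search box", annotations: [] },
  { id: 102, cwe: { id: 209, name: "Information Exposure Through an Error Message" },
    category: "Information Leakage", plugin: "stacktrace", severity: 2, status: "OPEN",
    resolution: "APPROVED", url: "https://app.example/login", path: "/login", hostname: "app.example",
    port: 443, parameter: "-", attackVector: "-", description: "Stack trace in error page",
    annotations: [{ action: "APPROVED", user: "alice", created: "2024-01-02T10:00+00:00", comment: "Mitigated by design" }] },
  { id: 103, cwe: { id: 352, name: "Cross-Site Request Forgery" }, category: "CSRF", plugin: "csrf",
    severity: 3, status: "OPEN", resolution: "REJECTED", url: "https://app.example/profile",
    path: "/profile", hostname: "app.example", port: 443, parameter: "email", attackVector: "form post",
    description: "Missing CSRF token",
    annotations: [{ action: "REJECTED", user: "bob", created: "2024-01-03T09:30+00:00", comment: "Mitigation rejected" }] },
];
const SAMPLE_ISSUES = [
  { number: 7, state: "open", labels: ["low", ACTION_LABEL], comments: [],
    title: "Information Exposure Through an Error Message (Information Leakage) [VID:102]" },
  { number: 8, state: "closed", labels: ["medium", ACTION_LABEL],
    title: "Cross-Site Request Forgery (CSRF) [VID:103]",
    comments: ["**REJECTED** by bob on 2024-01-03T09:30+00:00\n\nMitigation rejected"] },
  { number: 9, state: "open", labels: ["high", ACTION_LABEL], comments: [],
    title: "SQL Injection (Injection) [VID:999]" },
];

console.log(JSON.stringify(planIssueSync(SAMPLE_FINDINGS, SAMPLE_ISSUES), null, 2));
```

On the sample data the plan is: create an issue for finding 101, close #7 (resolution APPROVED) and add the APPROVED annotation as a comment, reopen #8 (resolution REJECTED, its annotation comment already present so nothing is added), and close #9 because finding 999 is no longer in the results. Separating planning from the API calls makes it easy to log or dry-run what the workflow would change before granting it `issues: write`.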