AWS CodeSuite and Veracode
How to set up an AWS CodeSuite pipeline with Veracode Static Analysis, Software Composition Analysis, and Dynamic Analysis.
Overview
Veracode integrates with products in the AWS CodeSuite such as CodeBuild and CodePipeline.
For this demonstration we will use the PetStoreAPI written in Python.
https://github.com/veracode/petstore-api-flask
AWS Products We'll Use:
- CodeBuild - the primary place where the Veracode commands are integrated.
- Cloud9 IDE - used to run the PetStoreAPI Docker image as the target of the DAST scan.
- CodePipeline - integrates the security checks into your delivery pipeline.
The basic flow we'll be demonstrating is Checkout - Artifact - Scan.
Static Analysis and Software Composition Analysis Scanning
- Create CodeBuild project
- Enter API keys in environment variables
- Paste in the provided buildspec example, which performs the Checkout, Artifact, and Scan steps within a single buildspec file
- Submit the build to get SAST/SCA scan results
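An added example buildspec.yml for the SAST/SCA build above (my own sketch, not the page's "provided buildspec"). It assumes the Veracode API ID/key and SCA agent token are stored in AWS Secrets Manager under a secret named veracode/api, a CodeBuild standard image that offers Python and Java runtimes, and an application profile named PetStoreAPI; the wrapper version is a placeholder to pin yourself.

```yaml
# Added example (not the page's provided file): Checkout -> Artifact -> Scan
# in one CodeBuild run for the Flask PetStoreAPI.
version: 0.2

env:
  variables:
    # Assumption: pin the Veracode Java API wrapper version you have vetted.
    WRAPPER_VERSION: "REPLACE_WITH_PINNED_VERSION"
  secrets-manager:
    # Keys are pulled into environment variables at build time, never stored
    # in the buildspec or the source repository (assumed secret name/keys).
    VERACODE_API_ID: "veracode/api:id"
    VERACODE_API_KEY: "veracode/api:key"
    SRCCLR_API_TOKEN: "veracode/api:srcclr"

phases:
  install:
    runtime-versions:
      python: 3.11
      java: corretto17
    commands:
      # Fetch the Java API wrapper used for Upload-and-Scan.
      - curl -sSfo VeracodeJavaAPI.jar "https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/${WRAPPER_VERSION}/vosp-api-wrappers-java-${WRAPPER_VERSION}.jar"
  build:
    commands:
      # Artifact: zip the checked-out source tree, excluding VCS metadata and
      # bytecode so the upload matches what is actually deployed.
      - zip -r petstore-api.zip . -x ".git/*" "*.pyc" "__pycache__/*" "*.zip"
  post_build:
    commands:
      # SAST: upload the artifact and start a policy scan; -createprofile lets the
      # first run create the profile, -autoscan starts scanning after prescan.
      - java -jar VeracodeJavaAPI.jar -vid "$VERACODE_API_ID" -vkey "$VERACODE_API_KEY" -action UploadAndScan -appname "PetStoreAPI" -createprofile true -autoscan true -filepath petstore-api.zip -version "$CODEBUILD_BUILD_ID"
      # SCA: Veracode agent-based scan of the Python dependencies in the tree
      # (reads SRCCLR_API_TOKEN from the environment).
      - curl -sSL https://download.sourceclear.com/ci.sh | sh

artifacts:
  files:
    - petstore-api.zip
```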
Dynamic Scanning
- Use Cloud9 IDE to run the PetstoreAPI Docker Image
- Allow the Veracode scanner IP address to reach the Cloud9 instance via its security group
- Submit the DAST scan
SCA Advanced Scanning
- Vulnerable method detection
- Container scanning
- Create an open-source Software Bill of Materials (SBOM) from the SCA results for the container image itself.
Break on a Pull Request
- Use the Veracode Static Pipeline scanner for quick feedback on a pull or merge request.