Announcing a Unified Veracode SAST and SCA IDE Plugin

Veracode is pleased to announce the availability of a new Integrated Development Environment (IDE) Plugin for VS Code. Our new plugin combines both Veracode Static Analysis (SAST) and Software Composition Analysis (SCA) into a single plugin. This allows developers to quickly scan projects for security weaknesses and risks in both first-party code and third-party libraries.   

The Benefits of a Combined SAST and SCA Plugin 

Scanning projects with SCA and SAST is important to make sure that both the code and libraries are as safe as possible. Making these tools available natively in the IDE in a single plugin makes performing security checks both faster and easier to perform. Scanning code early in the software development process reduces both the cost of remediating flaws and the chances of flaws making it into production.  

How the Veracode Unified Plugin Works 

The unified plugin takes care of packaging and sending of artifacts to the Veracode static scanner,  and then returns the results of scans directly into the IDE. Developers can quickly scan, remediate, and then rescan application code before committing it into source control. Results of scans are held locally and aren't reported to the Veracode Platform allowing developers to ‘scan in the privacy of your IDE'. 

Security teams can still add scans within source control or CI/CD pipelines with additional Veracode integrations, like the Veracode GitHub Workflow Integration, which can be configured to provide build-breaking and reported scans triggered by source control events such as push or pull requests.  

The new plugin is available for free for Veracode customers and will detect which scan services a customer is entitled to.  

Answering Some Common Questions 

Which IDEs are Supported?  

Our first release of the plugin is available now for VS Code, but a number of IDE integrations will be following shortly. The existing Veracode SCA plugin is currently available for IntelliJ and PyCharm IDEs. 

Which Languages and Package Managers are supported?  

Veracode Scan uses the Pipeline Scan utility, which supports a wide range of languages. The auto-packager currently the following languages and package managers: 

• Java: Maven or Gradle 

• JavaScript: NPM or Yarn 

Other supported languages can still be scanned using the plugin, but they’ll require manual packaging.  

What Configuration Options Are There?  

• Severity of vulnerabilities to report on 

• What kinds of dependencies to report on  

• Recursive scans of subdirectories for SCA findings 

• Location of custom artifacts for a Static Analysis Scan 

The full set of configuration options is available in the documentation. 

When Will Veracode Scan be Available for other IDE’s?

We’re working hard on creating releases for other IDE’s and will update this blog as we release them.  

How May I Request Additional Features?  

We hope you find this new plugin useful, and we’d love to hear feedback and requests for enhancements. Use the “Leave Feedback” menu item in the “Help and Feedback” section of the IDE Plugin to let us know your thoughts.  

Finally: Unified SAST and SCA IDE Plugin 

If you’re a Veracode customer, then we encourage you to try the plugin for yourselves. If you’re new to Veracode or would like some more information, then why not request a demo?