Feb 27, 2024

Veracode Scan for VS Code: Now with Veracode Fix

By Robert Haynes

Veracode is pleased to announce the availability of Veracode Fix capability in Veracode Scan for VS Code. Now developers can discover and remediate security flaws using Veracode’s Generative AI-powered tools directly from their Integrated Development Environment (IDE).

According to the Veracode State of Software Security, 45.9% of organizations have critical security debt. The fact that this data comes from organizations who are actively testing their software with a high-quality solution implies that it’s not finding flaws that is the problem: it’s fixing them.

Last year we introduced Veracode Fix – an AI assistant that can take the results of a Veracode Static scan and allow developers to apply suggested fixes directly to their code. Veracode Fix cuts the time to research and implement a fix for a given finding to minutes, while still keeping the developer in control. Fix was implemented as part of the Veracode CLI utility, which is available for Linux, Windows, and MacOS. 

A little more recently, we introduced a new combined plugin for VS Code that performed both Static analysis and Software Composition Analysis (SCA).

With this new release of our Veracode Scan plugin for VS Code, developers can use the power of Veracode to discover and remediate flaws directly in the IDE. Starting with VS Code, the Veracode plugin can take the results of Static scans and offer a choice of solutions for developers to select to remediate a discovered flaw.


How it works

To begin scanning, simply click the 'scan' button in the Veracode Plugin. This will first build and package the code for analysis, as scanning deployment assets gives more accurate results than scanning uncompiled source code. Next, the code and its dependencies are analyzed by the Veracode Platform.

Veracode Scan for VS Code: Start Scanning

Once the results are returned, select a flaw, and Veracode Fix will generate one or more remediations you can choose from and then apply directly to the source file. The whole operation is performed within the VS Code IDE; it saves time, drives consistency, and helps cut the creation of security debt by constantly exposing developers to best-practice solutions.

Veracode Scan for VS Code: Apply a fix

Giving developers the ability to find and fix security flaws in the IDE not only puts the tools in the right place, it also shifts security flaw mitigation to the right time in the SDLC. Fixing flaws early and easily improves throughput, amplifies feedback, and reduces failed builds in the CI/CD pipeline. Developers get results and remediations before code is committed, meaning that later security scans are less likely to find build-breaking flaws that slow down delivery. Scanning and remediating early cuts the time and effort involved in triaging, prioritizing, assigning, and solving a flaw, significantly reducing an organization’s overall Mean Time to Remediate (MTTR).

Another benefit developers will appreciate is the reduced cognitive load of addressing flaws in code they are actively working on, rather than having to address issues days or weeks, and hundreds of new lines of code, later. Security teams will also benefit from early scans. Using the Veracode plugin, results generated in the IDE stay in the IDE, so flaws fixed there never reach the platform's results; this improves the signal-to-noise ratio of later scans and makes the flaws that do slip through easier to identify.

Supported Languages and Environments

Currently, the Veracode Scan plugin is available for VS Code (1.78.2 or later) and supports a wide range of languages for Static and SCA scans. Veracode Fix support is available for Java, JavaScript, PHP, and Python. Support for additional IDEs and languages is actively in development.

The auto-packaging feature works with the following package managers (interpreted languages don’t require any packaging steps):

  • Java: Maven or Gradle
  • JavaScript: NPM or Yarn
  • Python: pip

Other build systems can be scanned, but they will require a manual packaging step. The initial version of the plugin will allow one code fix per source file between rescans, but multiple source files can be remediated without rescanning.

In conclusion

Since its release, Veracode Fix has helped many Veracode customers remediate security flaws faster and begin to eat away at their risky security debt. The release of Veracode Fix in VS Code is set to improve the experience for developers by combining highly accurate scan results and easy remediation built into the tools they use every day.

We’d encourage you to request a personalized demo or contact your friendly neighborhood Veracode team for more information.

By Robert Haynes

Robert’s quarter-century working in IT has progressed (or is that regressed?) through helpdesk, UNIX sysadmin, backup, storage, application security, technical sales, and marketing. He now spends his time hanging out at the intersection of artificial intelligence and human ingenuity, waving a sign that says: “This way for secure software.”