Adding SAST to Pull Requests
Using easy_sast to perform SAST on pull requests is supported through the sandbox name configuration. In Veracode, a sandbox is attached to an application and is very similar to it, except that any vulnerabilities identified in a sandbox do not count against your application's overall compliance. For more details, see Veracode's documentation.
There are two methods to specify a sandbox name:
- `sandbox_name` under the sandbox api configuration in the config file.
- `--sandbox-name` at the CLI.
We recommend using a sandbox name that reflects your git repository and branch name, such as `easy_sast/fb/jonzeolla/a-thing`, where `easy_sast` is the git repository name and `fb/jonzeolla/a-thing` is the name of your feature branch. At the *nix command line, you can accomplish this with:
```bash
# Repository name: strip the path and the .git suffix from the origin URL
repo_name=$(basename -s .git "$(git config --get remote.origin.url)")
# Current branch name (prints "HEAD" on a detached checkout)
branch_name=$(git rev-parse --abbrev-ref HEAD)
```
This will allow you to use `--sandbox-name "${repo_name}/${branch_name}"` in your `docker run` command, and should work in CI environments where the code being built and scanned is the result of a `git clone`. This ensures that sandboxes are easy to map to pull requests, and also accounts for microservices where you may have multiple git repos submitting code to a single Veracode application. Alternatively, consider using the git short hash via `commit_hash=$(git rev-parse --short HEAD)` and a sandbox name like `--sandbox-name "${repo_name}/${branch_name}-${commit_hash}"`, but keep in mind this may quickly use all of the sandboxes that you have allocated to your application (25 sandboxes by default as of 2020-04-05).
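As an added example (not part of easy_sast or its documentation), the shell functions below build the recommended `<repo>/<branch>` name without depending on `basename -s`, add the optional short-hash suffix, and handle the detached-HEAD checkout that CI systems commonly produce; `CI_BRANCH` is an assumed, CI-provided variable name.

```bash
# Added example, not easy_sast's own code. Assumes POSIX sh and git.
# CI_BRANCH is an assumed variable that a CI system would export.

# Equivalent of `basename -s .git URL` using only shell parameter expansion.
# Handles https://host/owner/repo.git and scp-style host:owner/repo.git.
repo_name_from_url() {
  name="${1##*/}"      # keep the part after the last "/"
  name="${name##*:}"   # scp-style URL with no "/" at all
  printf '%s\n' "${name%.git}"
}

# sandbox_name REPO_URL BRANCH [SHORT_HASH]
# With a hash, every commit consumes its own sandbox (25 by default).
sandbox_name() {
  repo=$(repo_name_from_url "$1")
  if [ -n "${3:-}" ]; then
    printf '%s/%s-%s\n' "$repo" "$2" "$3"
  else
    printf '%s/%s\n' "$repo" "$2"
  fi
}

# current_sandbox_name [with-hash]: derive the name from the checked-out repo.
# On a detached HEAD `rev-parse --abbrev-ref` prints "HEAD", which would make
# every CI build share one sandbox; fall back to CI_BRANCH in that case.
current_sandbox_name() {
  url=$(git config --get remote.origin.url)
  branch=$(git rev-parse --abbrev-ref HEAD)
  if [ "$branch" = "HEAD" ] && [ -n "${CI_BRANCH:-}" ]; then
    branch="$CI_BRANCH"
  fi
  if [ "${1:-}" = "with-hash" ]; then
    sandbox_name "$url" "$branch" "$(git rev-parse --short HEAD)"
  else
    sandbox_name "$url" "$branch"
  fi
}

# In the docker run command from this page, for example:
#   --sandbox-name "$(current_sandbox_name)"
```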
When doing a Policy scan in Veracode you can only perform a single scan of an application at a time. The same applies to sandbox scans, but easy_sast is configured to cancel any in-progress builds when the sandbox feature is in use. This allows you to push commits rapidly to your branch and prioritizes the latest commit.