Veracode API Credentials
| ID | Severity | Vendor | Family |
| --- | --- | --- | --- |
| veracode_api_credentials | high | Veracode | Access Key |
Description
Veracode accounts use Veracode API credentials to access the Veracode APIs and several integrations.
API credentials are stored in a $HOME/.veracode/credentials file with the following format:

```ini
[default]
veracode_api_key_id = API_KEY_ID
veracode_api_key_secret = API_SECRET_KEY
```
The key_id and the secret can also be passed as environment variables, as in the following example with one of the container images from Veracode:

```shell
export VERACODE_API_KEY_ID=<your api key id>
export VERACODE_API_KEY_SECRET=<your api secret>
docker run --rm -p 10010:10010 \
  -e VERACODE_API_KEY_ID \
  -e VERACODE_API_KEY_SECRET \
  --name iast-agent-server \
  veracode/iast-agent-server:latest
```
Security
To use Veracode API credentials, Veracode recommends you use the Veracode API wrappers, HTTPie with the appropriate Veracode authentication library, or one of the Veracode IDE integrations.
If the veracode_api_key_secret is leaked, an attacker may gain access to the
Examples
In a .veracode/credentials file:

```ini
[default]
veracode_api_key_id = <YOUR API_KEY_ID HERE>
veracode_api_key_secret = <YOUR API_SECRET_KEY HERE>
```
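As an added example (not Veracode's or this page's own tooling), a small Python checker for the two forms described above: it finds `veracode_api_key_secret` assignments in the INI file format or as an exported environment variable, reports them with the value masked, separates template placeholders like those in the snippets above from live values, and checks that a credentials file's mode is strict. The `Finding`, `find_secrets` and `mode_is_strict` names and the sample values are this example's own.

```python
import re
import stat
from dataclasses import dataclass

# Matches the INI key in $HOME/.veracode/credentials and the exported
# environment variable (example regex, not Veracode's own tooling).
_SECRET_RE = re.compile(
    r"(?im)^[ \t]*(?:export[ \t]+)?"
    r"(?P<key>veracode_api_key_secret)[ \t]*=[ \t]*(?P<value>\S+)"
)

@dataclass
class Finding:
    line_no: int
    key: str
    redacted: str       # prefix plus mask; the full secret is never stored
    placeholder: bool   # True for template values such as <your api secret>

def redact(secret: str) -> str:
    """Keep a short prefix for triage and mask the rest."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 4)

def find_secrets(text: str) -> list[Finding]:
    """One Finding per veracode_api_key_secret assignment in text."""
    findings = []
    for m in _SECRET_RE.finditer(text):
        value = m.group("value")
        line_no = text.count("\n", 0, m.start()) + 1
        # The page's own snippets use placeholders; do not report those as live.
        is_placeholder = value.startswith("<") or value == "API_SECRET_KEY"
        findings.append(Finding(line_no, m.group("key"), redact(value), is_placeholder))
    return findings

def mode_is_strict(mode: int) -> bool:
    """True when group and others have no access bits, e.g. 0600 (st_mode or octal)."""
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0

# Constructed sample: a fake INI secret plus an exported placeholder.
SAMPLE = """\
[default]
veracode_api_key_id = 0123456789abcdef0123456789abcdef
veracode_api_key_secret = fedcba9876543210fedcba9876543210
export VERACODE_API_KEY_SECRET=<your api secret>
"""

if __name__ == "__main__":
    for f in find_secrets(SAMPLE):
        print(f"line {f.line_no}: {f.key} = {f.redacted} ({'placeholder' if f.placeholder else 'LIVE'})")
```

To check a real file, pass `os.stat(path).st_mode` to `mode_is_strict` and the file's contents to `find_secrets`.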
Mitigation / Fix
- Any .veracode/credentials file should not be under version control. Ensure that it is a local file with strict permissions, according to the Manage API credentials documentation.
- Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). In this case, follow the steps in revoke API credentials.
- If under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits with secrets as compromised. Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.