Veracode API Signing Library

Warnings

• breaking As of September 2019, Veracode API authentication transitioned from username/password (basic authentication) to API ID and Key (HMAC signing) for XML APIs, and REST APIs have always required HMAC. Any code still using basic authentication will fail.
  Fix: Generate Veracode API credentials (API ID and Key) and update your code to use HMAC signing via this library or an equivalent method. Ensure your API ID and Key are set as environment variables or in a `~/.veracode/credentials` file.
• gotcha Veracode API credentials should be stored in either a `~/.veracode/credentials` file or as environment variables, but not both simultaneously for the same configuration profile, as this can lead to unpredictable behavior.
  Fix: Choose one method for providing credentials (either the file or environment variables) and stick to it. The library will attempt to load from the file first, then environment variables. For programmatic control over multiple accounts, passing `api_key_id` and `api_key_secret` directly to the `RequestsAuthPluginVeracodeHMAC` constructor is an option.
• deprecated The Veracode XML Admin API was deprecated in June 2022 in favor of the Identity REST APIs, with support ending on June 30, 2023. While `veracode-api-signing` can still sign requests for XML APIs, new integrations should exclusively target the more modern REST APIs.
  Fix: Migrate any automation using the XML Admin API to the Identity REST APIs. Familiarize yourself with the REST API documentation for the relevant endpoints.

Install

• pip install veracode-api-signing Install latest version

Imports

• RequestsAuthPluginVeracodeHMAC

  from veracode_api_signing.plugin_requests import RequestsAuthPluginVeracodeHMAC

  The authentication plugin is located within the `plugin_requests` submodule, not directly under the top-level package.

Quickstart

This quickstart demonstrates how to make an authenticated GET request to the Veracode REST API's `/applications` endpoint using the `veracode-api-signing` library with the popular `requests` library. API credentials are expected to be available as environment variables `VERACODE_API_KEY_ID` and `VERACODE_API_KEY_SECRET`, or alternatively, loaded from a `~/.veracode/credentials` file. The `RequestsAuthPluginVeracodeHMAC` automatically signs the request with the provided or discovered credentials.

import requests
import os
from veracode_api_signing.plugin_requests import RequestsAuthPluginVeracodeHMAC

# Veracode API credentials can be loaded from ~/.veracode/credentials or environment variables.
# For quickstart, using environment variables for demonstration. In production, prefer file.
api_id = os.environ.get('VERACODE_API_KEY_ID', '')
api_key_secret = os.environ.get('VERACODE_API_KEY_SECRET', '')

if not api_id or not api_key_secret:
    print("WARNING: VERACODE_API_KEY_ID and VERACODE_API_KEY_SECRET environment variables are not set.")
    print("Please set them or configure ~/.veracode/credentials file for successful authentication.")
    # Exit or provide mock values for a non-failing example
    api_id = 'YOUR_MOCK_API_ID'
    api_key_secret = 'YOUR_MOCK_API_SECRET'

# The base URL for Veracode REST APIs. For US Commercial Region.
# Adjust for other regions if necessary (e.g., https://api.veracode.eu/appsec/v1)
api_base = "https://api.veracode.com/appsec/v1"

try:
    # Make a GET request to an API endpoint, e.g., /applications
    # The RequestsAuthPluginVeracodeHMAC automatically handles signing the request.
    response = requests.get(api_base + "/applications", auth=RequestsAuthPluginVeracodeHMAC(api_key_id=api_id, api_key_secret=api_key_secret))
    response.raise_for_status() # Raise an HTTPError for bad responses (4xx or 5xx)
    print("Successfully fetched applications:")
    print(response.json())
except requests.exceptions.HTTPError as e:
    print(f"HTTP Error: {e.response.status_code} - {e.response.text}")
except requests.exceptions.RequestException as e:
    print(f"An error occurred: {e}")