Veracode API HMAC Authentication in Python
September 6, 2019 #security #codequality #python
Back on 26 August 2019, I created a GitHub issue on veracode-python-hmac-example since it didn’t work with Python 3.7. I also reached out to Veracode Support, who replied right away with a compatible .whl file. Today I learned that the Veracode API Signing Library is now available on PyPI for HMAC authentication.
As a test, I wanted to write some Python code for getapplist.do to mimic this usage of the Java-based CLI.
    $ java -jar ~/.veracode/VeracodeJavaAPI.jar \
        -vid [redacted] \
        -vkey [redacted] \
        -action getapplist
I was able to run this code and get the same result from the Veracode XML API.
    import sys

    import requests
    from veracode_api_signing.plugin_requests import RequestsAuthPluginVeracodeHMAC

    VERACODE_API_URL = 'https://analysiscenter.veracode.com/api/5.0/'

    if __name__ == "__main__":
        # The auth plugin signs the request with the stored API credentials (HMAC).
        result = requests.post(VERACODE_API_URL + "getapplist.do",
                               auth=RequestsAuthPluginVeracodeHMAC(),
                               data={"include_user_info": "true"})
        print(result.text)
This works because the Veracode API Key and Key Secret are located in my ~/.veracode/credentials file.
    $ cat ~/.veracode/credentials
    [default]
    veracode_api_key_id = [redacted]
    veracode_api_key_secret = [redacted]
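
Because the key secret sits in that file in plain text, a pipeline can check the file before relying on it. The following is an added example, not code from the original post or from the Veracode library: `audit_credentials_file` is a hypothetical helper, and the expectation of mode 0600 is an assumption based on common practice for secret files.

```python
import configparser
import os
import stat
from pathlib import Path

# Profile and key names as shown in the credentials file above.
REQUIRED_KEYS = ("veracode_api_key_id", "veracode_api_key_secret")


def audit_credentials_file(path="~/.veracode/credentials", profile="default"):
    """Return a list of problems; an empty list means the file passed.

    Hypothetical helper for this example. Findings name files and keys only,
    so the output is safe to log: no key ID or secret value is ever included.
    """
    path = Path(path).expanduser()
    try:
        st = path.stat()
    except FileNotFoundError:
        return [f"{path}: file not found"]

    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append(f"{path}: not a regular file")
    # Any group/other permission bit lets other local accounts reach the secret.
    if os.name == "posix" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"{path}: mode {mode:04o} is too open, expected 0600")

    # interpolation=None: a '%' in a secret must not be treated as syntax.
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read(path, encoding="utf-8")
    except (configparser.Error, UnicodeDecodeError) as exc:
        # Parser messages can quote file lines, so report only the error type.
        return findings + [f"{path}: cannot parse ({type(exc).__name__})"]

    if not parser.has_section(profile):
        return findings + [f"{path}: no [{profile}] profile"]
    for key in REQUIRED_KEYS:
        if not parser.get(profile, key, fallback="").strip():
            findings.append(f"[{profile}] {key} is missing or empty")
    return findings


if __name__ == "__main__":
    for problem in audit_credentials_file():
        print("WARNING:", problem)
```
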
If you prefer the newer JSON-based Veracode REST APIs, the same HMAC authentication works.
    import json
    import sys

    import requests
    from veracode_api_signing.plugin_requests import RequestsAuthPluginVeracodeHMAC

    api_base = "https://api.veracode.com/appsec/v1"

    if __name__ == "__main__":
        try:
            response = requests.get(api_base + "/applications",
                                    auth=RequestsAuthPluginVeracodeHMAC(),
                                    params={"size": "500"})
        except requests.RequestException as e:
            # Network-level failure: report it and exit non-zero.
            print(e)
            sys.exit(1)

        if response.ok:
            print(json.dumps(response.json(), indent=2))
        else:
            print(response.status_code)
Now it’s time to explore some more Veracode APIs and add some security automation to my pipelines.