{"id":37164745,"url":"https://github.com/veracode/scan_health","last_synced_at":"2026-01-14T19:33:40.637Z","repository":{"id":65779683,"uuid":"587772220","full_name":"veracode/scan_health","owner":"veracode","description":" Veracode Scan Health","archived":false,"fork":false,"pushed_at":"2025-05-19T14:43:54.000Z","size":445,"stargazers_count":7,"open_issues_count":3,"forks_count":10,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-05-19T15:54:25.502Z","etag":null,"topics":["veracode"],"latest_commit_sha":null,"homepage":"https://veracode.github.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/veracode.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-11T14:52:44.000Z","updated_at":"2025-05-19T14:43:58.000Z","dependencies_parsed_at":"2024-01-10T09:28:56.020Z","dependency_job_id":"5e80ae8a-f32c-487b-9297-fd4065588190","html_url":"https://github.com/veracode/scan_health","commit_stats":null,"previous_names":["veracode/scan_health","antfie/scan_health"],"tags_count":70,"template":false,"template_full_name":null,"purl":"pkg:github/veracode/scan_health","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/veracode%2Fscan_health","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/veracode%2Fscan_health/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/veracode%2Fscan_health/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/veracode%2Fscan_health/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/veracode","download_url":"https://codeload.github.com/veracode/scan_health/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/veracode%2Fscan_health/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28432628,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T18:57:19.464Z","status":"ssl_error","status_checked_at":"2026-01-14T18:52:48.501Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["veracode"],"created_at":"2026-01-14T19:33:40.002Z","updated_at":"2026-01-14T19:33:40.627Z","avatar_url":"https://github.com/veracode.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"![GitHub License](https://img.shields.io/github/license/veracode/scan_health)\r\n![Go Version](https://img.shields.io/github/go-mod/go-version/veracode/scan_health)\r\n[![Go Report Card](https://goreportcard.com/badge/github.com/veracode/scan_health/v2)](https://goreportcard.com/report/github.com/github.com/veracode/scan_health/v2)\r\n![GitHub Release](https://img.shields.io/github/v/release/veracode/scan_health)\r\n![GitHub Downloads (all assets, all releases)](https://img.shields.io/github/downloads/veracode/scan_health/total)\r\n![Docker Image Size](https://img.shields.io/docker/image-size/antfie/scan_health/latest)\r\n![Docker Pulls](https://img.shields.io/docker/pulls/antfie/scan_health)\r\n\r\n# Veracode Scan Health Tool 🏥\r\n\r\n**Note this tool is not an official Veracode product. It comes with no support or warranty.**\r\n\r\nUse this console tool to gain insight into the health of a Veracode SAST scan. The report includes any problems found as well as suggestions to improve scan performance and flaw quality. At present this tool only works on Static Analysis (SAST) scans.\r\n\r\nThe tool has the following modes of operation:\r\n\r\n* **Health Report** - For when we want to know if a given SAST scan has been configured correctly\r\n* **Scan Compare** - For when we want to compare two SAST scans for troubleshooting issues\r\n\r\n## Key Features ✅\r\n\r\n* Uses the [Veracode APIs](https://docs.veracode.com/r/Veracode_APIs) and standard Veracode [API Credentials File](https://docs.veracode.com/r/c_api_credentials3).\r\n* Works in Veracode Commerical (US) and European regions.\r\n* Easy to understand configuration issues and recommendations.\r\n* Outputs a summary to the console and also optionally a full listing in JSON.\r\n* Returns exit code 1 if there are any serious configuration issues found when using `-error-on-high-severity` flag. \r\n* Set `-previous-scan=true` to run checks against the previous scan. We may make this the default at some point in the\r\n  future.\r\n\r\n## Installation 📦\r\n\r\nThe easiest way to install this is to download the binary from GitHub, but there are other options.\r\n\r\n### Homebrew\r\n\r\n```bash\r\n# If you don't have brew installed, install it from here: https://brew.sh/\r\n\r\n# Add the brew tap to your local machine\r\nbrew tap veracode/tap\r\n\r\n# Install the tool\r\nbrew install scan_health\r\n```\r\n\r\n### From GitHub \r\n\r\nFrom the [Releases](https://github.com/veracode/scan_health/releases) page you can download the latest version of this standalone executable for Windows, Linux and macOS. Note that at this time we are unable to code-sign these binaries.\r\n\r\n### Using Docker 🐳\r\n\r\nYou can also use the [Docker image](https://hub.docker.com/r/antfie/scan_health):\r\n\r\n```bash\r\ndocker pull antfie/scan_health\r\n```\r\n\r\n### Compile Manually\r\n\r\nYou will need the latest version of [Go](https://go.dev/dl/) and then run the following commands to get the code and compile it:\r\n\r\n```bash\r\ngit clone https://github.com/veracode/scan_health\r\ncd scan_health\r\n./scripts/build.sh\r\n```\r\n\r\nNote it is best to point to the latest release commit as the main branch can sometimes have have work in progress.\r\n\r\nIn the `dist` folder you should find the compiled binaries.\r\n\r\n## Configuration 🛠️\r\n\r\nThis tool makes use of the [Veracode APIs](https://docs.veracode.com/r/Veracode_APIs) ([listed below](#outbound-api-calls)). You will need a Veracode [API Credentials File](https://docs.veracode.com/r/c_api_credentials3) and the [Reviewer or Security Lead role](https://docs.veracode.com/r/c_API_roles_details#results-api) for this tool to work.\r\n\r\nFollow the instructions on how to configure a Veracode [API Credentials File](https://docs.veracode.com/r/c_api_credentials3) if you do not already have this set up.\r\n\r\nAlternatively you can use\r\nenvironment\r\nvariables (`VERACODE_API_KEY_ID` and `VERACODE_API_KEY_SECRET`) or the CLI flags (`-vid` and `-vkey`) to authenticate\r\nwith the Veracode APIs.\r\n\r\n### Using Docker 🐳\r\n\r\nIf you are using Docker you can mount the API credentials file in the container like this:\r\n\r\n```bash\r\ndocker run -t -v \"$HOME/.veracode:/app/.veracode\" antfie/scan_health -action health -sast https://analysiscenter.veracode.com/auth/index.jsp#...\r\n```\r\n\r\n## Using the Tool\r\n\r\nSimply running the tool with `-h` should provide helpful usage instructions like so:\r\n\r\n```bash\r\nScan Health v2.34\r\nCopyright © Veracode, Inc. 2024. All Rights Reserved.\r\nThis is an unofficial Veracode product. It does not come with any support or warranty.\r\n\r\nUsage of ./dist/scan_health-mac-amd64:\r\n  -cache\r\n    \tEnable caching of API responses (useful for development)\r\n  -error-on-high-severity\r\n    \tReturn a non-zero exit code if any high severity issues are found\r\n  ...\r\n```\r\n\r\n### Health Report\r\n\r\nThe most common use of this tool is to get a health report for a given scan.\r\n\r\n```bash\r\n./scan_health -action health -sast https://analysiscenter.veracode.com/auth/index.jsp#...\r\n```\r\n\r\nHere is an example report:\r\n\r\n```\r\nScan Health v2.32\r\nCopyright © Veracode, Inc. 2023. All Rights Reserved.\r\nThis is an unofficial Veracode product. It does not come with any support or warranty.\r\n\r\nInspecting SAST build id = 22132159 in the commercial region\r\nWarning: This is not the latest scan\r\n\r\nScan Summary\r\n============\r\nBusiness unit:      Cyber Security\r\nApplication:        Secure File Transfer\r\nSandbox:            Development\r\nScan name:          15 Nov 2022 Static\r\nReview Modules URL: https://analysiscenter.veracode.com/auth/index.jsp#AnalyzeAppModuleList:75603:793744:22132159:22103486:22119136::::5000002\r\nTriage Flaws URL:   https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsStaticFlaws:75603:793744:22132159:22103486:22119136::::5000002\r\nFiles uploaded:     127\r\nTotal modules:      142\r\nModules selected:   1\r\nEngine version:     20221021161836 (Release notes: https://docs.veracode.com/updates/r/c_all_static)\r\nSubmitted:          2022-11-15 12:28:29 +0000 GMT (225d 2h 16m 5.453014s ago)\r\nPublished:          2022-11-15 12:37:33 +0000 GMT (225d 2h 7m 1.453023s ago)\r\nDuration:           9m 4s\r\nLatest app scan:    2023-01-31 08:52:10 +0000 GMT (148d 5h 52m 24.453035s ago)\r\n\r\nFlaw Summary\r\n============\r\nTotal (less fixed):         49\r\nFixed (no longer reported): 0\r\nPolicy affecting:           35\r\nMitigated:                  2\r\nOpen affecting policy:      33\r\nOpen not affecting policy:  14\r\n\r\nModules Selected for Analysis\r\n=============================\r\n* app.war\r\n\r\nIssues\r\n======\r\n❌ A Java module was identified that contained no compiled Java classes: \"common-0.1.0-SNAPSHOT.jar\". Sometimes this can indicate the file contained only Java source code which is not processed by Veracode.\r\n⚠️ 2 unnecessary files were uploaded: \".DS_Store\", \"._.DS_Store\".\r\n⚠️ 2 JavaScript modules were not selected for analysis: \"JS files within common-0.1.0-SNAPSHOT.jar\", \"JS files within auth-0.1.0-SNAPSHOT.jar\".\r\n⚠️ There have not been recent scans of this application The application was last scanned on 2023-01-31 08:52:10 +0000 GMT which was 148d 5h 52m 24.452762s ago. It is not uncommon for new flaws to be reported over time because Veracode is continuously improving their products, and because new SCA vulnerabilities are reported every day, and this could impact the application.\r\n\r\nRecommendations\r\n===============\r\n💡 Follow the packaging instructions to keep the upload as small as possible to improve upload and scan times.\r\n💡 Veracode requires the Java application to be compiled into a JAR, WAR or EAR file as per the packaging instructions.\r\n💡 Veracode extracts JavaScript modules from the upload. Consider selecting the appropriate \"JS files within ...\" modules for analysis in order to cover the JavaScript risk from these components.\r\n💡 Under-selection of first party modules affects results quality. Ensure the correct entry points have been selected as recommended and refer to this article: https://community.veracode.com/s/article/What-are-Modules-and-how-do-my-results-change-based-on-what-I-select.\r\n💡 Regular scanning, preferably via automation will allow the application team to respond faster to any new issues reported.\r\n💡 Consider scheduling a consultation to review the packaging and module configuration: https://docs.veracode.com/r/t_schedule_consultation.\r\n```\r\n\r\nThe tool also outputs JSON if the `-format json` flag is set. Note that unlike the console this JSON will not contain summaries but all the details. An example can be seen below:\r\n\r\n```json\r\n{\r\n  \"health_tool\": {\r\n    \"report_date\": \"2023-06-29T12:20:49.769824+01:00\",\r\n    \"version\": \"2.1\",\r\n    \"region\": \"commercial\"\r\n  },\r\n  \"scan\": {\r\n    \"account_id\": 75603,\r\n    \"business_unit\": \"Cyber Security\",\r\n    \"application_id\": 793744,\r\n    \"application_name\": \"Secure File Transfer\",\r\n    \"scan_name\": \"30 Jan 2023 Static\",\r\n    \"sandbox_id\": 5139524,\r\n    \"sandbox_name\": \"Dart and Flutter\",\r\n    \"build_id\": 23664244,\r\n    \"review_modules_url\": \"https://analysiscenter.veracode.com/auth/index.jsp#AnalyzeAppModuleList:75603:793744:23664244:23635472:23651122::::5139524\",\r\n    \"triage_flaws_url\": \"https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsStaticFlaws:75603:793744:23664244:23635472:23651122::::5139524\",\r\n    \"engine_version\": \"20230123231701\",\r\n    \"submitted_date\": \"2023-01-30T12:17:19Z\",\r\n    \"published_data\": \"2023-01-30T12:27:38Z\",\r\n    \"scan_duration\": 619000000000,\r\n    \"analysis_size\": 157513561,\r\n    \"is_latest_scan\": false\r\n  },\r\n  \"flaws\": {\r\n    \"total\": 5,\r\n    \"total_affecting_policy\": 5,\r\n    \"open_affecting_policy\": 5\r\n  },\r\n  \"uploaded_files\": [\r\n    {\r\n      \"id\": 10552845755,\r\n      \"name\": \"wonderous.ipa\",\r\n      \"status\": \"Uploaded\",\r\n      \"md5\": \"502f1a945eb85a0d09da917bba5d7de0\",\r\n      \"is_ignored\": false,\r\n      \"is_third_party\": false\r\n    }\r\n  ],\r\n  \"modules\": [\r\n    {\r\n      \"name\": \"wonderous.ipa\",\r\n      \"compiler\": \"DART\",\r\n      \"operating_system\": \"Dart\",\r\n      \"architecture\": \"DART\",\r\n      \"is_ignored\": false,\r\n      \"is_third_party\": false,\r\n      \"is_dependency\": false,\r\n      \"is_selected\": true,\r\n      \"has_fatal_errors\": false,\r\n      \"flaw_summary\": {}\r\n    },\r\n    {\r\n      \"id\": 1756110687,\r\n      \"name\": \"wonderous.ipa\",\r\n      \"is_ignored\": false,\r\n      \"is_third_party\": false,\r\n      \"is_dependency\": false,\r\n      \"is_selected\": false,\r\n      \"has_fatal_errors\": false,\r\n      \"status\": \"OK\",\r\n      \"platform\": \"DART / Dart / DART\",\r\n      \"size\": \"150MB\",\r\n      \"md5\": \"502f1a945eb85a0d09da917bba5d7de0\",\r\n      \"issues\": [\r\n        \"No supporting files or PDB files\"\r\n      ],\r\n      \"flaw_summary\": {}\r\n    }\r\n  ],\r\n  \"issues\": [\r\n    {\r\n      \"description\": \"There have not been recent scans of this application The application was last scanned on 2023-01-31 08:52:10 +0000 GMT which was 149d 2h 28m 42.711006s ago. It is not uncommon for new flaws to be reported over time because Veracode is continuously improving their products, and because new SCA vulnerabilities are reported every day, and this could impact the application.\",\r\n      \"severity\": \"medium\"\r\n    }\r\n  ],\r\n  \"recommendations\": [\r\n    \"Regular scanning, preferably via automation will allow the application team to respond faster to any new issues reported.\",\r\n    \"Consider scheduling a consultation to review the packaging and module configuration: https://docs.veracode.com/r/t_schedule_consultation.\"\r\n  ],\r\n  \"last_activity\": \"2023-01-31T08:52:10Z\"\r\n}\r\n```\r\n\r\n### Scan Compare\r\n\r\nScans can be compared like so:\r\n\r\n```bash\r\n./scan_health -action compare -a https://analysiscenter.veracode.com/auth/index.jsp#... -b https://analysiscenter.veracode.com/auth/index.jsp#...\r\n```\r\n\r\n## Different ways to run\r\n\r\nIf you know the build IDs you can use them instead of URLs if preferred, like so:\r\n\r\n```sh\r\n./scan_health -sast 22132159\r\n```\r\n\r\nPlease note that this will only work if the scan has a Detailed Report, i.e. the scan has finished. It is preferable to use scan URLs over build IDs. \r\n\r\n### Using a zsh helper alias\r\n\r\nIf you use the zsh shell you might want to have a helper alias. To do that add this to your `~/.zshrc` file:\r\n\r\n```sh\r\nalias vsh='f() { /path/to/scan_health-mac-arm64 -sast \"$1\" };f'\r\n```\r\n\r\nThen you can simply run:\r\n\r\n```sh\r\nvsh https://analysiscenter.veracode.com/auth/index.jsp#...\r\n```\r\n\r\n## Development 🪚\r\n\r\nYou may want to use the `-cache=true` flag to speed up development by caching API responses. It is not recommended to use caching in production as sensitive data may be left in files.\r\n\r\n### Compiling\r\n\r\nRunningt he build script will also run the tests:\r\n\r\n```sh\r\n./scripts/build.sh\r\n```\r\n\r\n## Bug Reports 🐞\r\n\r\nIf you find a bug, please file an Issue right here in GitHub, and I will try to resolve it in a timely manner.\r\n\r\n## API Calls\r\n\r\nThis tool makes the following read-only API requests for data:\r\n\r\n| API                                                                         | Notes / API Documentation                                  |\r\n|-----------------------------------------------------------------------------|------------------------------------------------------------|\r\n| \u003chttps://github.com/veracode/scan_health/releases/latest\u003e                     | To determine if a new version of the tool is available.    |\r\n| \u003chttps://analysiscenter.veracode.com/api/3.0/getmaintenancescheduleinfo.do\u003e | \u003chttps://docs.veracode.com/r/r_getmaintenancescheduleinfo\u003e |\r\n| \u003chttps://analysiscenter.veracode.com/api/5.0/detailedreport.do\u003e             | \u003chttps://docs.veracode.com/r/r_detailedreport\u003e             |\r\n| \u003chttps://analysiscenter.veracode.com/api/5.0/getappinfo.do\u003e                 | \u003chttps://docs.veracode.com/r/r_getappinfo\u003e                 |\r\n| \u003chttps://analysiscenter.veracode.com/api/5.0/getbuildinfo.do\u003e               | \u003chttps://docs.veracode.com/r/r_getbuildinfo\u003e               |\r\n| \u003chttps://analysiscenter.veracode.com/api/5.0/getbuildlist.do\u003e               | https://docs.veracode.com/r/r_getbuildlist                 |\r\n| \u003chttps://analysiscenter.veracode.com/api/5.0/getfilelist.do\u003e                | \u003chttps://docs.veracode.com/r/r_getfilelist\u003e                |\r\n| \u003chttps://analysiscenter.veracode.com/api/5.0/getprescanresults.do\u003e          | \u003chttps://docs.veracode.com/r/r_getprescanresults\u003e          |\r\n| \u003chttps://analysiscenter.veracode.com/api/5.0/getsandboxlist.do\u003e             | \u003chttps://docs.veracode.com/r/r_getsandboxlist\u003e             |\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fveracode%2Fscan_health","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fveracode%2Fscan_health","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fveracode%2Fscan_health/lists"}