@eurekadevsecops/radar 1.10.0 → 2.0.0

package/.config/release-please/manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "1.10.0"
+  ".": "2.0.0"
 }

package/CHANGELOG.md

@@ -1,5 +1,24 @@
 # Changelog
 
+## [2.0.0](https://github.com/EurekaDevSecOps/radarctl/compare/v1.11.0...v2.0.0) (2026-03-04)
+
+
+### ⚠ BREAKING CHANGES
+
+* **scan:** Exit codes have changed. When vulnerabilities are found, instead of returning exit codes in the range 8-15, Radar CLI now only returns 8.
+
+### Improvements
+
+* **scan:** Add THRESHOLD option ([#67](https://github.com/EurekaDevSecOps/radarctl/issues/67)) ([47a0b7b](https://github.com/EurekaDevSecOps/radarctl/commit/47a0b7bdc2b9f59d13cc6d35d6b1367b00b4ebc3))
+* **scans:** Display link to scan in Eureka dashboard ([#68](https://github.com/EurekaDevSecOps/radarctl/issues/68)) ([0b33b79](https://github.com/EurekaDevSecOps/radarctl/commit/0b33b79420a6589b33b1dc4370e4733bf872eaae))
+
+## [1.11.0](https://github.com/EurekaDevSecOps/radarctl/compare/v1.10.0...v1.11.0) (2026-02-27)
+
+
+### Improvements
+
+* Add support for Veracode Pipeline (SAST) scanner ([#2](https://github.com/EurekaDevSecOps/radarctl/issues/2)) ([bf7f04b](https://github.com/EurekaDevSecOps/radarctl/commit/bf7f04b4fd8bfc5fd3e13b25365809209db80cec))
+
 ## [1.10.0](https://github.com/EurekaDevSecOps/radarctl/compare/v1.9.8...v1.10.0) (2026-02-25)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eurekadevsecops/radar",
-  "version": "1.10.0",
+  "version": "2.0.0",
   "description": "Radar is an open-source orchestrator of security scanners.",
   "homepage": "https://www.eurekadevsecops.com/radar",
   "keywords": [

package/scanners/veracode-sast/about.toml

@@ -0,0 +1,5 @@
+name = "veracode-sast"
+title = "Veracode SAST"
+description = "Identify application security findings in source code. Requires Veracode API key."
+categories = [ "SAST" ]
+cmd = "${assets}/run.sh ${target} ${assets} ${output}"

package/scanners/veracode-sast/run.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# Parameters:
+# $1 - Path to the source code folder that should be scanned
+# $2 - Path to the assets folder
+# $3 - Path to the output folder where scan results should be stored
+
+# Requirements:
+#
+# Environment variables VERACODE_API_KEY_ID and VERACODE_API_KEY_SECRET must be set:
+# [Veracode Platform](https://docs.veracode.com/r/c_api_credentials3#generate-api-credentials).
+#
+# EXAMPLE:
+# export VERACODE_API_KEY_ID=123456789
+# export VERACODE_API_KEY_SECRET=REDACTED
+# radar scan /path/to/repo
+# (Prefer setting these via your CI/secret manager; avoid typing real secrets into shell history.)
+#
+# Optional:
+#
+# (A) The repo has already been packaged for Veracode as per https://docs.veracode.com/r/compilation_packaging
+#     and stored into a ZIP file somewhere within the repo. Set the environment variable VERACODE_ZIPFILE to the
+#     path/to/repo/veracode-package.zip file, relative to the root folder of the repo.
+#
+# -or-
+#
+# (B) Set the environment variable VERACODE_PACKAGE_CMD to the command that can create the Veracode package ZIP.
+#     We will run the command from the root of the repo. It should create veracode-package.zip and save it into
+#     the root folder of the repo. We will submit this ZIP to Veracode Pipeline SAST scanner for a scan.
+#
+#     Examples:
+#     export VERACODE_PACKAGE_CMD="zip -qr veracode-package.zip lib"
+#     export VERACODE_PACKAGE_CMD="npm run build && zip -qr veracode-package.zip dist"
+#     export VERACODE_PACKAGE_CMD="make && zip -qr veracode-package.zip out"
+#
+# -or-
+#
+# (C) Your project does not need a build step. Omit both VERACODE_ZIPFILE and VERACODE_PACKAGE_CMD. We will
+#     automatically ZIP up the repo, excluding any files referenced in .gitignore, and submit to Veracode Pipeline
+#     SAST scanner for a scan. This is the default action if you don't set VERACODE_ZIPFILE and VERACODE_PACKAGE_CMD.
+#     This is appropriate for interpreted languages (Javascript, Python, etc) that don't need to be compiled.
+
+set -e
+
+if [ "$#" -ne 3 ]; then
+  echo "Usage: $0 <source_dir> <assets_dir> <output_dir>" >&2
+  exit 1
+fi
+
+# Expand relative paths
+if ! APP_DIR="$(cd -- "$1" && pwd)"; then
+  echo "Error: source directory not found: $1" >&2
+  exit 1
+fi
+
+if ! CFG_DIR="$(cd -- "$2" && pwd)"; then
+  echo "Error: assets directory not found: $2" >&2
+  exit 1
+fi
+
+if ! OUT_DIR="$(cd -- "$3" && pwd)"; then
+  echo "Error: output directory not found: $3" >&2
+  exit 1
+fi
+
+# The ghcr.io/eurekadevsecops/radar-veracode-sast image is currently published for linux/amd64 only.
+# On non-amd64 hosts (e.g., Apple Silicon), Docker will use emulation which may be slower.
+docker run --platform linux/amd64 --rm \
+    -v "${APP_DIR}":/opt/eureka/radar/temp/repo \
+    -v "${CFG_DIR}":/opt/eureka/radar/temp/input \
+    -v "${OUT_DIR}":/opt/eureka/radar/temp/output \
+    -e VERACODE_API_KEY_ID="${VERACODE_API_KEY_ID}" \
+    -e VERACODE_API_KEY_SECRET="${VERACODE_API_KEY_SECRET}" \
+    -e VERACODE_ZIPFILE="${VERACODE_ZIPFILE}" \
+    -e VERACODE_PACKAGE_CMD="${VERACODE_PACKAGE_CMD}" \
+    ghcr.io/eurekadevsecops/radar-veracode-sast 2>&1

package/src/commands/scan.js

@@ -6,6 +6,18 @@ const SARIF = require('../util/sarif')
 const runner = require('../util/runner')
 const { DateTime } = require('luxon')
 
+function is_error(threshold) {
+  return is_warning(threshold) || threshold === 'high' || threshold === 'error'
+}
+
+function is_warning(threshold) {
+  return is_note(threshold) || threshold === 'moderate' || threshold === 'warning'
+}
+
+function is_note(threshold) {
+  return threshold === 'low' || threshold === 'note'
+}
+
 module.exports = {
   summary: 'scan for vulnerabilities',
   args: {
@@ -22,11 +34,12 @@ module.exports = {
     { name: 'DEBUG', short: 'd', long: 'debug', type: 'boolean', description: 'log detailed debug info to stdout' },
     { name: 'ESCALATE', short: 'e', long: 'escalate', type: 'string', description: 'severities to treat as high/error' },
     { name: 'FORMAT', short: 'f', long: 'format', type: 'string', description: 'severity format' },
+    { name: 'ID', short: 'i', long: 'id', type: 'string', description: 'scan ID to associate results with' },
     { name: 'LOCAL', short: 'l', long: 'local', type: 'boolean', description: 'local scan (no upload of findings to Eureka)' },
     { name: 'OUTPUT', short: 'o', long: 'output', type: 'string', description: 'output SARIF file' },
     { name: 'QUIET', short: 'q', long: 'quiet', type: 'boolean', description: 'suppress stdout logging' },
     { name: 'SCANNERS', short: 's', long: 'scanners', type: 'string', description: 'list of scanners to use' },
-    { name: 'SCAN_ID', short: 'sid', long: 'scan-id', type: 'string', description: 'existing scan ID to associate results with' }
+    { name: 'THRESHOLD', short: 't', long: 'threshold', type: 'string', description: 'severity threshold for non-zero exit code' }
   ],
   description: `
     Scans a target for vulnerabilities. Defaults to displaying findings on stdout.
@@ -72,36 +85,33 @@ module.exports = {
     Radar CLI from uploading scan findings even when you have 'EUREKA_AGENT_TOKEN' set,
     you can pass the LOCAL option on the command line.
 
+    Use the THRESHOLD option to return a non-zero exit code for severities at or
+    above the threshold. For example, setting THRESHOLD to "high" would result in
+    a non-zero exit code only if high or critical vulnerabilities were found by the
+    scan. Available values are low, moderate, high, and critical - or note, warning,
+    and error if using the SARIF native severity levels.
+
     Exit codes:
-         0 - Clean and successful scan. No errors, warnings, or notes.
+         0 - Clean and successful scan. No vulnerabilities.
          1 - Bad command, arguments, or options. Scan not completed.
-      8-15 - Scan completed with errors, warnings, or notes.
-         9 - Scan completed with errors (no warnings or notes).
-        10 - Scan completed with warnings (no errors or notes).
-        11 - Scan completed with errors and warnings (no notes).
-        12 - Scan completed with notes (no errors or warnings).
-        13 - Scan completed with errors and notes (no warnings).
-        14 - Scan completed with warnings and notes (no errors).
-        15 - Scan completed with errors, warnings, and notes.
+         8 - Scan completed with vulnerabilities (>= THRESHOLD severity, if set).
      >= 16 - Scan aborted due to unexpected error.
   `,
   examples: [
     '$ radar scan ' + '(scan current working directory)'.grey,
     '$ radar scan . ' + '(scan current working directory)'.grey,
+    '$ radar scan /my/repo/dir ' + '(scan target directory)'.grey,
     '$ radar scan --local ' + '(run a local scan / no uploads to Eureka)'.grey,
     '$ radar scan -d' + '(turn debug mode on)'.grey,
     '$ radar scan --debug' + '(turn debug mode on)'.grey,
-    '$ radar scan /my/repo/dir ' + '(scan target directory)'.grey,
     '$ radar scan --output=scan.sarif ' + '(save findings in a file)'.grey,
     '$ radar scan -o scan.sarif /my/repo/dir ' + '(short versions of options)'.grey,
     '$ radar scan -s depscan,opengrep ' + '(use only given scanners)'.grey,
     '$ radar scan -c sca,sast ' + '(use all scanners from given categories)'.grey,
     '$ radar scan -c sca,sast -s all ' + '(use all scanners from given categories)'.grey,
     '$ radar scan -c sast -s opengrep ' + '(use only the opengrep scanner)'.grey,
-    '$ radar scan -f security ' + '(displays findings as high, moderate, and low)'.grey,
-    '$ radar scan -f sarif ' + '(displays findings as error, warning, and note)'.grey,
-    '$ radar scan -e moderate,low ' + '(treat lower severities as high)'.grey,
-    '$ radar scan -f sarif -e warning,note ' + '(treat lower severities as errors)'.grey
+    '$ radar scan -e moderate,low ' + '(treat moderate and low severities as high)'.grey,
+    '$ radar scan -t moderate ' + '(non-zero exit code for severities moderate and higher)'.grey,
   ],
   run: async (toolbox, args, globals) => {
     const { log, scanners: availableScanners, categories: availableCategories, telemetry, git } = toolbox
@@ -135,6 +145,10 @@ module.exports = {
       if (args.FORMAT === 'security' && severity !== 'moderate' && severity !== 'low') throw new Error(`Severity to escalate must be 'moderate' or 'low'`)
       if (args.FORMAT === 'sarif' && severity !== 'warning' && severity !== 'note') throw new Error(`Severity to escalate must be 'warning' or 'note'`)
     })
+    if (args.THRESHOLD) {
+      if (args.FORMAT === 'security' && !['critical', 'high', 'moderate', 'low'].includes(args.THRESHOLD)) throw new Error(`THRESHOLD must be one of 'critical', 'high', 'moderate' or 'low'`)
+      if (args.FORMAT === 'sarif' && !['error', 'warning', 'note'].includes(args.THRESHOLD)) throw new Error(`THRESHOLD must be one of 'error', 'warning' or 'note'`)
+    }
 
     // Derive scan parameters.
     const target = args.TARGET // target to scan
@@ -166,16 +180,17 @@ module.exports = {
     if (metadata.type === 'error') throw new Error(`${metadata.error.code}: ${metadata.error.details}`)
 
     // Send telemetry: scan started.
-    let scanID = args.SCAN_ID ?? undefined
+    let scanID = args.ID ?? undefined
+    let scanURL = undefined
     const timestamp = DateTime.now().toISO()
 
     if (telemetry.enabled && !args.LOCAL) {
-      // TODO: Should pass scanID to the server; not read it from the server.
       try {
         const res = await telemetry.send(`scans/started`, {}, { scanners: scanners.map((s) => s.name), scanID, metadata, timestamp })
         if (!res.ok) throw new Error(`[${res.status}] ${res.statusText}: ${await res.text()}`)
         const data = await res.json()
         scanID = data.scan_id
+        scanURL = data.scan_url
       }
       catch (error) {
         log(`WARNING: Telemetry will be skipped for this scan run: ${error.message}\n`)
@@ -250,15 +265,24 @@ module.exports = {
       SARIF.visualizations.display_totals(summary, args.FORMAT, log, telemetry.enabled && scanID && !args.LOCAL)
     }
 
+    // Display link to scan results in the dashboard.
+    if (telemetry.enabled && scanURL && !args.QUIET) {
+      log(`View scan findings in the Eureka dashboard: ${scanURL}`)
+    }
+
     // Determine the correct exit code.
     let exitCode = 0
     if (!summary.errors.length && !summary.warnings.length && !summary.notes.length) {
+      // No vulnerabilities.
       exitCode = 0
+    } else if (args.THRESHOLD) {
+      // Set the exit code to 8 if there are any vulnerabilities with severities at or above the given threshold.
+      if (is_error(args.THRESHOLD) && summary.errors.length > 0) exitCode = 0x8
+      if (is_warning(args.THRESHOLD) && summary.warnings.length > 0) exitCode = 0x8
+      if (is_note(args.THRESHOLD) && summary.notes.length > 0) exitCode = 0x8
     } else {
+      // Set the exit code to 8 if there are any vulnerabilities.
       exitCode = 0x8
-      if (summary.errors.length > 0) exitCode |= 0x1
-      if (summary.warnings.length > 0) exitCode |= 0x2
-      if (summary.notes.length > 0) exitCode |= 0x4
     }
 
     // Display the exit code.