@eurekadevsecops/radar 1.9.8 → 1.11.0

package/.config/release-please/manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "1.9.8"
+  ".": "1.11.0"
 }

package/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## [1.11.0](https://github.com/EurekaDevSecOps/radarctl/compare/v1.10.0...v1.11.0) (2026-02-27)
+
+
+### Improvements
+
+* Add support for Veracode Pipeline (SAST) scanner ([#2](https://github.com/EurekaDevSecOps/radarctl/issues/2)) ([bf7f04b](https://github.com/EurekaDevSecOps/radarctl/commit/bf7f04b4fd8bfc5fd3e13b25365809209db80cec))
+
+## [1.10.0](https://github.com/EurekaDevSecOps/radarctl/compare/v1.9.8...v1.10.0) (2026-02-25)
+
+
+### Improvements
+
+* **PE-961:** Job path from Managed Scan runner being included in vulnerability results ([#63](https://github.com/EurekaDevSecOps/radarctl/issues/63)) ([f014598](https://github.com/EurekaDevSecOps/radarctl/commit/f0145985152b4d5cb5af7d10de7981777ce40ce4))
+
 ## [1.9.8](https://github.com/EurekaDevSecOps/radarctl/compare/v1.9.7...v1.9.8) (2026-02-19)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eurekadevsecops/radar",
-  "version": "1.9.8",
+  "version": "1.11.0",
   "description": "Radar is an open-source orchestrator of security scanners.",
   "homepage": "https://www.eurekadevsecops.com/radar",
   "keywords": [

package/scanners/veracode-pipeline/about.toml

@@ -0,0 +1,5 @@
+name = "veracode-pipeline"
+title = "Veracode Pipeline"
+description = "Identify application security findings in source code. Requires Veracode API key."
+categories = [ "SAST" ]
+cmd = "${assets}/run.sh ${target} ${assets} ${output}"

package/scanners/veracode-pipeline/run.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+# Parameters:
+# $1 - Path to the source code folder that should be scanned
+# $2 - Path to the assets folder
+# $3 - Path to the output folder where scan results should be stored
+
+# Requirements:
+#
+# Environment variables VERACODE_API_KEY_ID and VERACODE_API_KEY_SECRET must be set:
+# [Veracode Platform](https://docs.veracode.com/r/c_api_credentials3#generate-api-credentials).
+#
+# EXAMPLE:
+# $ VERACODE_API_KEY_ID=123456789 VERACODE_API_KEY_SECRET=a1b2c3d4e5f6 radar scan /path/to/repo
+#
+# Optional:
+#
+# (A) The repo has already been packaged for Veracode as per https://docs.veracode.com/r/compilation_packaging
+#     and stored into a ZIP file somewhere within the repo. Set the environment variable VERACODE_ZIPFILE to the
+#     path/to/repo/veracode-package.zip file, relative to the root folder of the repo.
+#
+# -or-
+#
+# (B) Set the environment variable VERACODE_PACKAGE_CMD to the command that can create the Veracode package ZIP.
+#     We will run the command from the root of the repo. It should create veracode-package.zip and save it into
+#     the root folder of the repo. We will and submit this ZIP to Veracode Pipeline for a scan.
+#
+#     Examples:
+#     export VERACODE_PACKAGE_CMD="zip -qr veracode-package.zip lib"
+#     export VERACODE_PACKAGE_CMD="npm run build && zip -qr veracode-package.zip dist"
+#     export VERACODE_PACKAGE_CMD="make && zip -qr veracode-package.zip out"
+#
+# -or-
+#
+# (C) Your project does not need a build step. Omit both VERACODE_ZIPFILE and VERACODE_PACKAGE_CMD. We will
+#     automatically ZIP up the repo, excluding any files referenced in .gitignore, and submit to Veracode Pipeline
+#     for a scan. This is the default action if you don't set VERACODE_ZIPFILE and VERACODE_PACKAGE_CMD.
+#     This is appropriate for interpreted languages (Javascript, Python, etc) that don't need to be compiled.
+
+set -e
+
+# Expand relative paths
+APP_DIR=$(cd $1; pwd)
+CFG_DIR=$(cd $2; pwd)
+OUT_DIR=$(cd $3; pwd)
+
+# Veracode Pipeline only supports linux/amd64.
+docker run --platform linux/amd64 --rm \
+    -v "${APP_DIR}":/opt/eureka/radar/temp/repo \
+    -v "${CFG_DIR}":/opt/eureka/radar/temp/input \
+    -v "${OUT_DIR}":/opt/eureka/radar/temp/output \
+    -e VERACODE_API_KEY_ID="${VERACODE_API_KEY_ID}" \
+    -e VERACODE_API_KEY_SECRET="${VERACODE_API_KEY_SECRET}" \
+    -e VERACODE_ZIPFILE="${VERACODE_ZIPFILE}" \
+    -e VERACODE_PACKAGE_CMD="${VERACODE_PACKAGE_CMD}" \
+    ghcr.io/eurekadevsecops/radar-veracode-pipeline 2>&1

package/src/util/sarif/transforms/normalize.js

@@ -1,5 +1,9 @@
 const path = require('node:path')
 module.exports = (sarif, dir, git, root) => {
+  // Pattern matches managed scanner temporary job directories:
+  // Format: /app/jobs/{uuid}/repo-{timestamp}/
+  // Example: /app/jobs/830f53a2-5f0c-4565-a262-607dfcd4d5e1/repo-1771653645/
+  const MANAGED_SCANNER_JOB_PREFIX = /^\/app\/jobs\/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\/repo-\d+\//
   // Normalize findings.
   for (const run of sarif.runs) {
 
@@ -19,8 +23,14 @@ module.exports = (sarif, dir, git, root) => {
     // (or if the root is not available then to the scan directory)
     if (!run.results) continue
     for (const result of run.results) {
-      for (const location of result.locations) {
-        if (location.physicalLocation?.artifactLocation?.uri?.startsWith('/app')) {
+      for (const location of result.locations) {    
+        if (location.physicalLocation?.artifactLocation?.uri?.match(MANAGED_SCANNER_JOB_PREFIX)) {
+          let file = location.physicalLocation.artifactLocation.uri.replace(MANAGED_SCANNER_JOB_PREFIX, '')
+          if (subfolder) file = path.join(subfolder, file)
+          if (result?.message?.text) result.message.text = result.message.text.replace(location.physicalLocation.artifactLocation.uri, file)
+          location.physicalLocation.artifactLocation.uri = file
+        }
+        else if (location.physicalLocation?.artifactLocation?.uri?.startsWith('/app')) {
           let file = path.join(subfolder, path.relative('/app', location.physicalLocation.artifactLocation.uri))
           if (result?.message?.text) result.message.text = result.message.text.replace(location.physicalLocation.artifactLocation.uri, file)
           location.physicalLocation.artifactLocation.uri = file