
Add integration tests, security/QAT workflows, and SDK framework README #3

Open
bnreplah wants to merge 3 commits into main from claude/veracode-sdk-framework-488tC

Conversation

@bnreplah (Owner)
  • tests/unit/: 55 unit tests for email validation, schedule helpers, CSV parsing
  • tests/integration/: 71 integration tests covering DAST request script, blacklist
    script, bash syntax validation, shellcheck, XML API scripts, and live API
    connectivity (credential-gated)
  • tests/fixtures/: allowlist, blacklist, glblacklist CSV fixtures for test runs
  • pytest.ini, requirements-test.txt: test runner configuration
  • .github/workflows/integration-tests.yml: unit + integration + shell + API tests,
    split into jobs with artifact uploads and optional live API job on main
  • .github/workflows/security-scan.yml: Bandit, ShellCheck, Gitleaks, pip-audit,
    Semgrep, and credentials-file checker; scheduled weekly
  • .github/workflows/qat.yml: flake8, ShellCheck lint, JSON/YAML validation,
    PSScriptAnalyzer on Windows, full test suite with result publishing
  • README.md: rewritten with badge table, SDK framework overview, API reference,
    quick-start, test docs, and secrets guide
  • .gitignore: excludes __pycache__, credentials, test artifacts, coverage files

https://claude.ai/code/session_015pBhzcxzBhLcAujgXrwsaz

@github-actions
github-actions Bot commented Apr 10, 2026

QAT Test Results

173 tests   163 ✅  2s ⏱️
  1 suites    0 💤
  1 files     10 ❌

For more details on these failures, see this check.

Results for commit 3ea7ca5.

♻️ This comment has been updated with latest results.

claude added 2 commits June 10, 2026 17:48
templates/workflows/ — copy any file to .github/workflows/ in a target repo:
  - pipeline-scan.yml         fast SAST inline scan, every PR
  - policy-scan-sast.yml      full policy scan, main/release branches
  - sandbox-scan-promote.yml  feature branch sandbox + promote on merge
  - sca-agent-scan.yml        SCA dependency scan via srcclr agent
  - dast-web-scan.yml         DAST dynamic scan via DASTWebAppRequest-std.py
  - container-scan.yml        Docker image scan via Veracode CLI or action
  - all-scans-devops.yml      full DevSecOps pipeline (build → all scans → summary)
  - by-language/java-maven.yml
  - by-language/java-gradle.yml
  - by-language/nodejs.yml
  - by-language/python.yml
  - by-language/dotnet.yml
  - by-language/go.yml

.github/workflows/ — reusable/callable workflows (any repo can call these):
  - reusable-pipeline-scan.yml   workflow_call with inputs, secrets, outputs
  - reusable-policy-scan.yml     workflow_call supporting sandbox or policy mode

All templates include CUSTOMIZE/TODO markers, secrets documentation,
packaging notes per language, and inline option comments (e.g. Action vs
Java wrapper, binary vs source zip for Go).

https://claude.ai/code/session_015pBhzcxzBhLcAujgXrwsaz

Scripts/AIAnalysis/ — a pipeline that correlates findings across Veracode
scan types (SAST/DAST/SCA/container), validates them with a panel of Claude
models to reduce false positives, and chains related findings into risk paths.

Prepared for Mythos and future frontier models:
- models.json registry drives all model selection by role
  (triage/validate/deep-validate/correlate/chain/second-opinion). Enabling
  Claude Mythos 5 or a later model is a one-line config edit — no code change.
- providers.py shapes each request per model family: adaptive thinking for
  Opus/Sonnet, thinking omitted for Fable/Mythos (always-on), and server-side
  refusal fallbacks when a fallback_model is set. A not-yet-served model (404)
  is disabled for the run so the pipeline degrades gracefully.
- hooks.py exposes 9 operational hook points (pre_ingest ... report) so
  external tooling or a frontier model running alongside can observe/transform
  data at each stage without touching pipeline code.

Analysis capabilities:
- Deterministic cross-scan correlation (offline, stdlib-only, CI-safe):
  cross-layer CWE confirmation (SAST+DAST reachable), common flaw sources,
  shared CVE (SCA+container), dependency-usage links.
- Multi-model consensus FP validation (adversarial refute framing + quorum).
- Model-assisted risk chaining with combined severity, remediation order, and
  directed security-training recommendations.
- Structured outputs via output_config.format (json_schema) throughout.

Tests: 47 new tests (config/findings/correlation/hooks unit + pipeline
integration with a MockProvider, no API key needed). Full suite 163 passing.
Adds AIAnalysis flake8 job to the QAT workflow and documents the layer in the
READMEs.

https://claude.ai/code/session_015pBhzcxzBhLcAujgXrwsaz
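An added illustration of the deterministic, stdlib-only correlation layer the commit above describes (cross-layer CWE confirmation, shared CVE between SCA and container scans, common flaw sources); this is not the repository's AIAnalysis code, and the `Finding` shape, its field names and the sample findings are assumptions:

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Finding:                      # normalized shape shared by all scan types
    scan: str                       # "sast", "dast", "sca" or "container"
    fid: str                        # finding id within its own scan report
    cwe: Optional[str] = None       # SAST/DAST weakness class
    cve: Optional[str] = None       # SCA/container vulnerable component
    source: Optional[str] = None    # SAST only: taint source as "file:line"

def correlate(findings):
    """Stdlib-only join across scans; no model call, so it is CI-reproducible."""
    by_scan_cwe = defaultdict(set)  # (scan, cwe) -> finding ids
    by_cve = defaultdict(set)       # cve -> {(scan, id)}
    by_source = defaultdict(set)    # taint source -> SAST finding ids
    for f in findings:
        if f.cwe:
            by_scan_cwe[(f.scan, f.cwe)].add(f.fid)
        if f.cve:
            by_cve[f.cve].add((f.scan, f.fid))
        if f.scan == "sast" and f.source:
            by_source[f.source].add(f.fid)
    out = {"confirmed_reachable": {}, "shared_cve": {}, "common_source": {}}
    # Same CWE found statically and exercised dynamically: the SAST flaw is
    # reachable from outside, so it is prioritized rather than re-triaged.
    for (scan, cwe), ids in by_scan_cwe.items():
        if scan == "sast" and (dast_ids := by_scan_cwe.get(("dast", cwe))):
            out["confirmed_reachable"][cwe] = {"sast": sorted(ids),
                                               "dast": sorted(dast_ids)}
    # Same CVE in the manifest and in the shipped image: one bump closes both.
    for cve, members in by_cve.items():
        if {"sca", "container"} <= {scan for scan, _ in members}:
            out["shared_cve"][cve] = sorted(members)
    # Several SAST flaws fed by one taint source: validate input once, there.
    for src, ids in by_source.items():
        if len(ids) > 1:
            out["common_source"][src] = sorted(ids)
    return out

# Constructed sample report; the CVE id is a placeholder, not a real CVE.
SAMPLE_FINDINGS = [
    Finding("sast", "S1", cwe="CWE-89", source="app/views.py:42"),
    Finding("sast", "S2", cwe="CWE-79", source="app/views.py:42"),
    Finding("sast", "S3", cwe="CWE-22", source="app/files.py:10"),
    Finding("dast", "D1", cwe="CWE-89"),
    Finding("sca", "C1", cve="CVE-0000-00001"),
    Finding("container", "K1", cve="CVE-0000-00001"),
]
```

Because every rule is a plain set join with sorted output, the same input always yields the same groups, which is what makes the pass safe to run in CI before any model-assisted validation.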

2 participants