Veracode and SonarCloud access

[Ruskyy]

Please report undisclosed or confidential vulnerabilities here: https://www.eclipse.org/security/

Topics (Please mark an [x] to your Topic):

• [ ] KICS
• [ ] Invicti
• [ ] GitGuardian
• [ ] Pentesting
• [ ] Security assessment (threat modeling, code reviews)
• [ ] Trivy
• [X] Veracode (initial setup, GitHub integration)
• [X] Other

Would like to request acess, to Sonarcloud and the configuration of Veracode, for the following repos: tx-demand-capacity-mgmt-frontend tx-demand-capacity-mgmt-backend Followup: https://github.com/eclipse-tractusx/sig-infra/issues/31

[scherersebastian]

Hi @Ruskyy , happy to help. In order to create your projects, I need a Veracode user.

Do you already have a Veracode user or one of your teammates? If no, i need your name in order for me to create one. If you don't want to post your "real" name, you can also share the link to your CX Confluence user profile.

We do not support Sonarcloud. Please create an issue for the system team.

[Ruskyy]

hi, currently neither me or my teammates have a Veracode user, my Confluence profile is as follows: https://confluence.catena-x.net/display/~sergio.figueiredo@cgi.com

[scherersebastian]

I will create your account and Veracode projects. You will receive an email.

[Ruskyy]

Hi, i received it and tested access. How can i set up the VERACODE_API_KEY and VERACODE_API_ID on my secrets ?

[scherersebastian]

They are configured as GitHub organization secrets, means they are aleady configured. All workflows have access to them. See action config files: https://catenax-ng.github.io/docs/security/how-to-integrate-veracode