Fixes and enhancements

.github/workflows/binary-ready-veracode-sast-pipeline-scan.yml

@@ -208,4 +208,4 @@ jobs:
                 -H "Accept: application/vnd.github+json" \
                 https://api.github.com/repos/${{ github.event.client_payload.repository.owner }}/${{ github.event.client_payload.repository.name }}/check-runs/${{ needs.register.outputs.run_id }} \
                 -d @"payload.txt"
-            done
+            done

.github/workflows/binary-ready-veracode-sast-policy-scan.yml

@@ -11,7 +11,13 @@ on:
     types: [binary-ready-veracode-sast-policy-scan]
 
 jobs:
+  cleanup:
+    uses: ./.github/workflows/veracode-clean-up.yml
+    with:
+      runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
+
   register:
+    needs: cleanup
     uses: ./.github/workflows/veracode-check-run.yml
     with:
       check_run_name: ${{ github.workflow }}
@@ -74,7 +80,7 @@ jobs:
           path: ./veracode_artifact_directory
 
       - name: Veracode Upload and Scan Action Step
-        uses: veracode/uploadandscan-action@v0.1.9
+        uses: veracode/uploadandscan-action@v0.2.0
         id: upload_and_scan
         with:
           vid: '${{ secrets.VERACODE_API_ID }}'
@@ -88,6 +94,8 @@ jobs:
           scantimeout: 30
           failbuild: ${{ github.event.client_payload.user_config.break_build_policy_findings }}
           deleteincompletescan: true
+          workflowApp: true
+          debug: ${{ github.event.client_payload.user_config.debug }}
 
       - name: Veracode Policy Results
         id: prepare-results
@@ -176,4 +184,4 @@ jobs:
           repo_owner: ${{ github.event.client_payload.repository.owner }}
           github-token: ${{ github.event.client_payload.token }}
           repo_name: ${{ github.event.client_payload.repository.name }}
-          commitHash: ${{ github.event.client_payload.sha }}
+          commitHash: ${{ github.event.client_payload.sha }}

.github/workflows/binary-ready-veracode-sast-sandbox-scan.yml

@@ -11,7 +11,13 @@ on:
     types: [binary-ready-veracode-sast-sandbox-scan]
 
 jobs:
+  cleanup:
+    uses: ./.github/workflows/veracode-clean-up.yml
+    with:
+      runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
+
   sandbox_scan:
+    needs: cleanup
     runs-on: ${{ fromJSON(github.event.client_payload.user_config.default_runs_on) }}
     steps:
       - name: Download artifact
@@ -26,7 +32,7 @@ jobs:
 
       - name: Veracode Upload and Scan Action Step
         id: upload_and_scan
-        uses: veracode/uploadandscan-action@v0.1.9
+        uses: veracode/uploadandscan-action@v0.2.0
         with:
           appname: ${{ github.event.client_payload.user_config.profile_name }}
           createprofile: true
@@ -39,4 +45,6 @@ jobs:
           sandboxname: GitHub App Scans-${{ github.event.client_payload.repository.branch }}
           # include: ${{ github.event.client_payload.modules_to_scan }}
           failbuild: ${{ github.event.client_payload.user_config.break_build_policy_findings }}
-          deleteincompletescan: true
+          deleteincompletescan: true
+          workflowApp: true
+          debug: ${{ github.event.client_payload.user_config.debug }}

.github/workflows/veracode-build-artifact-for-scanning.yml

@@ -33,6 +33,9 @@ on:
       default_runs_on:
         required: true
         type: string
+      debug:
+        required: false
+        type: string
 
 jobs:
   build:
@@ -49,6 +52,7 @@ jobs:
       bundle_version: ${{ inputs.bundle_version }}
       event_name: ${{ inputs.event_name }}
       default_runs_on: ${{ inputs.default_runs_on }}
+      debug: ${{ inputs.debug }}
 
   build-tsql-package:
     if: ${{ inputs.event_name == 'tsql-pipeline-scan' || inputs.event_name == 'tsql-policy-scan'  || inputs.event_name == 'tsql-sandbox-scan'}}
@@ -84,4 +88,4 @@ jobs:
       repository: ${{ inputs.repository }}
       ref: ${{ inputs.ref }}
       token: ${{ inputs.token }}
-      default_runs_on: ${{ inputs.default_runs_on }}
+      default_runs_on: ${{ inputs.default_runs_on }}

.github/workflows/veracode-check-run.yml

@@ -61,7 +61,7 @@ jobs:
           INPUT_NAME: ${{ inputs.check_run_name }}
           INPUT_HEAD_SHA: ${{ inputs.head_sha }}
           INPUT_DETAILS_URL: "https://github.com/${{ github.repository }}/actions/runs/${{ inputs.run_id }}"
- 
+
       - name: Create metadata
         id: create-metadata-json
         run: |
@@ -79,4 +79,4 @@ jobs:
         uses: actions/upload-artifact@v4
         with:
           name: workflow-metadata
-          path: workflow-metadata.json
+          path: workflow-metadata.json

.github/workflows/veracode-clean-up.yml

@@ -14,7 +14,7 @@ jobs:
         if: contains(runner.os, 'Linux')
         run: |
           echo "Running final cleanup..."
-          sudo rm -rf $GITHUB_WORKSPACE/
+          sudo rm -rf $GITHUB_WORKSPACE/*
 
       - name: Cleanup workspace and Docker - Windows
         if: contains(runner.os, 'Windows')

.github/workflows/veracode-code-analysis.yml

@@ -33,7 +33,13 @@ on:
       - ruby-policy-scan
 
 jobs:
+  cleanup:
+    uses: ./.github/workflows/veracode-clean-up.yml
+    with:
+      runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
+
   register:
+    needs: cleanup
     uses: ./.github/workflows/veracode-check-run.yml
     with:
       check_run_name: ${{ github.workflow }} - ${{ contains(github.event.action, 'policy') && 'Policy' || 'Pipeline' }}
@@ -95,6 +101,7 @@ jobs:
       ruby_version: ${{ github.event.client_payload.user_config.ruby_version }}
       bundle_version: ${{ github.event.client_payload.user_config.bundle_version }}
       default_runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
+      debug: ${{ github.event.client_payload.user_config.debug }}
 
   pipeline_scan:
     # needs the build step before this job will start running
@@ -118,6 +125,7 @@ jobs:
       filter_mitigated_flaws: ${{ github.event.client_payload.user_config.filter_mitigated_flaws }}
       language: ${{ github.event.client_payload.repository.language }}
       default_runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
+      debug: ${{ github.event.client_payload.user_config.debug }}
     secrets: inherit
 
   policy_scan:
@@ -142,4 +150,5 @@ jobs:
       filter_mitigated_flaws: ${{ github.event.client_payload.user_config.filter_mitigated_flaws }}
       language: ${{ github.event.client_payload.repository.language }}
       default_runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
-    secrets: inherit
+      debug: ${{ github.event.client_payload.user_config.debug }}
+    secrets: inherit

.github/workflows/veracode-default-build.yml

@@ -32,6 +32,9 @@ on:
       default_runs_on:
         required: true
         type: string
+      debug:
+        required: false
+        type: string
 
 jobs:
   build-prepare:
@@ -103,7 +106,14 @@ jobs:
             bundle install
             cd ..
           fi
-          veracode package --source source-code --output veracode-artifacts --trust --verbose
+          PACKAGE_CMD="veracode package --source source-code --output veracode-artifacts --trust"
+
+          if [[ "${{ inputs.debug }}" == "true" ]]; then
+            PACKAGE_CMD="$PACKAGE_CMD --verbose"
+          fi
+
+          echo "Running: $PACKAGE_CMD"
+          eval "$PACKAGE_CMD"
 
       # ---------------- Error handler ----------------
       - name: Package error
@@ -185,7 +195,19 @@ jobs:
         run: |
           $working_path = (Get-Location).Path
           "working_dir=$working_path" | Out-File -FilePath $env:GITHUB_OUTPUT -Append -Encoding utf8
-          & $env:VERACODE_CLI package --source source-code --output veracode-artifacts --trust --verbose
+          $packageArgs = @(
+            "package",
+            "--source", "source-code",
+            "--output", "veracode-artifacts",
+            "--trust"
+          )
+
+          if ("${{ inputs.debug }}" -eq "true") {
+            $packageArgs += "--verbose"
+          }
+
+          Write-Host "Running: veracode $($packageArgs -join ' ')"
+          & $env:VERACODE_CLI @packageArgs
 
       # ---------------- Error handler ----------------
       - name: Package error
@@ -198,4 +220,4 @@ jobs:
         with:
           name: veracode-artifact
           path: "${{ steps.application_package_windows.outputs.working_dir }}/veracode-artifacts/*"
-          if-no-files-found: error
+          if-no-files-found: error

.github/workflows/veracode-iac-secrets-scan.yml

@@ -11,7 +11,13 @@ on:
     types: [veracode-iac-secrets-scan]
 
 jobs:
+  cleanup:
+    uses: ./.github/workflows/veracode-clean-up.yml
+    with:
+      runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
+
   register:
+    needs: cleanup
     uses: ./.github/workflows/veracode-check-run.yml
     with:
       check_run_name: ${{ github.workflow }}
@@ -52,22 +58,16 @@ jobs:
           repository: ${{ github.event.client_payload.repository.full_name }}
           ref: ${{ github.event.client_payload.sha }}
           token: ${{ github.event.client_payload.token }}
+
       - name: Run Veracode IaC/Secrets Scanning
-        uses: veracode/container_iac_secrets_scanning@v1.0.6
+        uses: veracode/container_iac_secrets_scanning@v1.0.7
         with:
             vid: ${{ secrets.VERACODE_API_ID }}
             vkey: ${{ secrets.VERACODE_API_KEY }}
             command: "scan" 
             type: "directory"
             source: "./"
             format: "json"
-            debug: false
+            debug: ${{ github.event.client_payload.user_config.debug }}
             fail_build: ${{ github.event.client_payload.user_config.break_build_policy_findings }}
             fail_build_on_error: ${{ github.event.client_payload.user_config.break_build_on_error }}
-
-  cleanup:
-    needs: veracode-iac-secrets-scan
-    if: always()
-    uses: ./.github/workflows/veracode-clean-up.yml
-    with:
-      runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}

.github/workflows/veracode-pipeline-scan.yml

@@ -51,6 +51,9 @@ on:
       default_runs_on:
         required: true
         type: string
+      debug:
+        required: false
+        type: string
 
 jobs:
   prepare_pipeline_scan:
@@ -120,7 +123,7 @@ jobs:
           json_output_file: ${{ strategy.job-index }}-results.json
           filtered_json_output_file: ${{ strategy.job-index }}-filtered_results.json
           artifact_name: ${{ matrix.file }}
-          debug: 1
+          debug: ${{ inputs.debug == true && '1' || '0' }}
           workflow_app: true
 
       - name: Veracode Pipeline Results
@@ -195,11 +198,4 @@ jobs:
                 -H "Accept: application/vnd.github+json" \
                 https://api.github.com/repos/${{ inputs.owner }}/${{ inputs.repo }}/check-runs/${{ inputs.check_run_id }} \
                 -d @"payload.txt"
-            done
-
-  cleanup:
-    needs: update-checks-status
-    if: always()
-    uses: ./.github/workflows/veracode-clean-up.yml
-    with:
-      runs_on: ${{ inputs.default_runs_on }}
+            done

.github/workflows/veracode-policy-scan.yml

@@ -54,6 +54,9 @@ on:
       default_runs_on:
         required: true
         type: string
+      debug:
+        required: false
+        type: string
 
 jobs:
   policy_scan:
@@ -71,14 +74,14 @@ jobs:
           name: veracode-artifact
           path: ./veracode_artifact_directory
 
-      - name: set version
+      - name: Set version
         shell: bash
         run: |
           echo "VERSION=${{ github.run_id }}-$(date +'%Y%m%d-%H%M%S')" >> $GITHUB_ENV
 
       # run the policy scan action
       - name: Veracode Upload and Scan Action Step
-        uses: veracode/uploadandscan-action@v0.1.9
+        uses: veracode/uploadandscan-action@v0.2.0
         id: upload_and_scan
         with:
           appname: ${{ inputs.profile_name }}
@@ -94,6 +97,8 @@ jobs:
           failbuild: ${{ inputs.break_build_policy_findings }}
           gitRepositoryUrl: ${{ github.server_url }}/${{ inputs.source_repository }}
           deleteincompletescan: true
+          workflowApp: true
+          debug: ${{ inputs.debug }}
 
       - name: Veracode Policy Results
         id: prepare-results
@@ -183,10 +188,3 @@ jobs:
           repo_name: ${{ inputs.repo }}
           github-token: ${{ inputs.token }}
           commitHash: ${{ inputs.sha }}
-
-  cleanup:
-    needs: [policy_scan, veracode-remove-sandbox, code-scanning-alert, create-issues]
-    if: always()
-    uses: ./.github/workflows/veracode-clean-up.yml
-    with:
-      runs_on: ${{ inputs.default_runs_on }}

.github/workflows/veracode-remove-sandbox.yml

@@ -50,4 +50,4 @@ jobs:
     if: always()
     uses: ./.github/workflows/veracode-clean-up.yml
     with:
-      runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
+      runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}

.github/workflows/veracode-sandbox-scan.yml

@@ -21,7 +21,13 @@ on:
       - ruby-sandbox-scan
 
 jobs:
+  cleanup:
+    uses: ./.github/workflows/veracode-clean-up.yml
+    with:
+      runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
+
   build:
+    needs: cleanup
     uses: ./.github/workflows/veracode-build-artifact-for-scanning.yml
     with:
       repository: ${{ github.event.client_payload.repository.full_name }}
@@ -53,7 +59,7 @@ jobs:
 
       # run the policy scan action
       - name: Veracode Upload and Scan Action Step
-        uses: veracode/uploadandscan-action@v0.1.9
+        uses: veracode/uploadandscan-action@v0.2.0
         id: upload_and_scan
         with:
           appname: ${{ github.event.client_payload.user_config.profile_name }}
@@ -68,10 +74,5 @@ jobs:
           failbuild: ${{ github.event.client_payload.user_config.break_build_policy_findings }}
           gitRepositoryUrl: ${{ github.server_url }}/${{ github.event.client_payload.repository.full_name }}
           deleteincompletescan: true
-
-  cleanup:
-    needs: sandbox_scan
-    if: always()
-    uses: ./.github/workflows/veracode-clean-up.yml
-    with:
-      runs_on: ${{ github.event.client_payload.user_config.default_runs_on }}
+          workflowApp: true
+          debug: ${{ github.event.client_payload.user_config.debug }}