|
| 1 | +# Veracode AI Analysis Layer |
| 2 | + |
| 3 | +A model-agnostic pipeline that sits on top of the Veracode scripts and adds |
| 4 | +**cross-scan correlation**, **AI-assisted false-positive reduction**, and |
| 5 | +**risk chaining** using one or more Claude models. |
| 6 | + |
| 7 | +It is built so that **Claude Mythos 5 and future frontier models can be |
| 8 | +switched on with a config edit** — no code changes — to validate and feed |
| 9 | +into the results, reduce false positives, and surface a deeper breadth of |
| 10 | +chained findings. |
| 11 | + |
| 12 | +--- |
| 13 | + |
| 14 | +## What it does |
| 15 | + |
| 16 | +``` |
| 17 | + Veracode scans AI Analysis Layer Output |
| 18 | +┌──────────────┐ normalize ┌────────────────────────────┐ ┌──────────────┐ |
| 19 | +│ SAST (STATIC)│──────────────▶│ 1. Correlate (deterministic)│ │ risk chains │ |
| 20 | +│ DAST │ │ 2. Validate (model panel) │──▶│ FP verdicts │ |
| 21 | +│ SCA │ │ 3. Chain (model) │ │ correlations │ |
| 22 | +│ Container │ └────────────────────────────┘ └──────────────┘ |
| 23 | +└──────────────┘ driven entirely by models.json |
| 24 | +``` |
| 25 | + |
| 26 | +1. **Normalize** every scan type into one `UnifiedFinding` shape. |
| 27 | +2. **Correlate** (offline, rule-based — runs in CI with no API key): |
| 28 | + - **cross-layer confirmation** — same CWE found by SAST *and* DAST (present in code *and* reachable at runtime) |
| 29 | + - **common flaw source** — static findings sharing a data-path source (fix once, remediate many) |
| 30 | + - **shared CVE** — the same CVE in both SCA and container scans (confirmed in the deployed artifact) |
| 31 | + - **dependency usage** — a vulnerable SCA component referenced by first-party flawed code |
| 32 | +3. **Validate** — every enabled validator model independently tries to *refute* |
| 33 | + each finding; a consensus quorum decides confirmed vs. likely-false-positive. |
| 34 | +4. **Chain** — a chain-role model composes correlated findings into ordered |
| 35 | + attack paths with combined severity, remediation order, and a recommended |
| 36 | + security-training topic. |
| 37 | + |
| 38 | +--- |
| 39 | + |
| 40 | +## Onboarding a new frontier model (Mythos / next model) |
| 41 | + |
| 42 | +Edit [`models.json`](models.json) — set `"enabled": true`. That's the whole change. |
| 43 | + |
| 44 | +```jsonc |
| 45 | +"mythos": { |
| 46 | + "id": "claude-mythos-5", |
| 47 | + "enabled": true, // ← flip this on |
| 48 | + "thinking": "omit", // Fable/Mythos: thinking always on, send no config |
| 49 | + "effort": "xhigh", |
| 50 | + "max_tokens": 16000, |
| 51 | + "fallback_model": "claude-opus-4-8", // refusal fallback via server-side beta |
| 52 | + "roles": ["deep-validate", "chain", "second-opinion"] |
| 53 | +} |
| 54 | +``` |
| 55 | + |
| 56 | +The new model immediately: |
| 57 | +- joins the **validator panel** (a `deep-validate` vote runs alongside the existing votes), |
| 58 | +- runs in the **chain stage** (its chains are tagged with its model id so you can compare), |
| 59 | +- and requests are shaped correctly for its family (adaptive thinking vs. omit, |
| 60 | + effort level, server-side refusal fallback). |
| 61 | + |
| 62 | +A model that isn't served yet (404) is disabled for that run and the pipeline |
| 63 | +degrades gracefully — so you can enable a registry entry ahead of GA without |
| 64 | +breaking CI. |
| 65 | + |
| 66 | +**Roles**: `triage`, `validate`, `deep-validate`, `correlate`, `chain`, `second-opinion`. |
| 67 | + |
| 68 | +--- |
| 69 | + |
| 70 | +## Operational hooks |
| 71 | + |
| 72 | +Every stage fires a hook so external tooling — including a future frontier |
| 73 | +model running *alongside* the pipeline — can observe or transform the data |
| 74 | +without editing pipeline code: |
| 75 | + |
| 76 | +```python |
| 77 | +from veracode_ai.hooks import hooks |
| 78 | + |
| 79 | +@hooks.register("post_validate") |
| 80 | +def route_low_confidence(payload): |
| 81 | + # payload = {"finding": ..., "verdict": ..., "votes": [...]} |
| 82 | + # e.g. send split-vote findings to a frontier model for a second opinion |
| 83 | + return payload |
| 84 | +``` |
| 85 | + |
| 86 | +Hook points, in order: `pre_ingest`, `post_normalize`, `pre_correlate`, |
| 87 | +`post_correlate`, `pre_validate`, `post_validate`, `pre_chain`, `post_chain`, |
| 88 | +`report`. |
| 89 | + |
| 90 | +--- |
| 91 | + |
| 92 | +## Usage |
| 93 | + |
| 94 | +```bash |
| 95 | +# Offline correlation only — no API key, CI-safe |
| 96 | +python analyze.py --rest findings.json --offline -o report.json |
| 97 | + |
| 98 | +# Full pipeline: correlate + FP-reduce + risk-chain |
| 99 | +export ANTHROPIC_API_KEY=... |
| 100 | +python analyze.py \ |
| 101 | + --rest findings.json \ |
| 102 | + --container image-scan.json \ |
| 103 | + -o report.json |
| 104 | + |
| 105 | +# Show the enabled model roster |
| 106 | +python analyze.py --print-models |
| 107 | +``` |
| 108 | + |
| 109 | +`--rest` takes a Veracode REST Findings API response |
| 110 | +(`GET /appsec/v2/applications/{guid}/findings`, any scan type). `--container` |
| 111 | +takes Veracode CLI container scan JSON. |
| 112 | + |
| 113 | +### As a library |
| 114 | + |
| 115 | +```python |
| 116 | +from veracode_ai import load_registry |
| 117 | +from veracode_ai.pipeline import Pipeline |
| 118 | +from veracode_ai.providers import Provider |
| 119 | + |
| 120 | +pipeline = Pipeline(registry=load_registry(), provider=Provider()) |
| 121 | +report = pipeline.analyze({"rest": "findings.json", "container": "image.json"}) |
| 122 | +``` |
| 123 | + |
| 124 | +--- |
| 125 | + |
| 126 | +## Design notes |
| 127 | + |
| 128 | +- **Model-agnostic**: no model id is hard-coded in the pipeline; everything |
| 129 | + comes from `models.json` via the registry. |
| 130 | +- **Structured outputs**: every model call uses `output_config.format` |
| 131 | + (`json_schema`), so responses are guaranteed-parseable — no fragile text scraping. |
| 132 | +- **Family-aware requests**: `providers.py` sends `thinking={"type":"adaptive"}` |
| 133 | + for Opus/Sonnet, omits `thinking` entirely for Fable/Mythos (where it's always |
| 134 | + on), and attaches server-side refusal fallbacks when a `fallback_model` is set. |
| 135 | +- **Adversarial validation**: validators are prompted to *refute* findings, and |
| 136 | + a finding only becomes a likely-FP on a quorum — biased toward not silently |
| 137 | + dropping real bugs. |
| 138 | +- **Offline-first**: correlation needs only the standard library, so it runs in |
| 139 | + every CI job; the model stages are additive. |
| 140 | + |
| 141 | +Requirements: `pip install -r requirements.txt` (only needed for the |
| 142 | +validate/chain stages; correlation is stdlib-only). |
0 commit comments