The latest articles on DEV Community by Shahid Saddique (@shahidsaddique). https://dev.to/shahidsaddique https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3996466%2F259d1627-7592-4189-b92b-b831365b0476.png https://dev.to/shahidsaddique en Shahid Saddique Mon, 22 Jun 2026 08:11:32 +0000 https://dev.to/shahidsaddique/building-a-zero-dependency-python-parser-to-convert-veracode-sast-json-to-html-dashboards-27ke https://dev.to/shahidsaddique/building-a-zero-dependency-python-parser-to-convert-veracode-sast-json-to-html-dashboards-27ke <p>In enterprise DevSecOps pipelines, velocity is everything. While running static application security testing (SAST) tools like Veracode inside containerized CI/CD runners is crucial for catching vulnerabilities early, dealing with the raw artifact data can be a bottleneck. </p> <p>By default, high-velocity pipeline scans output a heavy, nested <code>results.json</code> file. Expecting developers or QA leads to dig through thousands of lines of raw JSON during a broken build step slows down remediation cycles.</p> <p>To solve this, I built a lightweight, zero-dependency Python automation script that parses raw Veracode JSON data and instantly outputs a beautifully styled, responsive Bootstrap 5 HTML reporting dashboard.</p> <blockquote> <p>📊 <strong>Full Engineering Architecture &amp; Implementation Details:</strong> &gt; For the complete step-by-step framework setup, local directory structures, and advanced break-build pipeline rules, check out the full guide on my portfolio:<br><br> <strong><a href="https://shahidsaddique.com/projects/veracode/veracode-pipeline-scan" rel="noopener noreferrer">Veracode SAST Pipeline Scan Automation Guide</a></strong></p> </blockquote> <h2> 🚀 Why Go Zero-Dependency? </h2> <p>When writing automated tasks for ephemeral CI/CD runners (like GitHub Actions, GitLab CI, or Bitbucket Pipelines), minimizing container setup time is critical. </p> <p>Using external libraries like <code>pandas</code> or <code>requests</code> requires a <code>pip install</code> phase. This consumes precious build minutes, requires internet access within isolated runners, and introduces third-party dependency vulnerabilities. </p> <p>This parser uses nothing but Python's built-in <code>json</code> and <code>os</code> libraries, meaning it executes in <strong>milliseconds</strong> on any minimal container base (like Python-slim or Alpine).</p> <h2> 🛠️ The Core Logic Blueprint </h2> <p>The parsing script executes three main tasks:</p> <ol> <li> <strong>Validation &amp; Ingestion:</strong> Safely checks for the existence of the compilation artifact (<code>results.json</code>).</li> <li> <strong>Metrics Aggregation:</strong> Tallies up total vulnerabilities and segments them into priority levels (High/Critical vs. Medium vs. Low) based on Veracode's severity weights.</li> <li> <strong>Semantic HTML Synthesis:</strong> Flushes the parsed findings arrays into an optimized, self-contained Bootstrap 5 table component.</li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> python # Quick snippet showing the data extraction layer total_flaws = len(findings) high_flaws = sum(1 for f in findings if f.get("severity") &gt;= 4) med_flaws = sum(1 for f in findings if f.get("severity") == 3) low_flaws = sum(1 for f in findings if f.get("severity") &lt;= 2) </code></pre> </div> devsecops automation python cicd