Veracode boosts package firewall to block malicious code
Veracode has added new controls and developer integrations to its application risk management platform, with an emphasis on blocking malicious software packages before they reach development environments.
The company said the update includes Package Firewall enhancements and wider platform changes across static analysis, software composition analysis and dynamic application security testing. Veracode cited a rise in software supply chain incidents and a growing proportion of breaches linked to third parties.
Supply chain security has become a priority for software teams that rely on open-source and third-party components. Attackers have increasingly targeted package registries and developer tooling, including by publishing malicious packages that can be pulled into builds.
Package controls
Veracode positioned Package Firewall as a preventive layer for software supply chains. The product focuses on screening packages at the point they enter a development environment, rather than only identifying known issues after a component has already been adopted.
Veracode said Package Firewall now integrates with Azure Artifacts. It also supports integrations with package managers and repositories including NPM, PyPI, Maven, Nexus and Artifactory.
The company also highlighted policy configuration for organisations that want to set internal standards for package use. Veracode said teams can configure rules based on risk profiles, vulnerability thresholds and other security requirements.
Tim Jarrett, Vice President of Product at Veracode, said the increase in development complexity has changed the demands on security and engineering teams.
"The growing attack surface has created an unprecedented level of complexity for security and development teams," said Jarrett. "The latest enhancements to our platform empower organizations to stop third-party risk from ever entering their software code, providing them with a prevention-first approach."
Testing updates
Veracode also described changes across its testing products. The company said recent releases improved detection accuracy, and it listed additions across DAST, SCA and static analysis.
For Dynamic Application Security Testing, Veracode said DAST Essentials gained manual application linking. The company said this allows policy evaluation and consolidated reporting.
For Software Composition Analysis, Veracode said it added "intelligent policies" that fail builds only when fixes are available for vulnerable components. The company described the change as a way to reduce disruption during development workflows.
Veracode also said it expanded Static Analysis support for newer frameworks and runtimes. It listed .NET Semantic Kernel, AWS Glue and FastAPI for Python, Java JDK 25 (LTS) and Node.js 22.x.
Developer tools
The update also included changes to integrations that connect security findings into developer environments. Veracode cited updates for Visual Studio, JetBrains, Azure DevOps and GitHub.
Separately, Veracode said it expanded Veracode Security Labs content. The company said new modules cover container security and the latest OWASP Top 10.
Access control
Veracode also announced changes in authentication and access control for developer tools. The company said it added deeper role-based access control to Veracode Risk Manager.
It also said it introduced OAuth-based single sign-on across its integrated development environment plugin portfolio. Veracode listed Visual Studio Code, Visual Studio, Eclipse and JetBrains platforms.
The company said the move removes the need for API key management and centralises access control for these plugins.
Jarrett said Veracode focused on changes that reflect customer feedback across 2025.
"Our mission is to empower organizations to enhance their security posture, bridge critical skills gaps, and accelerate remediation, all within a unified, integrated platform. By listening closely to our customers, we continuously evolved Veracode's platform in 2025 to meet their needs, enabling them to drive faster, more secure DevSecOps practices," said Jarrett.