
Integrate Static Analysis in your CI/CD with the CLI

You can integrate the Veracode CLI with your CI/CD pipelines to identify security flaws as part of the software development process.

You add a job to your pipeline that runs the static scan command. This command causes the job to fail if the analysis finds flaws that match your specified criteria.

Getting started

Locate a project you want to scan and ensure it meets the packaging requirements. If you do not have a project to scan, Veracode provides the demo applications VeraDemoDotNet and VeraDemo on GitHub that you can use for testing purposes.

To get started using static analysis scanning in a pipeline, follow these steps:

1. Get API credentials

Before you use the following examples, you need working Veracode API credentials. After generating the credentials, configure them for the CLI. The examples below pass them as environment variables, but you can use a configuration file as well. Veracode recommends that you store the credentials as secrets or masked variables, depending on your CI/CD platform, rather than writing them into the pipeline definition.

2. Build your code

Before you can scan, you must build and package your code. See the packaging requirements to determine the necessary steps. Then, in your pipeline, add a stage for the build process and pass the build artifacts to the scan job.

3. Scan your code

Before you can run a scan, you must install the CLI.

Then run a scan:

./veracode static scan <source> [flags]

You use flags to configure the scan. For example, you can add a flag to fail the job when the scan finds flaws. For the list of flags, see the static scan command.

Examples

The following examples show how to set up a static analysis scan job for common CI/CD platforms:

Azure DevOps

trigger:
  - main
pool:
  vmImage: "ubuntu-latest"
steps:
  - script: echo "build here"  # replace with your build steps
  - task: CmdLine@2
    displayName: Veracode static scan
    inputs:
      script: |
        curl -fsS https://tools.veracode.com/veracode-cli/install | sh
        ./veracode static scan verademo.war
    env:
      # secret pipeline variables are not exposed to scripts unless mapped explicitly
      VERACODE_API_KEY_ID: $(myVeracodeId)
      VERACODE_API_KEY_SECRET: $(myVeracodeSecret)

GitHub

name: static-scan
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "build here"  # replace with your build steps
  static-scan:
    runs-on: ubuntu-latest
    needs: build  # run after the build job so its artifacts are available
    steps:
      - name: Download Veracode CLI
        uses: wei/curl@master
        with:
          args: -fsS https://tools.veracode.com/veracode-cli/install | sh
      - name: Run a static scan
        run: ./veracode static scan verademo.war
        env:
          VERACODE_API_KEY_ID: ${{ secrets.myVeracodeId }}
          VERACODE_API_KEY_SECRET: ${{ secrets.myVeracodeSecret }}

GitLab

image: ubuntu:latest
stages:
  - build
  - scan
build_job:
  stage: build
  script:
    - echo "build here"  # replace with your build steps
static_scan:
  stage: scan
  dependencies:
    - build_job
  script:
    - curl -fsS https://tools.veracode.com/veracode-cli/install | sh
    - ./veracode static scan verademo.war
  variables:
    # myVeracodeId and myVeracodeSecret are masked CI/CD variables of the project
    VERACODE_API_KEY_ID: ${myVeracodeId}
    VERACODE_API_KEY_SECRET: ${myVeracodeSecret}

Jenkins

pipeline {
  agent { label 'ubuntu-latest' }  // use a label that matches one of your agents
  environment {
    // read the API credentials from the Jenkins credentials store
    // (single-quoted '${...}' strings are not expanded by Groovy)
    VERACODE_API_KEY_ID = credentials('myVeracodeId')
    VERACODE_API_KEY_SECRET = credentials('myVeracodeSecret')
  }
  stages {
    stage('Build') {
      steps {
        echo 'build here'  // replace with your build steps
      }
    }
    stage('Veracode static scan') {
      steps {
        sh 'curl -fsS https://tools.veracode.com/veracode-cli/install | sh'
        sh './veracode static scan verademo.war'
      }
    }
  }
}

Configure GitLab to generate issues

To use the --gl-issue-generation flag with the veracode static scan command to automatically generate issues in GitLab from discovered flaws, you must create a GitLab access token. For Java applications, you must also add environment variables in GitLab for the base directories.

Create an access token

To enable the Veracode CLI to generate GitLab issues from discovered flaws, create a GitLab access token and add it as an environment variable in your GitLab project.

To complete this task:

  1. Select Edit Profile > Access Tokens > Create personal access token.
  2. Ensure that the token has a scope of api. See the GitLab documentation.
  3. Select Settings > CI/CD > Variables and store the token you created as an environment variable named PRIVATE_TOKEN.

Add environment variables for Java applications

To use the --gl-issue-generation flag to generate issues for Java applications, add environment variables for the GitLab base directories.

To complete this task:

  1. In GitLab, go to your project and select Settings > CI/CD > Variables.
  2. Add the following environment variables:
    • SRC_ROOT: the filepath typically is /src/main/java/.
    • JSP_ROOT: the filepath typically is /src/main/webapp/.

Add a GITLAB_URL variable for custom domains

To use the --gl-issue-generation flag with a custom domain, in your project, add a GITLAB_URL CI/CD variable for the base URL. For example:

GITLAB_URL=https://{CUSTOM_URL}/api/v4/projects/

The default value, used when GITLAB_URL is not set, is https://gitlab.com/api/v4/projects/
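The following .gitlab-ci.yml ties the three GitLab tasks above together for a Java web application. It is an added example, not configuration from the Veracode documentation, and it assumes a Maven build that produces target/verademo.war, the Maven container image named below, and masked CI/CD variables myVeracodeId, myVeracodeSecret and PRIVATE_TOKEN defined under Settings > CI/CD > Variables.

```yaml
# Added example (not from the Veracode docs): GitLab pipeline for a Java web
# application that creates GitLab issues from flaws found by the static scan.
# Assumptions: Maven build producing target/verademo.war; masked CI/CD variables
# myVeracodeId, myVeracodeSecret and PRIVATE_TOKEN (token scope: api).
image: ubuntu:latest

stages:
  - build
  - scan

variables:
  # base directories the CLI uses to map Java flaws back to source files
  SRC_ROOT: /src/main/java/
  JSP_ROOT: /src/main/webapp/
  # only needed for a self-managed instance; the default is gitlab.com
  # GITLAB_URL: https://gitlab.example.com/api/v4/projects/

build_job:
  stage: build
  image: maven:3-eclipse-temurin-17  # assumed build image
  script:
    - mvn -B package
  artifacts:
    paths:
      - target/verademo.war
    expire_in: 1 day

static_scan:
  stage: scan
  needs:
    - build_job  # also downloads the WAR artifact
  before_script:
    - apt-get update && apt-get install -y curl
    - curl -fsS https://tools.veracode.com/veracode-cli/install | sh
  script:
    # --gl-issue-generation reads PRIVATE_TOKEN (and GITLAB_URL, if set)
    # from the environment to open one issue per discovered flaw
    - ./veracode static scan target/verademo.war --gl-issue-generation
  variables:
    VERACODE_API_KEY_ID: ${myVeracodeId}
    VERACODE_API_KEY_SECRET: ${myVeracodeSecret}
```

Keep PRIVATE_TOKEN masked and scoped to protected branches if possible, since it carries the api scope for the project.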