
veracode package

Packages project code as an artifact for Veracode Static Analysis.

Syntax

./veracode package [flags]

Flags

Flag | Description
-d, --debug | Display verbose output.
-h, --help | Return help content for veracode package.
-o, --output string | Output directory in which to place the output artifact file on your local system. Default is the current working directory.
-s, --source string | Location of the source to package, interpreted according to the target --type. If the target is directory, enter the path to a local directory. If the target is repo, enter the URL of a Git repository. For a repository URL, the package command clones the repository into a temporary directory on the local file system, packages the code from that clone, and then deletes the clone after packaging.
-a, --trust | Skip the trust prompt and treat the source as trusted. Use this flag only for code whose authors you have already vetted, for example in a non-interactive CI job.
-t, --type string | Target type you want to package. Values are repo or directory. Default is directory.

Examples

To package the project in the current working directory, which you have already vetted, and place the output in that same directory, run:

./veracode package --trust

To package a local directory and place the output in a different directory, run:

./veracode package --source path/to/project --output path/to/output/dir

The first time you run the command on a project, the CLI prompts you to acknowledge that you trust the authors of the project. To package a GitHub repository that you trust, without the prompt, and place the output in the current directory, run:

./veracode package --source https://github.com/veracode/verademo --type repo --trust

How this command improves packaging

When you package your code manually, some languages require you to compile the code or to run build tools or scripts. Compiling or running a project's build scripts executes that project's code, including its build tooling and any dependencies it pulls in, so packaging unfamiliar or untrusted code can expose the packaging machine to malicious code execution and exploits.

The package command adds a layer of protection, particularly when you are working with unfamiliar code, by refusing to run the packager until you explicitly grant it permission. To grant permission interactively, the CLI displays a prompt asking you to confirm that you trust the authors of the code. To grant it non-interactively, include the --trust flag in your command; because that flag bypasses the prompt, pass it only for sources you have already reviewed.
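In an unattended pipeline nobody is present to answer the trust prompt, and passing --trust unconditionally would defeat the check the prompt exists for. The following POSIX sh wrapper, an added example that is not part of the Veracode CLI or its documentation, applies the --trust flag only to sources on a reviewed allowlist and fails closed for anything else; it covers both the repo example above and the trust discussion in this section. The allowlist contents, the VERACODE_BIN override, and the assumption that the allowlist is kept in version control are all hypothetical and chosen for illustration.

```shell
#!/bin/sh
# Added example (not Veracode's own code): gate `veracode package --trust`
# behind an allowlist of sources a human has already reviewed.

# Constructed allowlist (assumption: kept in version control and reviewed
# like any other change). One source per line: a Git URL for --type repo,
# an absolute path for --type directory.
TRUSTED_SOURCES='https://github.com/veracode/verademo
/srv/ci/checkouts/internal-service'

# Path to the CLI. Set VERACODE_BIN=echo to dry-run and see the command
# that would be executed without actually packaging anything.
: "${VERACODE_BIN:=./veracode}"

# normalize_source SOURCE: strip one trailing slash and a ".git" suffix so
# that "https://github.com/veracode/verademo.git/" matches the allowlist.
normalize_source() {
  s=${1%/}
  s=${s%.git}
  printf '%s\n' "$s"
}

# is_trusted SOURCE: succeed only on an exact, whole-line allowlist match.
# -F disables regex metacharacters and -x forces a whole-line match, so
# "https://github.com/veracode/verademo-evil" is not accepted as a prefix.
is_trusted() {
  printf '%s\n' "$TRUSTED_SOURCES" | grep -Fxq -- "$(normalize_source "$1")"
}

# run_package SOURCE TYPE OUTPUT: invoke `veracode package` with --trust
# for an allowlisted source, refuse (exit 1, nothing run) otherwise.
run_package() {
  src=$1; type=$2; out=$3
  case $type in
    repo|directory) ;;
    *) echo "run_package: type must be repo or directory, got '$type'" >&2; return 1 ;;
  esac
  if ! is_trusted "$src"; then
    echo "run_package: refusing to package untrusted source: $src" >&2
    return 1
  fi
  "$VERACODE_BIN" package --source "$src" --type "$type" --output "$out" --trust
}

# Usage (dry-run):
#   VERACODE_BIN=echo ./package-trusted.sh
# then call, for example:
#   run_package https://github.com/veracode/verademo repo ./artifacts
```

Because the match is exact rather than a substring or regex match, a lookalike repository under a different owner or with a suffix appended to its name is rejected, and the wrapper never falls back to running the packager interactively, which would hang a CI job waiting for the prompt.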

Supported languages

Java, JavaScript, and Python