About auto-packaging

Veracode auto-packaging automates the process of packaging your projects for Static Analysis and Software Composition Analysis (SCA) upload and scan. By automating packaging, you can reduce the burden on your teams to correctly package projects manually, while also ensuring more accurate and consistent scan results.

How auto-packaging helps developers

Saves time and effort, compared to manual packaging, by eliminating manual steps, such as gathering files and dependencies, configuring build settings, and packaging artifacts.
Ensures a consistent build process across different environments and platforms. This reduces the risk of discrepancies or errors that can occur when developers manually change the build configurations or there are variations across the configurations.
Reduces human errors that can occur when developers package projects manually. This improves the accuracy and reliability of the generated artifacts, which ensures that the Static Analysis results are accurate.
Enables scalability by facilitating the rapid and efficient generation of artifacts for analysis across multiple code repositories, projects, or teams. This scalability is essential for organizations managing large and complex codebases.
Reduces the time and resources developers spend securing their code, which allows them to focus on writing new code, implementing features, or addressing critical issues. Developers can increase their productivity and accelerate the time-to-market for software products and updates.

How auto-packaging works

The auto-packager runs on your repository to package your projects into artifacts (archive files) that you can upload to the Veracode Platform. To correctly package a project for Static Analysis or SCA upload and scan, the auto-packager automatically detects the required components and configurations for each supported language.

Packaged artifacts

The auto-packager packages your projects into archive files, such as ZIP, JAR, WAR or EAR, called artifacts. During the packaging process, the auto-packager might create multiple artifacts that it includes in the final artifacts. For example, multiple DLL files inside the final ZIP file. The final artifacts are the complete, packaged archive files that you can upload to Veracode and scan separately.

The following table lists examples of the filename format of the final artifacts for each supported language.

Artifact language	Language tag	Language suffix tag	Example filename
.NET assemblies	`dotnet`	None	`veracode-auto-pack-Web-dotnet.zip`
.NET with JavaScript	`dotnet`	`js`	`veracode-auto-pack-Web-dotnet-js.zip`
Go	`go`	None	`veracode-auto-pack-evil-app-go.zip`
iOS with Xarchive	`ios`	`xcarchive`	`veracode-auto-pack-duckduckgo-ios-xcarchive.zip`
iOS with CocoaPods	`ios`	`podfile`	`veracode-auto-pack-signal-ios-podfile.zip`
Java with Gradle	None	None	Defined by your `gradle.build` file.
Java with Maven	None	None	Defined by your `pom.xml` file.
JavaScript	`js`	None	`veracode-auto-pack-NodeGoat-js.zip`
Kotlin	None	None	The filenames of Java artifacts are defined by your `gradle.build` file.
PHP	`php`	None	`veracode-auto-pack-captainhook-php.zip`
Python	`python`	None	`veracode-auto-pack-dvsa-python.zip`
Ruby	`ruby`	None	`veracode-auto-pack-railsgoat-ruby.zip`
Scala	None	None	The filenames of Java artifacts are defined by your SBT build properties.

Account requirements

To use the auto-packager, you do not need a Veracode account.

Supported integrations

Auto-packaging is integrated with the following products:

Veracode CLI to integrate auto-packaging in your development environment.
Veracode GitHub Workflow Integration to automate repo scanning with GitHub Actions. The auto-packager only supports Java projects.
Veracode Scan for VS Code to auto-package applications, scan, and remediate findings in your IDE.

Integrate auto-packaging

You can integrate the auto-packager with your local build environment or CI/CD. For example, to add auto-packaging to your build pipelines, you could add the CLI command veracode package to your development toolchains or build scripts.

You might need to install one or more of the following tools in your environment:

A build automation tool that defines build scripts or configurations that specify how to manage dependencies, compile source code, and package code as artifacts.
A dependency management system to effectively handle project dependencies.
A compiler that builds source code into executable code.

Supported languages

If the auto-packager does not support specific versions, or it relies on a version supported by your packager manager, the Versions column shows Not applicable.

Language	Versions	Package managers
.NET	.NET 6, 7, or 8. Not supported: MAUI and .NET Framework	All
Go	1.14 - 1.22	Go Modules
iOS	Not applicable	All
Java (select from the Package managers column)	A JDK version that you have tested to build your project.	Gradle, Maven
JavaScript	Not applicable	NPM, Yarn
Kotlin	A JDK version that you have tested to build your project.	Gradle, Maven
PHP	Not applicable	Composer
Python	Not applicable	Pip, Pipenv, setuptools, virtualenv
Ruby on Rails	Ruby 2.4 or greater	Bundler
Scala	A JDK version that you have tested to build your project.	Gradle, Maven, sbt

About the examples

Under each supported language, the Veracode CLI commands and output examples demonstrate the packaging process when you run the veracode package command. You can use the auto-packager with various integrations, but the CLI output examples help you visualize the packaging process. All examples assume the location of the CLI executable is in your PATH. You might see different output in your environment.

.NET

Requirements

Before you can run the auto-packager, you must meet the following requirements:

Your environment must have:
- A supported version of .NET.
- PATH environment variable that points to the dotnet or msbuild command.
Your projects must:
- Contain at least one syntactically correct .csproj file.
- Compile successfully without errors.

Example

The auto-packager completes the following steps, as shown in the example command output.

Recursively searches your repo for all .csproj submodules.

To publish the project, runs the following command:

dotnet publish -c Debug -p:UseAppHost=false -p:SatelliteResourceLanguages='en' -p:WasmEnableWebcil=false -p:BlazorEnableCompression=false

Filters out any test projects.
Packages the published project and saves the artifacts of your packaged project in the specified --output location.

veracode package --source path/to/project/bobs-used-bookstore-sample --output verascan --trust

Packager initiated...

Verifying source project language ...
Packaging DOTNET artifacts for DotNetPackager project 'Bookstore.Data'. Publish successful.
Packaging DOTNET artifacts for DotNetPackager project 'Bookstore.Web'. Publish successful.
Project Bookstore.Web zipped and saved to: path\to\verascan\veracode-auto-pack-Bookstore.Web-dotnet.zip
DotNet project Bookstore.Web JavaScript packaged to: path\to\verascan\veracode-auto-pack-Bookstore.Web-dotnet-js.zip
Packaging DOTNET artifacts for DotNetPackager project 'Bookstore.Cdk'. Publish successful.
Project Bookstore.Cdk zipped and saved to: path\to\verascan\veracode-auto-pack-Bookstore.Cdk-dotnet.zip
Packaging DOTNET artifacts for DotNetPackager project 'Bookstore.Domain'. Publish successful.
Successfully created 3 artifact(s).
Created DotNet artifacts for DotNetPackager project.
Total time taken to complete command: 11.656s

Go

Requirements

Before you can run the auto-packager, you must meet the following requirements:

Your environment must have a supported version of Go.
Your projects must:
- Support Go Modules.
- Contain a go.sum file and a go.mod file.
- Compile successfully without errors.

Example

The auto-packager completes the following steps, as shown in the example command output.

To build and package a project, including the source code and the vendor folder, runs the command go mod vendor.
Copies the artifacts of your packaged project to the specified --output location.

veracode package --source path/to/project/sftpgo --output verascan --trust

Packager initiated...

Verifying source project language ...
PPackaging GO artifacts for GoModulesPackager project 'ldapauthserver'. go mod vendor successful.
Go project ldapauthserver packaged to: path/to/verascan/veracode-auto-pack-ldapauthserver-go.zip
Packaging GO artifacts for GoModulesPackager project 'ldapauth'. go mod vendor successful.
Go project ldapauth packaged to: path/to/verascan/veracode-auto-pack-ldapauth-go.zip
Packaging GO artifacts for GoModulesPackager project 'eventsearcher'. go mod vendor successful.
Go project eventsearcher packaged to: path/to/verascan/veracode-auto-pack-eventsearcher-go.zip
Packaging GO artifacts for GoModulesPackager project 'sftpgo-main'. go mod vendor successful.
Go project sftpgo-main packaged to: path/to/verascan/veracode-auto-pack-sftpgo-main-go.zip
Packaging GO artifacts for GoModulesPackager project 'ipfilter'. go mod vendor successful.
Go project ipfilter packaged to: path/to/verascan//veracode-auto-pack-ipfilter-go.zip
Successfully created 5 artifact(s).
Created GoLang artifacts for GoModulesPackager project.
Total time taken to complete command: 22.776s

iOS

Requirements

Before you can run the auto-packager, you must meet the following requirements:

Your environment must have:
- Xcode and the xcodebuild command-line tool installed.
- gen-ir installed. For example:
```
 # Add the brew tap to your local machine
 brew tap veracode/tap

 # Install the tool
 brew install gen-ir
```
- pod installed, if your projects use CocoaPods or third party tools.
Your projects must compile successfully without errors.

Example

The auto-packager completes the following steps, as shown in the example command output.

Checks that the podfile or podfile.lock files are present.
Runs the command pod install.
Checks that the .xcworkspace or .xcodeproj files are present.

To build and package the project, runs:

xcodebuild clean archive -PROJECT/WORKSPACE filePath -scheme SRCCLR_IOS_SCHEME -destination SRCCLR_IOS_DESTINATION -configuration SRCCLR_IOS_CONFIGURATION -archivePath projectName.xcarchive DEBUG_INFORMATION_FORMAT=dwarf-with-dsym ENABLE_BITCODE=NO

The SRCCLR values are optional environment variables you can use to customize the xcodebuild archive command.

Runs gen-ir on the artifact of your packaged project and the log files.
Saves the artifact in the specified --output location.

veracode package --source https://github.com/signalapp/Signal-iOS --type repo --output verascan --trust

Packager initiated...
Verifying source project language ...
Packaging iOS artifacts for IOSPackager project 'MyProject'.
iOS Project MyProject zipped and saved to: path/to/verascan/veracode-auto-pack-MyProject-ios-xcarchive.zip
Successfully created 1 artifact(s).
Created IOS artifacts for IOSPackager project.
Total time taken to complete command: 9.001s

Java with Gradle

Requirements

Before you can run the auto-packager, you must meet the following requirements:

Your environment must have:
- A JDK version that you tested to successfully compile your application.
- Access to a gradlew command that points to the correct JAVA_HOME directory. If gradlew is not available, ensure the correct Gradle version is installed.
Your projects must:
- Have the correct build.gradle file.
- Compile successfully without errors.

Example

The auto-packager completes the following steps, as shown in the example command output.

To build the Gradle project and package it as a JAR file, runs the command gradlew clean build -x test.
Copies the artifact of your packaged project to the specified --output location.

veracode package --source path/to/project/example-java-gradle --output verascan --trust

Packager initiated...

Verifying source project language ...
Copying Java artifacts for GradlePackager project.
Copied artifact: path/to/verascan/example-java-gradle-1.0-SNAPSHOT.jar.
Successfully created 1 artifact(s).
Created Java artifacts for GradlePackager  project.
Total time taken to complete command: 7.174s

Java with Maven

Requirements

Before you can run the auto-packager, you must meet the following requirements:

Your environment must have:
- A JDK version that you tested to successfully compile your application.
- Access to a mvn command that points to the correct JAVA_HOME directory.
Your projects must:
- Have the correct pom.xml file.
- Compile successfully without errors.

Example

The auto-packager completes the following steps, as shown in the example command output.

To build and package the Maven project, runs the command mvn clean package.
Copies the artifact, such as JAR, WAR, EAR, of your packaged project to the specified --output location.

veracode package --source path/to/project/example-java-maven --output verascan --trust

Packager initiated...

Verifying source project language ...
Copying Java artifacts for Maven project.
Copied artifact: path/to/verascan/example-java-maven-1.0-SNAPSHOT.jar.
Successfully created 1 artifact(s).
Created Java artifacts for Maven project.
Total time taken to complete command: 6.799s

JavaScript

Requirements

Before you can run the auto-packager, you must meet the following requirements:

Your environment must have:
- The NPM or Yarn package manager installed.
- The correct Node, NPM, or Yarn version to package the project.
Your projects must:
- Be able to resolve all dependencies with commands npm install or yarn install.
- Have the correct package.json file.
- Compile successfully without errors.

Example

The auto-packager completes the following steps, as shown in the example command output.

To build and package the project, runs one of the following commands:
- For NPM, runs the command npm install.
- For Yarn, runs the command yarn install.
Copies the artifact of your packaged project to the specified --output location.

veracode package --source path/to/project/example-javascript --output verascan --trust

Packager initiated...

Verifying source project language ...
Packaging Javascript artifacts for NPM project.
Project example-javascript packaged to path/to/veracsan/veracode-auto-pack-example-javascript-js.zip.
Successfully created 1 artifact(s).
Created Javascript artifacts for NPM project.
Total time taken to complete command: 3.296s

Kotlin

Requirements

Before you can run the auto-packager, you must meet the following requirements:

Your environment must have:
- The correct Kotlin version for your projects.
- The Maven or Gradle package manager installed.
- A Java version that your packager manager requires.
Your projects must:
- Have the correct pom.xml, build.gradle, or build.gradle.kts file.
- Compile successfully without errors.

Example

The auto-packager completes the steps shown in the following example command output.

Verifies that your project language is supported.
Uses Gradle to builds and packages the project.
Copies the artifacts of your packaged project to the specified --output location.

veracode package --source path/to/project/kotlin-server-side-sample/gradle --output verascan --trust

Packager initiated...

Verifying source project language ...
Copying Java artifacts for GradlePackager project.
Copied artifact: path/to/verascan/demo-0.0.1-SNAPSHOT-plain.jar.
Copied artifact: path/to/verascan/demo-0.0.1-SNAPSHOT.jar.
Successfully created 2 artifact(s).
Created Java artifacts for GradlePackager project.
Total time taken to complete command: 8.632s

PHP

Requirements

Before you can run the auto-packager, you must meet the following requirements:

Your environment must have:
- Correct PHP version for your projects.
- Composer dependency manager installed.
Your projects must:
- Have the correct PHP composer.json file.
- Compile successfully without errors.

Example

The auto-packager completes the following steps, as shown in the example command output.

To build and package the project source code and lock file with Composer, runs the command composer install.
Saves the artifacts of your packaged project in the specified --output location.

veracode package --source path/to/project/example-php --output verascan --trust

Packager initiated...

Validating output path ...

Packaging PHP artifacts for Composer project.
Project captainhook zipped and saved to path/to/verascan/veracode-auto-pack-captainhook-php.zip.
Packaging PHP artifacts for Composer project.
Project template-integration zipped and saved to path/to/verascan/veracode-auto-pack-template-integration-php.zip.
Successfully created 2 artifact(s).
Created PHP artifacts for Composer project.
Total time taken to complete command: 3.62s

Python

Requirements

Before you can run the auto-packager, you must meet the following requirements:

Your environment must have:
- The correct pip and Python or pyenv version for packaging your project are installed.
- A package manager configuration file with the required settings to resolve all dependencies.
Your projects must compile successfully without errors.

Example

The auto-packager completes the following steps, as shown in the example command output.

To resolve all third party dependencies and generate the lock file, PIP install, runs the command pip install -r requirements.txt.
Packages the project source code, lock file, and vendor folder.
Saves the artifact of your packaged project to the specified --output location.

veracode package --source path/to/project/example-python --output verascan --trust

Packager initiated...

Verifying source project language ...
Packaging Python artifacts for PIP project.
Project example-python zipped and saved to path/to/verascan/veracode-auto-pack-example-python-python.zip.
Successfully created 1 artifact(s).
Created Python artifacts for PIP project.
Total time taken to complete command: 14.359s

Ruby on Rails

Requirements

Before you can run the auto-packager, you must meet the following requirements:

Your environment must have:
- The Bundler package manager installed with the correct Ruby version.
- The Veracode packager gemfile installed. This gemfile handles pre-processing of Rails projects for Static Analysis.
- The ability to run the command bundle install
Your projects must compile successfully without errors.

Optionally, to test your configured environment, run the command rails server.

Example

The auto-packager completes the following steps, as shown in the example command output.

To configure the vendor path, runs the command bundle config --local path vendor.
Runs the command bundle install without development and test: bundle install --without development test.
To check for the Rails installation, runs the command bundle info rails. If Rails is not installed, the auto-packager assumes it is not a Rails project and exits.
To install the Veracode packager gem, runs the command bundle add veracode.
To package your project using the Veracode packager gem, runs the command bundle exec veracode.
Saves the artifact of your packaged project to the specified --output location.

veracode package --source path/to/project/rails --output verascan --trust

Packager initialized...

Verifying source project language ...
Packaging Ruby artifacts for RubyPackager project 'veracode-rails-20240321225855.zip'.
ArtifactPath: /rails/tmp/veracode-rails-20240321225855.zip
ValidatedSource: /rails
ValidatedOutput: /rails/verascan
Project name: rails
44824469 bytes written to destination file. Path: /rails/verascan/rails.zip

temporary zip file deleted. Path: /rails/tmp/veracode-rails-20240321225855.zip

Successfully created 1 artifact(s).
Created Ruby artifacts for RubyPackager project.
Total time taken to complete command: 1m27.428s

Scala

Requirements

Before you can run the auto-packager, you must meet the following requirements:

Your environment must have:
- A JDK version that you have tested to successfully package your application.
- The Maven, Gradle, or sbt package manager installed with the correct Java version.
Your projects must:
- Have the correct pom.xml, build.gradle, or build.sbt file.
- Compile successfully without errors.

Example

The auto-packager completes the following steps, as shown in the example command output.

Runs the sbt assembly command sbt clean assembly. This command assists in creating a JAR file with dependencies in non-Spring projects, which improves SCA scanning.
If sbt assembly fails, runs the sbt package command sbt clean package.
Copies the artifacts of your packaged application to the specified --output location.

veracode package --source path/to/project/packSample/zio-quill --output verascan --trust

Packager initiated...

Verifying source project language ...
Copying Java artifacts for SbtPackager project.
Copied artifact: path/to/verascan/quill-cassandra_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-cassandra-monix_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-cassandra-pekko_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-cassandra-zio_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-codegen_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-codegen-jdbc_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-codegen-tests_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-core_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-doobie_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-engine_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-jdbc_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-jdbc-monix_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-jdbc-test-h2_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-jdbc-test-mysql_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-jdbc-test-oracle_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-jdbc-test-postgres_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-jdbc-test-sqlite_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-jdbc-test-sqlserver_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-jdbc-zio_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-monix_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-orientdb_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-spark_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-sql_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-sql-test_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-util_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-zio_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/zio-quill-docs_2.12-4.8.2+3-d2965801-SNAPSHOT.jar.
Successfully created 28 artifact(s).
Created Java artifacts for SbtPackager project.
Total time taken to complete command: 45.428s

How auto-packaging helps developers​

How auto-packaging works​

Packaged artifacts​

Account requirements​

Supported integrations​

Integrate auto-packaging​

Supported languages​

About the examples​

.NET​

Requirements​

Example​

Go​

Requirements​

Example​

iOS​

Requirements​

Example​

Java with Gradle​

Requirements​

Example​

Java with Maven​

Requirements​

Example​

JavaScript​

Requirements​

Example​

Kotlin​

Requirements​

Example​

PHP​

Requirements​

Example​

Python​

Requirements​

Example​

Ruby on Rails​

Requirements​

Example​

Scala​

Requirements​

Example​

How auto-packaging helps developers

How auto-packaging works

Packaged artifacts

Account requirements

Supported integrations

Integrate auto-packaging

Supported languages

About the examples

.NET

Requirements

Example

Go

Requirements

Example

iOS

Requirements

Example

Java with Gradle

Requirements

Example

Java with Maven

Requirements

Example

JavaScript

Requirements

Example

Kotlin

Requirements

Example

PHP

Requirements

Example

Python

Requirements

Example

Ruby on Rails

Requirements

Example

Scala

Requirements

Example