About package discover

The veracode package discover command detects toolchains in your project and identifies any changes or upgrades needed to create scannable artifacts. It generates and updates the veracode.yml file with supported modules to reduce manual setup and improve scan accuracy.

Run this command before using the veracode package command to ensure your environment is ready for packaging.

To learn more about automated packaging, see About auto-packaging.

How package discover helps developers

Pre-checks packaging readiness by detecting missing toolchains or misconfigurations before packaging begins.
Improves scan accuracy by updating veracode.yml with supported modules for consistent results.
Reduces manual setup by automating detection of build files and runtime environments.
Troubleshoots faster by identifying version mismatches and required upgrades early.
Separates discovery from packaging to reduce manual intervention.
Prevents failures caused by misconfigured environments.

How package discover works

Recursively scans the specified path for build files and toolchains.
Identifies supported modules and runtime environments.
Generates or updates veracode.yml with discovered configuration.
Provides actionable feedback for missing or incompatible toolchains.

What package discover generates

When you run the veracode package discover command, it creates or updates a veracode.yml file. This file includes the following configuration details:

Build files and project root directories discovered by the command.
The type and version of the packager used.
Runtime environment information, such as SDK or Java versions.
Paths to submodules in multi-module projects.

Supported integration

You can use the veracode package discover command directly with the Veracode CLI.

Integrate package discover

Run veracode package discover as a pre-step in your build pipeline to:

Validate that your toolchains are correctly configured.
Prevent packaging failures.
Ensure accurate scan configuration.
Use --dry-run to preview changes without modifying files.
Confirm runtime environments and toolchain versions before packaging.

Supported build tools

veracode package discover currently supports:

MSBuild (.NET)
Maven

Examples

The following examples show how veracode package discover works for different languages and project types.

MSBuild (.NET)

Requirements

Requires a .NET project with .csproj or .publishproj files.

How package discover works for .NET

Recursively searches your repository for .csproj and .publishproj submodules.
Filters out any test projects.
Identifies which projects need to be built for packaging to succeed.

Command:

veracode package discover path/to/project/bobs-used-bookstore-sample

Output:

Veracode CLI v2.XX.0 -- abc12def

----- TEXT format -----
Artifact 1
Directory:        Bookstore.Cdk
Project root:     bobs-used-bookstore-sample/app/Bookstore.Cdk
Packager type:    Dotnet
Root Build file:  bobs-used-bookstore-sample/app/Bookstore.Cdk/Bookstore.Cdk.csproj
Pre-check status: Success - Ready to package

Artifact 2
Directory:        Bookstore.Web
Project root:     bobs-used-bookstore-sample/app/Bookstore.Web
Packager type:    Dotnet
Root Build file:  bobs-used-bookstore-sample/app/Bookstore.Web/Bookstore.Web.csproj
Pre-check status: Success - Ready to package

Summary

✅ 2/2 artifacts are packageable

Total time taken to complete discovery 0.03s

Metadata fields

Field	Description	Example
project_root	Directory containing the root .csproj.	eShopOnWeb/src/PublicApi
packager_manager_type	Constant value when .NET packager is detected.	dotnet
root_build_file	Root .csproj used by the packager.	eShopOnWeb/src/PublicApi/PublicApi.csproj
packager_manager_version	Version specified in .csproj or .props.	net8.0
build_file_paths	Same as root build file for .NET.	`[ "eShopOnWeb/src/PublicApi/PublicApi.csproj" ]`
runtime_environments	Reports the installed runtime versions based on project type: – For SDK-style projects: the .NET SDK versions installed on the system. – For non-SDK projects: the MSBuild or .NET Framework version installed.	`[ { "type": ".net sdk", "version": "6.0, 8.0" } ]`

Maven

Requirements

Requires a Maven project with pom.xml files.

How package discover works for Maven

Recursively searches your repository for all pom.xml submodules.
Reports the installed Java and Maven versions so you can verify compatibility.
Identifies which projects need to be built for packaging to succeed.

Command:

veracode package discover -f json path/to/project/howdy-ear

Output:

Veracode CLI v2.XX.0 -- abc12def

----- JSON format -----
{
  "howdy-ear": [
    {
      "project_root": "howdy-ear",
      "packager_manager_type": "maven",
      "root_build_file": "howdy-ear/pom.xml",
      "packager_manager_version": "3.9.11",
      "build_file_paths": [
        "howdy-ear/ear/pom.xml",
        "howdy-ear/ejb/pom.xml",
        "howdy-ear/web/pom.xml"
      ],
      "runtime_environments": [
        {
          "type": "java",
          "version": "24.0.2"
        }
      ]
    }
  ]
}
Total time taken to complete discovery 0.68s

Metadata fields

Field	Description	Example
project_root	Project root directory where the root pom.xml is present.	howdy-ear
packager_manager_type	Constant value when Maven packager is detected.	Maven
root_build_file	Root build file for Maven packager.	howdy-ear/pom.xml
packager_manager_version	Maven version installed on the system.	3.9.6
build_file_paths	Submodule `pom.xml` paths for multi-module projects.	`[ "howdy-ear/ear/pom.xml", "howdy-ear/ejb/pom.xml" ]`
runtime_environments	Installed Java versions.	`[ { "type": "java", "version": "11.0.22" } ]`

How package discover helps developers​

How package discover works​

What package discover generates​

Supported integration​

Integrate package discover​

Supported build tools​

Examples​

MSBuild (.NET)​

Maven​

Did you find this helpful?