Azure DevOps Workflow Integration

The Azure DevOps Workflow Integration adds Veracode Static Analysis and Software Composition Analysis (SCA) into your running Azure DevOps pipelines. It automates policy scans and pipeline scans for Static Analysis, and agent-based scans for SCA.

Use this guide to install the integration, configure Veracode scans, and view your scan results.

Getting started

To get started, install the integration from the Veracode Platform, and then create a key vault and service connection with Azure DevOps.

Install the integration

Install the integration from the Veracode Platform.

Before you begin

Before you begin, you must have:

• Enabled the integration for your Veracode account. To enable the integration, contact Veracode Technical Support.
• The Administrator or Security Lead role.
• Created an Azure DevOps personal access token (PAT) with the following access scopes:
  • Code: Read, Write and Manage
  • Extensions: Read and Manage
  • Project and Team: Read, Write and Manage

To complete this task:

1. In the Veracode Platform, select Repo Scan from the left menu.

2. Select Azure, then select Next.

3. Enter your Azure DevOps personal access token, then select Next.

4. Enter the personal access token you generated in Azure DevOps, then select Next.

5. Enter the name of the Azure DevOps organization, then select Install.

   Veracode now creates the veracode project in the Azure DevOps organization where you installed the Azure DevOps Workflow Integration.

Create a key vault

To store your credentials for Static Analysis and SCA scans, create a key vault in the Azure portal.

Before you begin

Before you begin, you must have:

• An Azure subscription.
• Installed the Azure DevOps Workflow Integration.
• Created an Azure DevOps personal access token (PAT) with the following access scopes:

  • Code: Read

  • Work Items : Read, write, & manage

    This token cannot be the token you used when you installed the integration. It must be active while using the integration, so you must create a new token when it expires.

• To run Static Analysis scans, you must have valid API credentials.
• To run SCA agent-based scans, you must have a valid SCA agent token.

To complete this task:

1. Sign in to the Azure portal.

2. Create a key vault and, in the Name field, enter the keyVaultName value from the installation.json file. This file is located in the Veracode repository within your organization.

   Veracode automatically generates a unique keyVaultName value when you install the integration.

3. Add the following secrets to the key vault:

   Secret name	Description
   UserPat	The personal access token you generated in Azure DevOps. The integration requires this access to retrieve repository details for triggering scans. It cannot be the token you used when you installed the integration. If you replace your PAT, you must update this value.
   VeracodeApiId	The ID from your Veracode API credentials.
   VeracodeApiKey	The secret key from your Veracode API credentials.
   ScaApiToken	Your token for SCA agent-based scanning.
   SrcclrApiUrl	The SCA endpoint URL for your region. For the Commercial Region, the URL is https://api.sourceclear.io. For the European region, the URL is https://platform-backend.analysiscenter.veracode.eu

Create a service connection

To allow Veracode to execute tasks in your Azure pipelines, create a service connection for your Veracode project in Azure DevOps.

Before you begin

You have installed the Azure DevOps Workflow Integration.

To complete this task:

1. Sign in to your Azure DevOps organization.
2. Open the veracode project.
3. Select Project settings > Service connections.
4. Select New service connection.
5. Select Azure Resource Manager, then select Next.
6. Select Service principal (automatic), then select Next.
7. Select the subscription associated with your key vault.
8. Select a resource group.
9. In the Service connection field, enter Veracode Service Connection.
10. Select Grant access permission to all pipelines, then select Save.
11. Select Veracode Service Connection.
12. Select the three-dot menu in the top-right corner, then select Security.
13. For pipeline permissions, if restrictions are in place, do one of the following:
    • To allow access to all pipelines in the project, select Open access.
    • To allow access to specific pipelines, select the plus icon and select the pipelines you want to access.
14. For Project permissions, add the service connection to other projects you want to scan.

Create an access policy

To grant the Veracode service connection access to your key vault, create an access policy.

Before you begin

Before you begin, you must have:

• A key vault in the Azure portal.
• Added the Veracode Service Connection to each project you want to scan.

To complete this task:

1. Sign in to your Azure DevOps organization.
2. Open the veracode project.
3. Select Project settings > Service connections.
4. Select Veracode Service Connection.
5. Select Manage Service Principal. This selection directs you to the Azure portal.
6. Copy the display name to your clipboard.
7. In the Azure portal, open the key vault you created.
8. Select Access policies.
9. Select Create.
10. For Secret permissions, select Get and List, then select Next.
11. Paste the display name that you copied earlier and select the appropriate result, then select Next.
12. Select Create.

Configure scans

Veracode scans run when your Azure Pipelines pipeline runs. In your veracode.yml file, you can configure several options to fit your organization's process, including:

• The types of scans to run
• Which branches to target
• Which Veracode security policy to apply
• Whether the scan is triggered by a push or a pull

See the full list of available configurations.

By default, your veracode.yml file is configured to trigger Static pipeline scans and SCA agent-based scans on any push to any branch.

By default, if analysis_on_platform is true, any code merges into your analysis_branch triggers policy scans, which send results to the Veracode Platform.

Specify repositories to scan

By default, the Azure DevOps Workflow Integration scans all repositories except for the veracode repository.

Exclude specific repositories

1. Open repo_list.yml in the veracode repository.
2. Under exclude_repos:, enter the list of repositories you want to exclude. Each repository name must be surrounded by single quotes. For example: 'java_Repo'

Include only specific repositories

1. Open repo_list.yml in the veracode repository.
2. Under include_repos:, enter the list of repositories you want to include. Each repository name must be surrounded by single quotes. For example: 'java_Repo'
3. If the list includes '*', delete it. If it is present, Veracode will scan all repositories that are not listed under exclude_repos:.

veracode.yml reference

The following table describes the properties in the veracode.yml file. You can change these values to configure the integration.

Value	Description	Default value
push:trigger	If true, triggers a pipeline scan when you commit changes to a branch.	true
push:branches_to_run	The branches that trigger pipeline scans when you commit changes. If '*', all branches can trigger scans.	'*'
push:branches_to_exclude	The branches that do not trigger scans. Only applies if branches_to_run is set to '*'.
pull_request:trigger	If true, triggers a scan when you perform a pull request.	true
pull_request:action	Pull request actions that trigger scans. Values are: opened, reopened, edited, synchronize, closed.	opened and synchronize
pull_request:target_branch	The target branch that triggers scans when you perform pull requests.	default_branch
analysis_branch	The branch submitted to the Veracode Platform for analysis.	default_branch
analysis_on_platform	If false, no scans are submitted to the Veracode Platform. If true, scans from the analysis_branch are submitted to the Platform using a new application profile. The name of the profile has this format: ADO/{organization}/{project}/{repository}	false
policy	The application security policy applied to your scan findings, if a policy is not already assigned to your application profile.	'Veracode Recommended Medium + SCA'
break_build_policy_findings	If true, the build breaks when findings violate the policy.	true
break_build_on_error	If true, the build breaks if the scan fails to complete in time or returns an error.	false
create_work_items	If true, creates Azure work items for Static Analysis findings.	false

Configure integration for individual repositories

Adding a veracode.yml file to individual repositories lets you overwrite specific scan settings defined in your organization's central veracode.yml file.

To overwrite the settings:

1. Add a veracode.yml file to the root of your developer's repository.

2. Add the updated configuration to the file. All veracode.yml files must include the heading and the value that you want to overwrite. For example, this veracode.yml file overwrites the break_build_policy_findings flag so that your builds break when Static Analysis findings violate policy.

   veracode_static_scan:
     break_build_policy_findings: true

Verify scans

After you configure the integration, the Trigger Veracode Scans task is available in your build pipeline. To access the complete report, select the Pipelines tab.

Reviewing results in the Veracode Platform

If you set analysis_on_platform to true, you can view scan results in the Veracode Platform.

Static Analysis scans return a list of annotations describing each static flaw and a link to the Veracode Platform where you can view a full report of your results. If an application profile for a scanned repository does not already exist in the Veracode Platform, Veracode automatically creates one using the format for the name of the profile: ADO/{organization}/{project}/{repository}.

For more information on reviewing Static Analysis findings, see Reviewing scan results.

SCA scans return a summary report of your open source security findings as well as a detailed list of libraries, vulnerabilities, and licenses. For more information about SCA findings, see Viewing agent-based scan results.