
Azure DevOps YAML properties for Upload and Scan

This table describes the properties and their values for adding the Veracode Upload and Scan task to an Azure DevOps build pipeline using YAML.

Property (Type): Description

ConnectionDetailsSelection (String, Required)
One of these methods for connecting to Veracode:
  • Service Connection to use an existing service connection that includes your Veracode API credentials. Include AnalysisService to specify a service connection name.
  • Credentials to enter your Veracode API credentials. Include apiId to enter your API ID and apiKey to enter your API key.

veracodeAppProfile (String, Required)
Name of the application profile. The name is case-sensitive.

version (String, Required)
Name of the scan. You can enter the $buildnumber or $projectname variables to dynamically bind the build number or project name to the scan name, instead of using a fixed scan name.

filepath (String, Required)
Filepath to either an application artifact or a folder containing multiple artifacts to upload to Veracode.
You can also upload multiple artifacts using one or more ZIP archives. To prepare the artifacts:
  1. Add the artifacts to one or more ZIP archives.
  2. Ensure the ZIP archives are in the same upload file path location.
  3. Prepare the ZIP archives for uploading to Veracode using a separate build step or build steps in your pipeline.
For a .NET application, if you have additional published projects from a solution, include them in the archive to upload and analyze. Add any JavaScript files to a separate ZIP archive according to the packaging instructions in the packaging requirements. Include only the file types for languages and platforms that Veracode can scan in a ZIP archive to improve uploading and scan speed. Microsoft provides this Archive Files task: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/utility/archive-files?view=azure-devops.

AnalysisService (String)
If you set ConnectionDetailsSelection to Endpoint, the name of the service connection for accessing Veracode.
If a service connection does not exist, you can create a new service connection.

apiId (String)
If you set ConnectionDetailsSelection to Credentials, your Veracode API ID.

apiKey (String)
If you set ConnectionDetailsSelection to Credentials, your Veracode API key.

sandboxName (String)
For development sandbox scans, the name of the sandbox in which to run the scan. If the sandbox does not exist, include createSandBox to create it with the specified name.

createSandBox (Boolean)
For development sandbox scans, create a sandbox for the specified Veracode application. Set to true to create a sandbox. Set to false to not create a sandbox.

optargs (String)
Any optional parameters from the uploadandscan API to include in the scan. For example:

'-criticality high -include *.dll -exclude *.exe -createsandbox true -sandboxname mysandbox -deleteIncompleteScan 1'

Proxy example:

'-pport 8282 -phost abc.proxy.com -puser proxyuser -ppassword proxypassword'

NOTE:
Do not enclose any of the values in single or double quotations.

createProfile (Boolean)
Create a Veracode application profile, if one does not exist, for the specified application profile name. Set to true to create a profile. Set to false to not create a profile.

failBuildIfUploadAndScanBuildStepFails (Boolean)
Fail the build if the Veracode Upload and Scan build step fails to start. Set to true to fail the build. Set to false to allow the build to continue.

importResults (Boolean)
Import scan results into Azure DevOps after the scan completes. Set to true to import results. Set to false to not import results. You can view the results on the Veracode Scan Summary tab.

failBuildOnPolicyFail (Boolean)
Fail the build if the scan results indicate that the application has failed your security policy. Set to true to fail the build. Set to false to not fail the build.

maximumWaitTime (Integer)
Build agent wait time, in minutes, to fail the build if no scan results are available. The value range is 30 to 1440 (24 hours) and the default is 360 (6 hours). If you enter a value outside this range, the build fails.
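
A pipeline fragment that combines the properties above, as an added example that is not taken from the Veracode documentation: it zips the artifacts in a separate step, authenticates through a service connection so no API credentials appear in the YAML, and fails the build when the scan does not start or the policy fails. The task reference Veracode@3, the connection name veracode-api, the profile name my-app, the staging paths and the secret variable names are assumptions.

```yaml
# Added example, not from the Veracode documentation.
# Assumed names: Veracode@3, veracode-api, my-app, VERACODE_API_ID,
# VERACODE_API_KEY, PROXY_PASSWORD, and the staging paths below.
steps:
  # Separate build step that packages the artifacts into a ZIP archive
  # placed in the upload file path location.
  - task: ArchiveFiles@2
    inputs:
      rootFolderOrFile: '$(Build.BinariesDirectory)'
      includeRootFolder: false
      archiveType: 'zip'
      archiveFile: '$(Build.ArtifactStagingDirectory)/app.zip'
      replaceExistingArchive: true

  - task: Veracode@3                     # assumed task name and version
    inputs:
      # A service connection keeps the API ID and key out of the repository.
      ConnectionDetailsSelection: 'Endpoint'
      AnalysisService: 'veracode-api'    # hypothetical connection name

      # Credentials alternative: reference secret pipeline variables,
      # never literal values committed with the pipeline file.
      # ConnectionDetailsSelection: 'Credentials'
      # apiId: '$(VERACODE_API_ID)'
      # apiKey: '$(VERACODE_API_KEY)'

      veracodeAppProfile: 'my-app'       # case-sensitive
      version: '$(Build.BuildNumber)'    # scan name bound to the build number
      filepath: '$(Build.ArtifactStagingDirectory)'
      createProfile: false               # a mistyped name fails instead of creating a profile
      optargs: '-deleteIncompleteScan 1'
      # Behind a proxy, take the password from a secret variable rather
      # than writing it into optargs in clear text:
      # optargs: '-phost abc.proxy.com -pport 8282 -puser proxyuser -ppassword $(PROXY_PASSWORD)'

      failBuildIfUploadAndScanBuildStepFails: true   # a scan that never started must not pass
      importResults: true
      failBuildOnPolicyFail: true                    # enforce the security policy as a gate
      maximumWaitTime: 360                           # minutes; allowed range is 30 to 1440
```

With both fail* properties left at false, a build can succeed even though no scan ran or the application failed policy, so the gate depends on setting them to true.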