Azure DevOps YAML Properties for Upload and Scan


This table describes the properties and their values for adding the Veracode Upload and Scan task to an Azure DevOps or Team Foundation Server (TFS) build pipeline using YAML.

Property Type Description
ConnectionDetailsSelection (Required) String One of these methods for connecting to Veracode:
  • Endpoint to use an existing service connection that includes your Veracode API credentials. Include AnalysisService to specify a service connection name.
  • Credentials to enter your Veracode API credentials. Include apiId to enter your API ID and apiKey to enter your API key.
veracodeAppProfile (Required) String Name of the Veracode application profile. The name is case-sensitive.
version (Required) String Name of the scan. You can enter the $buildnumber or $projectname variables to dynamically bind the build number or project name to the scan name, instead of using a fixed scan name.
filepath (Required) String Filepath to either an application artifact or a folder containing multiple artifacts to upload to Veracode. You can also upload multiple artifacts using one or more ZIP archives. To prepare the artifacts:
  1. Add the artifacts to one or more ZIP archives.
  2. Ensure the ZIP archives are in the same upload file path location.
  3. Prepare the ZIP archives for uploading to Veracode using a separate build step or build steps in your pipeline.
For a .NET application, if you have additional published projects from a solution, include them in the archive to upload and analyze. Add any JavaScript files to a separate ZIP archive according to the packaging instructions in the Veracode Packaging Requirements. Include only the file types for languages and platforms that Veracode can scan in a ZIP archive to improve uploading and scan speed. Microsoft provides this Archive Files task: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/utility/archive-files?view=azure-devops.
AnalysisService String If you set ConnectionDetailsSelection to Endpoint, the name of the service connection for accessing Veracode.
If a service connection does not exist, you can create a new service connection.
apiId String If you set ConnectionDetailsSelection to Credentials, your Veracode API ID.
apiKey String If you set ConnectionDetailsSelection to Credentials, your Veracode API key.
sandboxName String For development sandbox scans, the name of the sandbox in which to run the scan. If the sandbox does not exist, include createSandBox to create it with the specified name.
createSandBox Boolean For development sandbox scans, create a sandbox for the specified Veracode application. Set to true to create a sandbox. Set to false to not create a sandbox.
optargs String Any optional parameters from the uploadandscan API to include in the scan. For example:

-include mymodule1.jar,mymodule2.jar,*.js -createsandbox true -sandboxname mysandbox

Note: Do not enclose any of the values in single or double quotation marks.

createProfile Boolean Create a Veracode application profile, if one does not exist, for the specified application profile name. Set to true to create a profile. Set to false to not create a profile.
failBuildIfUploadAndScanBuildStepFails Boolean Fail the build if the Veracode Upload and Scan build step fails to start. Set to true to fail the build. Set to false to allow the build to continue.
importResults Boolean Import scan results into Azure DevOps after the scan completes. Set to true to import results. Set to false to not import results. You can view the results on the Veracode Scan Summary tab.
failBuildOnPolicyFail Boolean Fail the build if the scan results indicate that the application has failed your security policy. Set to true to fail the build. Set to false to not fail the build.
maximumWaitTime Integer Build agent wait time, in minutes, to fail the build if no scan results are available. The value range is 30 to 1440 (24 hours) and the default is 360 (6 hours). If you enter a value outside this range, the build fails.
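
The following pipeline fragment is an added example, not taken from the Veracode documentation, that combines the properties above: an archive step prepares the upload, the task connects through a service connection so that no API credentials appear in the YAML file, and the build is gated on the policy result. The task reference Veracode@3, the service connection name veracode-api, the profile name MyApp, and the publish folder are assumptions; substitute the values from your own organization.

```yaml
# Added example. Assumed names: Veracode@3, veracode-api, MyApp, publish/.
steps:
  # Package the build output into one ZIP archive in the upload location.
  - task: ArchiveFiles@2
    inputs:
      rootFolderOrFile: '$(Build.SourcesDirectory)/publish'   # assumed build output folder
      includeRootFolder: false
      archiveType: 'zip'
      archiveFile: '$(Build.ArtifactStagingDirectory)/app.zip'
      replaceExistingArchive: true

  - task: Veracode@3                        # assumed task name and major version
    inputs:
      # Endpoint keeps the API ID and key inside the service connection.
      ConnectionDetailsSelection: 'Endpoint'
      AnalysisService: 'veracode-api'       # assumed service connection name
      # Alternative: ConnectionDetailsSelection: 'Credentials' with
      #   apiId:  '$(VERACODE_API_ID)'
      #   apiKey: '$(VERACODE_API_KEY)'
      # read from secret pipeline variables (assumed names), never written
      # as literal values in the repository.
      veracodeAppProfile: 'MyApp'           # case-sensitive profile name
      createProfile: false                  # a mistyped name does not create a new profile
      version: '$buildnumber'               # bind the scan name to the build number
      filepath: '$(Build.ArtifactStagingDirectory)'
      failBuildIfUploadAndScanBuildStepFails: true
      importResults: true
      failBuildOnPolicyFail: true           # stop the build when the policy fails
      maximumWaitTime: '360'                # minutes; valid range is 30 to 1440
```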