Configure Pipeline Scan settings
Configure Veracode Pipeline Scan to apply security policies, enable logging, and import scan findings into GitLab.
For all configuration settings, see the Pipeline Scan commands.
Apply security policies
You can use a Veracode security policy to evaluate the scan results from a Pipeline Scan.
You can configure a Pipeline Scan to evaluate the scan results against one of the standard or recommended security policies. To use a custom policy, you must include the --request_policy parameter in your pipeline or at the command line to retrieve the policy definition from Veracode.
Pipeline Scan performs a Static Analysis scan and supports the following policy rule types:
- Findings with CWE ID
- Findings in CWE Category
- Findings by Severity
Pipeline Scan does not consider grace periods, required scan frequency, or evaluation time frames.
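As an added example (not Veracode code), the following Python sketch applies the three supported rule types to a constructed set of findings and shows that each finding is judged as-is, with no grace period or time-frame logic; the Finding structure, rule encoding, severity ladder and sample data are assumptions, not the real Pipeline Scan results format or policy definition.

```python
"""Policy evaluation over Pipeline Scan-style findings (added example, not Veracode code).
Finding structure, rule encoding and sample data are assumptions, not the real formats."""
from dataclasses import dataclass

# Assumed severity ladder, lowest to highest (Veracode numbers severities 0-5).
SEVERITY_LEVELS = ["informational", "very low", "low", "medium", "high", "very high"]

@dataclass(frozen=True)
class Finding:
    cwe_id: int
    cwe_category: str
    severity: str
    location: str

@dataclass(frozen=True)
class PolicyRule:
    kind: str   # "cwe_id", "cwe_category" or "severity" (the three Pipeline Scan rule types)
    value: str  # CWE number, category name, or the minimum severity that fails the scan

def rule_matches(rule: PolicyRule, finding: Finding) -> bool:
    if rule.kind == "cwe_id":
        return finding.cwe_id == int(rule.value)
    if rule.kind == "cwe_category":
        return finding.cwe_category.casefold() == rule.value.casefold()
    if rule.kind == "severity":
        threshold = SEVERITY_LEVELS.index(rule.value.casefold())
        return SEVERITY_LEVELS.index(finding.severity.casefold()) >= threshold
    raise ValueError(f"unsupported rule type for Pipeline Scan: {rule.kind}")

def evaluate_policy(rules, findings):
    """Return (rule, finding) pairs that violate the policy. Every finding is judged
    as-is: no grace periods, scan frequency or evaluation time frames apply."""
    return [(rule, f) for rule in rules for f in findings if rule_matches(rule, f)]

def policy_passes(rules, findings) -> bool:
    return not evaluate_policy(rules, findings)

# Constructed sample data, not real scan output.
SAMPLE_FINDINGS = [
    Finding(89, "SQL Injection", "Very High", "src/main/java/Db.java:42"),
    Finding(79, "Cross-Site Scripting (XSS)", "High", "src/main/webapp/index.jsp:7"),
    Finding(327, "Cryptographic Issues", "Medium", "src/main/java/Crypto.java:18"),
    Finding(117, "Improper Output Neutralization for Logs", "Low", "src/main/java/Log.java:5"),
]
SAMPLE_POLICY = [
    PolicyRule("cwe_id", "89"),                          # Findings with CWE ID
    PolicyRule("cwe_category", "Cryptographic Issues"),  # Findings in CWE Category
    PolicyRule("severity", "High"),                      # Findings by Severity: High or above
]
```

With the sample policy, `evaluate_policy(SAMPLE_POLICY, SAMPLE_FINDINGS)` reports four violations across three findings (CWE-89 twice, CWE-79 and CWE-327 once each), so the scan fails the policy.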
Configure logging
To obtain detailed console output during scanning, add the parameter --verbose=true to your pipeline script.
To send logging information to outputs other than the console, you can use the Apache Log4j 2 utility.
To configure logging settings, you can include a Log4j 2 configuration file with the name pipeline.scan.log4j2.properties in the execution directory of pipeline-scan.jar. The configuration file overrides the command-line options.
The following examples show a Java properties file and an XML configuration that use Log4j 2 to:
- Send verbose and debug messages to the log file pipeline-scan.log.
- Send information messages to the console.
In both examples, you can also send the PIPELINE_SCAN logger's messages to the console by setting logger.file.additivity to true.
pipeline.scan.log4j2.properties example
# Extra logging related to initialization of Log4j
# Set to debug or trace if log4j initialization is failing
status = warn
# Name of the configuration
name = ConsoleLogForPipelineScan
# Define the output file, e.g. logs/pipeline-scan.log, pipeline-scan.log
property.filename = pipeline-scan.log
# Console appender configuration
appender.console.type = Console
appender.console.name = consoleLogger
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = [%d{dd MMM yyyy HH:mm:ss,SSSS}] PIPELINE-SCAN %p: %m %n
# File appender configuration
appender.file.type = File
appender.file.name = fileLogger
appender.file.fileName = ${filename}
appender.file.layout.type = PatternLayout
appender.file.layout.pattern = [%d{dd MMM yyyy HH:mm:ss,SSSS}] PIPELINE-SCAN %p: %m %n
logger.file.name = PIPELINE_SCAN
logger.file.level = debug
logger.file.additivity = false
logger.file.appenderRef.file.ref = fileLogger
rootLogger.level = info
rootLogger.appenderRef.stdout.ref = consoleLogger
log4j2.xml configuration file example
Alternatively, to use a log4j2.xml configuration file like this example, you must specify the command line option -Dlog4j.configurationFile=[path-to]/log4j2.xml when running a pipeline scan:
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss.SSS} %-5level - %msg%n"/>
    </Console>
    <File name="File" fileName="pipeline-scan.log" append="true">
      <PatternLayout>
        <Pattern>%d{HH:mm:ss.SSS} [%t] %-5level - %msg%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Logger name="PIPELINE_SCAN" level="debug" additivity="false">
      <AppenderRef ref="File"/>
    </Logger>
    <Root level="info">
      <AppenderRef ref="Console"/>
    </Root>
  </Loggers>
</Configuration>
Import findings into GitLab
When using Pipeline Scan in GitLab pipelines, you can configure GitLab to generate issues for scan findings and import the findings to GitLab as vulnerabilities. You can use any GitLab subscription to generate GitLab issues.
This feature uses the GitLab API. You can configure it to support custom domains. To use a custom domain, set the GITLAB_URL CI/CD variable to the base URL. For example: GITLAB_URL=https://<GITLAB_URL>/api/v4/projects/. The default is https://gitlab.com/api/v4/projects/.
To import findings into GitLab, complete the following tasks and configure the --gl_issue_generation and --gl_vulnerability_generation parameters.
Create a GitLab access token
Create a GitLab access token and set it as an environment variable to enable a Pipeline Scan to generate GitLab issues from discovered flaws.
To complete this task:
- In GitLab, select Edit Profile > Access Tokens > Create personal access token.
- Ensure that the token has a scope of api. See the GitLab documentation.
- Select Settings > CI/CD > Variables and store the token you created as an environment variable named PRIVATE_TOKEN.
Set GitLab base directories
If you are scanning Java applications, set environment variables for GitLab base directories to enable a Pipeline Scan to generate GitLab issues.
To complete this task:
- In GitLab, select Settings > CI/CD > Variables.
- Set the following environment variables:
  - SRC_ROOT: the filepath, typically /src/main/java/.
  - JSP_ROOT: the filepath, typically /src/main/webapp/.