Example code for Azure DevOps
You can add Veracode Pipeline Scan as a job in an Azure DevOps pipeline. You can use the YAML code examples in this section to configure Azure DevOps pipelines for building a project and running the Pipeline Scan as a stage in the pipeline.
The Pipeline Scan code examples include variables for your API credentials. Ensure these variables correctly reference your API ID and key stored in your CI/CD code repository.
Veracode provides these packaged applications on GitHub: VeraDemoDotNet and VeraDemo. You can use these applications for testing, debugging, or for demos if you do not have an application that meets the packaging requirements for a specific scan type. You can download these applications or connect them to a CI/CD code repository.
Scan an ASP.NET application
This example YAML code shows how to add a Pipeline Scan as a build stage in an Azure DevOps build pipeline for an ASP.NET application on Windows.
The example includes a script that downloads and unzips pipeline-scan-LATEST.zip, to ensure you have the latest version, then runs pipeline-scan.jar using your API credentials. For improved stability, we recommend that you change the script to use the Pipeline Scan Docker image.
trigger:
- main

pool:
  vmImage: "windows-latest"

variables:
  solution: "**/*.sln"
  buildPlatform: "Any CPU"
  buildConfiguration: "Release"

steps:
- task: NuGetToolInstaller@1

- task: NuGetCommand@2
  inputs:
    restoreSolution: "$(solution)"

- task: VSBuild@1
  inputs:
    solution: "$(solution)"
    msbuildArgs: '/p:DeployOnBuild=true /p:WebPublishMethod=Package /p:PackageAsSingleFile=true /p:SkipInvalidConfigurations=true /p:PackageLocation="$(build.artifactStagingDirectory)"'
    platform: "$(buildPlatform)"
    configuration: "$(buildConfiguration)"

# VERACODE_API_ID and VERACODE_API_KEY pipeline variables must reference your API credentials.
# "|| true" specifies to continue the build if Pipeline Scan discovers flaws.
# To fail the build for new flaws not listed in a baseline file, add an existing baseline file with "-bf <baseline filename>" and remove "|| true".
- task: CmdLine@2
  displayName: Veracode Pipeline Scan
  inputs:
    script: |
      curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
      unzip -o pipeline-scan-LATEST.zip
      java -jar pipeline-scan.jar -vid $(VERACODE_API_ID) -vkey $(VERACODE_API_KEY) -f $(build.artifactstagingdirectory)\Verademo-dotnet.zip || true

- task: PublishBuildArtifacts@1
  displayName: Create Build Artifact for Veracode Pipeline Scan Results
  inputs:
    PathtoPublish: "results.json"
    ArtifactName: "Build"
    publishLocation: "Container"
Add scanning to a Gradle build stage
This example YAML code shows how to add a Pipeline Scan as a build stage in an Azure DevOps build pipeline that uses Gradle.
The example includes a script that downloads and unzips pipeline-scan-LATEST.zip, to ensure you have the latest version, then runs pipeline-scan.jar using your API credentials. For improved stability, we recommend that you change these scripts to use the Pipeline Scan Docker image.
trigger:
- master

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: Gradle@2
  inputs:
    workingDirectory: ''
    gradleWrapperFile: 'gradlew'
    gradleOptions: '-Xmx3072m'
    javaHomeOption: 'JDKVersion'
    jdkVersionOption: '1.8'
    jdkArchitectureOption: 'x64'
    publishJUnitResults: true
    testResultsFiles: '**/TEST-*.xml'
    tasks: 'build'

- script: |
    curl -O -L https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
  displayName: 'Download Pipeline Scanner'

- task: ExtractFiles@1
  inputs:
    archiveFilePatterns: 'pipeline-scan-LATEST.zip'
    destinationFolder: 'pipeline'
    cleanDestinationFolder: false

# The env block maps the VERACODE_API_ID and VERACODE_API_KEY pipeline variables (secrets are not
# exported automatically) into the shell environment, so the script reads them as $VERACODE_API_ID
# and $VERACODE_API_KEY. Replace "example.jar" with the artifact your Gradle build produces.
# "--fail_on_severity" and "--fail_on_cwe" fail the build when flaws of those severities or CWE IDs are found.
- script: |
    java -jar pipeline/pipeline-scan.jar --veracode_api_id "$VERACODE_API_ID" --veracode_api_key "$VERACODE_API_KEY" --file "example.jar" --fail_on_severity="Very High, High" --fail_on_cwe="80"
  env:
    VERACODE_API_ID: $(VERACODE_API_ID)
    VERACODE_API_KEY: $(VERACODE_API_KEY)
  displayName: 'Run Pipeline Scan'
Add scanning to a Maven build stage
This example YAML code shows how to add a Pipeline Scan as a build stage in an Azure DevOps build pipeline that uses Maven on Unix.
The example includes a script that downloads and unzips pipeline-scan-LATEST.zip, to ensure you have the latest version, then runs pipeline-scan.jar using your API credentials. For improved stability, we recommend that you change these scripts to use the Pipeline Scan Docker image.
trigger:
- master

pool:
  vmImage: "ubuntu-latest"

steps:
- task: Maven@3
  displayName: Build with Maven
  inputs:
    mavenPomFile: "app/pom.xml"
    mavenOptions: "-Xmx3072m"
    javaHomeOption: "JDKVersion"
    jdkVersionOption: "1.8"
    jdkArchitectureOption: "x64"
    publishJUnitResults: true
    testResultsFiles: "**/surefire-reports/TEST-*.xml"
    goals: "package"

# VERACODE_API_ID and VERACODE_API_KEY pipeline variables must reference your API credentials.
# "|| true" specifies to continue the build if Pipeline Scan discovers flaws.
# To fail the build for new flaws not listed in a baseline file, add an existing baseline file with "-bf <baseline filename>" and remove "|| true".
# $(System.DefaultWorkingDirectory) resolves to /home/vsts/work/1/s on hosted Ubuntu agents.
- task: Bash@3
  displayName: Veracode Pipeline Scan
  inputs:
    targetType: "inline"
    script: |
      curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
      unzip -o pipeline-scan-LATEST.zip
      java -jar pipeline-scan.jar -vid $(VERACODE_API_ID) -vkey $(VERACODE_API_KEY) -f $(System.DefaultWorkingDirectory)/app/target/verademo.war || true

- publish: $(System.DefaultWorkingDirectory)/results.json # Save the scan results as a file named results.json.
  artifact: VeracodeBaseline
Create and apply a baseline file
This YAML code example shows how to generate and use a baseline file in an Azure DevOps build pipeline.
The Pipeline Scan compares the flaws it finds against those stored in the baseline file and evaluates only the flaws that differ when deciding whether the scan passes or fails, so you can use a baseline file to assess the security risk of only the new changes to your application. This example uses a single pipeline for the build and the security scan and stores the baseline file as an artifact each time a job runs. You can modify the example to run the Pipeline Scan as its own pipeline that another job triggers. Depending on your build configuration, you may want to store results in a separate, globally accessible location, such as a shared directory.
The example includes a script that downloads and unzips pipeline-scan-LATEST.zip, to ensure you have the latest version, then runs pipeline-scan.jar using your API credentials. For improved stability, we recommend that you change these scripts to use the Pipeline Scan Docker image.
Create a baseline file
trigger:
- master

pool:
  vmImage: "ubuntu-latest"

steps:
- task: Gradle@2
  inputs:
    workingDirectory: ""
    gradleWrapperFile: "gradlew"
    gradleOptions: "-Xmx3072m"
    javaHomeOption: "JDKVersion"
    jdkVersionOption: "1.8"
    jdkArchitectureOption: "x64"
    publishJUnitResults: true
    testResultsFiles: "**/TEST-*.xml"
    tasks: "build"

- script: |
    curl -O -L https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
  displayName: "Download Pipeline Scan"

- task: ExtractFiles@1
  inputs:
    archiveFilePatterns: "pipeline-scan-LATEST.zip"
    destinationFolder: "pipeline"
    cleanDestinationFolder: false

# Pipeline Scan command. VERACODE_API_ID and VERACODE_API_KEY are mapped from the pipeline
# variables into the shell environment by the env block and must reference your API credentials.
# "--json_output_file" saves scan results as a JSON file that you can use as a baseline file.
# "|| true" keeps the build green here because this run only records the baseline.
- script: |
    java -jar pipeline/pipeline-scan.jar --veracode_api_id "$VERACODE_API_ID" --veracode_api_key "$VERACODE_API_KEY" --file "example.jar" --json_output_file="baseline.json" || true
  env:
    VERACODE_API_ID: $(VERACODE_API_ID)
    VERACODE_API_KEY: $(VERACODE_API_KEY)
  displayName: "Run Pipeline Scan"

- publish: $(System.DefaultWorkingDirectory)/baseline.json
  artifact: baseline
Apply a baseline file
The following code applies a baseline file and fails the build when new flaws are found during scanning.
trigger:
- master

pool:
  vmImage: "ubuntu-latest"

steps:
- script: |
    curl -O -L https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
  displayName: "Download Pipeline Scan"

- task: ExtractFiles@1
  inputs:
    archiveFilePatterns: "pipeline-scan-LATEST.zip"
    destinationFolder: "pipeline"
    cleanDestinationFolder: false

# Fetch the "baseline" artifact published by the pipeline that created it ("project" and "pipeline"
# identify that pipeline). The task downloads to $(Pipeline.Workspace) by default, one level above
# the source directory the script runs in, which is why the script refers to ../baseline.json.
- task: DownloadPipelineArtifact@2
  inputs:
    source: specific
    project: "test"
    pipeline: 2
    artifact: baseline

# VERACODE_API_ID and VERACODE_API_KEY are mapped from the pipeline variables into the shell
# environment by the env block and must reference your API credentials.
# "--baseline_file" specifies the baseline of known flaws for the specified application file.
# This command has no "|| true", so it breaks the build for new flaws not listed in the baseline file.
- script: |
    java -jar pipeline/pipeline-scan.jar --veracode_api_id "$VERACODE_API_ID" --veracode_api_key "$VERACODE_API_KEY" --file "example.jar" --baseline_file "../baseline.json"
  env:
    VERACODE_API_ID: $(VERACODE_API_ID)
    VERACODE_API_KEY: $(VERACODE_API_KEY)
  displayName: "Run Pipeline Scan"
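The two pipelines above record a baseline and then let the scanner decide pass or fail against it. To make the baseline idea concrete, here is an added example (not Veracode's code and not part of the original page) that performs the same kind of comparison on two JSON result files: it lists findings absent from the baseline and applies a policy in the style of the --fail_on_severity and --fail_on_cwe options. It assumes only a small subset of the results.json layout (a top-level "findings" list whose entries carry "severity" as an integer from 5 = Very High down to 0 = Informational, "cwe_id", "title", "files.source_file.file" / "line" and "flaw_match.flaw_hash"), and it treats flaw_hash as the identity of a finding; that matching rule is an assumption made for illustration, since the scanner applies its own matching when you pass --baseline_file. The embedded baseline and current results are constructed sample data.

```python
"""Baseline-style gating of Pipeline Scan JSON results (added illustration,
not Veracode's code). Only the result fields named in the lead-in are assumed;
matching on flaw_match.flaw_hash is an assumption for illustration."""
import json
import sys

# Severity integers as used in Pipeline Scan results.
SEVERITY_NAMES = {
    5: "Very High", 4: "High", 3: "Medium", 2: "Low", 1: "Very Low", 0: "Informational",
}


def parse_list(value):
    """Split a comma-separated option such as "Very High, High" into a set of names."""
    return {item.strip() for item in value.split(",") if item.strip()}


def finding_key(finding):
    """Identity used to match a current finding against the baseline (assumed: flaw_hash)."""
    return finding["flaw_match"]["flaw_hash"]


def new_findings(baseline, current):
    """Findings in the current scan whose key does not appear in the baseline."""
    known = {finding_key(f) for f in baseline.get("findings", [])}
    return [f for f in current.get("findings", []) if finding_key(f) not in known]


def blocking_findings(findings, fail_on_severity, fail_on_cwe):
    """Apply a --fail_on_severity / --fail_on_cwe style policy to a list of findings."""
    severities = parse_list(fail_on_severity)
    cwes = parse_list(fail_on_cwe)
    return [
        f for f in findings
        if SEVERITY_NAMES.get(f["severity"]) in severities or str(f["cwe_id"]) in cwes
    ]


def describe(finding):
    """One-line human-readable summary of a finding."""
    src = finding["files"]["source_file"]
    sev = SEVERITY_NAMES.get(finding["severity"], str(finding["severity"]))
    return f"[{sev}] CWE-{finding['cwe_id']} {finding['title']} at {src['file']}:{src['line']}"


def gate(baseline_text, current_text, fail_on_severity="", fail_on_cwe=""):
    """Return the new findings, the policy violations among them, and a build exit code."""
    new = new_findings(json.loads(baseline_text), json.loads(current_text))
    blocking = blocking_findings(new, fail_on_severity, fail_on_cwe)
    return {
        "new": [describe(f) for f in new],
        "blocking": [describe(f) for f in blocking],
        "exit_code": 1 if blocking else 0,
    }


def _finding(flaw_hash, severity, cwe_id, title, path, line):
    """Build one constructed finding record for the embedded sample data."""
    return {
        "title": title, "severity": severity, "cwe_id": cwe_id,
        "files": {"source_file": {"file": path, "line": line}},
        "flaw_match": {"flaw_hash": flaw_hash},
    }


# Constructed sample data (not real scan output). The baseline knows two flaws; the
# current scan still has one of them, no longer has the other, and gained two new ones.
BASELINE_JSON = json.dumps({"findings": [
    _finding("h-aaa", 3, "79", "Cross-Site Scripting", "UserController.java", 42),
    _finding("h-bbb", 4, "89", "SQL Injection", "LoginDao.java", 17),
]})
CURRENT_JSON = json.dumps({"findings": [
    _finding("h-bbb", 4, "89", "SQL Injection", "LoginDao.java", 17),
    _finding("h-ccc", 4, "502", "Deserialization of Untrusted Data", "Session.java", 88),
    _finding("h-ddd", 2, "80", "Basic XSS", "Profile.jsp", 5),
]})


def main(argv):
    """Usage: gate.py baseline.json results.json; with no arguments the sample data is used."""
    if len(argv) >= 3:
        with open(argv[1]) as b, open(argv[2]) as r:
            baseline_text, current_text = b.read(), r.read()
    else:
        baseline_text, current_text = BASELINE_JSON, CURRENT_JSON
    verdict = gate(baseline_text, current_text, "Very High, High", "80")
    for line in verdict["new"]:
        print("NEW      ", line)
    for line in verdict["blocking"]:
        print("BLOCKING ", line)
    return verdict["exit_code"]


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it reports the two new findings and exits 1, because one is High and the other is CWE-80, which is exactly the situation in which the "Apply a baseline file" pipeline above breaks the build. A finding that was in the baseline but is gone from the current scan (h-aaa) is simply not reported: a baseline only suppresses known flaws, it never resurrects fixed ones.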