Example code for GitLab
You can add Veracode Pipeline Scan as a job in a GitLab pipeline. You can use the YAML code examples in this section to configure GitLab pipeline jobs for building a project and running a Pipeline Scan as a stage in the pipeline.
The Pipeline Scan code examples include variables for your API credentials. Ensure these variables correctly reference your API ID and key stored in your CI/CD code repository.
Before you can use the --gl_issue_generation parameter, you must configure GitLab to import findings as issues.
Add scanning to a Gradle build stage
This example YAML code shows how to add a Pipeline Scan as a build stage in a GitLab Actions build pipeline using Gradle.
The example includes a script that downloads and unzips pipeline-scan-LATEST.zip, to ensure you have the latest version, then runs pipeline-scan.jar using your API credentials. For improved stability, we recommend that you change these scripts to use the Pipeline Scan Docker image.
image: <image-with-above-requirements>
stages:
- build
- scan
build_job:
stage: build
artifacts:
name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_build
paths:
- build/
expire_in: 1 week
script: gradle clean build
pipeline scan:
stage: scan
dependencies:
- build_job
artifacts:
name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_pipeline-results
paths:
- results.json
expire_in: 1 week
when: always
script:
- curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- unzip pipeline-scan-LATEST.zip pipeline-scan.jar
- java -jar pipeline-scan.jar
--veracode_api_id "${VERACODE_API_ID}"
--veracode_api_key "${VERACODE_API_SECRET}"
--file "build/libs/sample.jar"
--fail_on_severity="Very High, High"
--fail_on_cwe="80"
--baseline_file "${CI_BASELINE_PATH}"
--timeout "${CI_TIMEOUT}"
--project_name "${CI_PROJECT_PATH}"
--project_url "${CI_REPOSITORY_URL}"
--project_ref "${CI_COMMIT_REF_NAME}"
Add scanning to a Gradle build stage and generate issues for findings
This example YAML code shows how to add a Pipeline Scan and automatic issue generation as a build stage in a GitLab build pipeline using Gradle.
This structure in the GitLab CI performs a self-test and sets the $VERACODE_API_* variables in the CI/CD settings.
The example includes a script that downloads and unzips pipeline-scan-LATEST.zip, to ensure you have the latest version, then runs pipeline-scan.jar using your API credentials. For improved stability, we recommend that you change these scripts to use the Pipeline Scan Docker image.
image: <image-with-above-requirements>
stages:
- build
- scan
build_job:
stage: build
artifacts:
name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_build
paths:
- build/
expire_in: 1 week
script: gradle clean build
pipeline scan:
stage: scan
dependencies:
- build_job
artifacts:
name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_pipeline-results
paths:
- results.json
expire_in: 1 week
when: always
script:
- curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- unzip pipeline-scan-LATEST.zip pipeline-scan.jar
- java -jar pipeline-scan.jar
--veracode_api_id "${VERACODE_API_ID}"
--veracode_api_key "${VERACODE_API_SECRET}"
--file "build/libs/sample.jar"
--fail_on_severity="Very High, High"
--fail_on_cwe="80"
--baseline_file "${CI_BASELINE_PATH}"
--timeout "${CI_TIMEOUT}"
--project_name "${CI_PROJECT_PATH}"
--project_url "${CI_REPOSITORY_URL}"
--project_ref "${CI_COMMIT_REF_NAME}"
--gl_issue_generation true
Add scanning to a Gradle build stage and import findings as vulnerabilities
This example YAML code shows how to add a Pipeline Scan and automatic vulnerability generation as a build stage in a GitLab build pipeline using Gradle. Automatic vulnerability generation requires a GitLab Premium or Ultimate license.
This structure in the GitLab CI performs a self-test and sets the $VERACODE_API_* variables in the CI/CD settings.
The example includes a script that downloads and unzips pipeline-scan-LATEST.zip, to ensure you have the latest version, then runs pipeline-scan.jar using your API credentials. For improved stability, we recommend that you change these scripts to use the Pipeline Scan Docker image.
image: <image-with-above-requirements>
stages:
- build
- scan
build_job:
stage: build
artifacts:
name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_build
paths:
- build/
expire_in: 1 week
script: gradle clean build
pipeline scan:
stage: scan
dependencies:
- build_job
artifacts:
name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_pipeline-results
paths:
- results.json
- veracode_gitlab_vulnerabilities.json
reports:
sast: veracode_gitlab_vulnerabilities.json
expire_in: 1 week
when: always
script:
- curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- unzip pipeline-scan-LATEST.zip pipeline-scan.jar
- java -jar pipeline-scan.jar
--veracode_api_id "${VERACODE_API_ID}"
--veracode_api_key "${VERACODE_API_SECRET}"
--file "build/libs/sample.jar"
--fail_on_severity="Very High, High"
--fail_on_cwe="80"
--baseline_file "${CI_BASELINE_PATH}"
--timeout "${CI_TIMEOUT}"
--project_name "${CI_PROJECT_PATH}"
--project_url "${CI_REPOSITORY_URL}"
--project_ref "${CI_COMMIT_REF_NAME}"
--gl_vulnerability_generation true
Add scanning to a Gradle build stage, apply a built-in policy, and import vulnerabilities
This YAML code example shows how to add a Pipeline Scan to GitLab with Gradle using a built-in security policy and automatic vulnerability generation.
To evaluate Pipeline Scan results against one of the built-in policies in the Veracode Platform, enter the policy name using the --policy_name parameter. This parameter replaces the --fail_on_severity and --fail_on_cwe parameters.
The example includes a script that downloads and unzips pipeline-scan-LATEST.zip, to ensure you have the latest version, then runs pipeline-scan.jar using your API credentials. For improved stability, we recommend that you change these scripts to use the Pipeline Scan Docker image.
image: <image-with-above-requirements>
stages:
- build
- scan
build_job:
stage: build
artifacts:
name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_build
paths:
- build/
expire_in: 1 week
script: gradle clean build
pipeline scan:
stage: scan
dependencies:
- build_job
artifacts:
name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_pipeline-results
paths:
- results.json
- veracode_gitlab_vulnerabilities.json
reports:
sast: veracode_gitlab_vulnerabilities.json
expire_in: 1 week
when: always
script:
- curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- unzip pipeline-scan-LATEST.zip pipeline-scan.jar
- java -jar pipeline-scan.jar
--veracode_api_id "${VERACODE_API_ID}"
--veracode_api_key "${VERACODE_API_SECRET}"
--file "build/libs/sample.jar"
--policy_name="Veracode Recommended Very High"
--baseline_file "${CI_BASELINE_PATH}"
--timeout "${CI_TIMEOUT}"
--project_name "${CI_PROJECT_PATH}"
--project_url "${CI_REPOSITORY_URL}"
--project_ref "${CI_COMMIT_REF_NAME}"
--gl_vulnerability_generation true
Add scanning to a Gradle build stage, apply a custom policy, and import vulnerabilities
These code examples show how to download a custom security policy and use it in a GitLab pipeline with Gradle and automatic vulnerability generation.
To download a policy locally to use later in the pipeline, use the --request_policy parameter as shown in this example:
- java -jar pipeline-scan.jar
--veracode_api_id "${VERACODE_API_ID}"
--veracode_api_key "${VERACODE_API_SECRET}"
--request_policy="Custom Policy"
Pipeline Scan automatically names the locally-generated policy file using the format <policy name>.json, replacing any spaces with underscores. In this example, the resulting file is named Custom_Policy.json. You should place this file in a location accessible to the pipeline for its subsequent use. Use the --policy_file parameter to specify the local custom policy for vulnerability filtering:
The example includes a script that downloads and unzips pipeline-scan-LATEST.zip, to ensure you have the latest version, then runs pipeline-scan.jar using your API credentials. For improved stability, we recommend that you change these scripts to use the Pipeline Scan Docker image.
image: <image-with-above-requirements>
stages:
- build
- scan
build_job:
stage: build
artifacts:
name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_build
paths:
- build/
expire_in: 1 week
script: gradle clean build
pipeline scan:
stage: scan
dependencies:
- build_job
artifacts:
name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_pipeline-results
paths:
- results.json
- veracode_gitlab_vulnerabilities.json
reports:
sast: veracode_gitlab_vulnerabilities.json
expire_in: 1 week
when: always
script:
- curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- unzip pipeline-scan-LATEST.zip pipeline-scan.jar
- java -jar pipeline-scan.jar
--veracode_api_id "${VERACODE_API_ID}"
--veracode_api_key "${VERACODE_API_SECRET}"
--file "build/libs/sample.jar"
--policy_file="Custom_Policy.json"
--baseline_file "${CI_BASELINE_PATH}"
--timeout "${CI_TIMEOUT}"
--project_name "${CI_PROJECT_PATH}"
--project_url "${CI_REPOSITORY_URL}"
--project_ref "${CI_COMMIT_REF_NAME}"
--gl_vulnerability_generation true
Add scanning to a Maven build stage
This example YAML code shows how to add a Pipeline Scan as a build stage in a GitLab Actions build pipeline using Maven.
The example includes a script that downloads and unzips pipeline-scan-LATEST.zip, to ensure you have the latest version, then runs pipeline-scan.jar using your API credentials. For improved stability, we recommend that you change these scripts to use the Pipeline Scan Docker image.
image: <image-with-above-requirements>
stages:
- build
- scan
build_job:
stage: build
script:
- mvn clean verify
artifacts:
name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_build
paths:
- build/
expire_in: 1 week
pipeline scan:
stage: scan
dependencies:
- build_job
artifacts:
name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_pipeline-results
paths:
- results.json
expire_in: 1 week
when: always
script:
- curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- unzip pipeline-scan-LATEST.zip pipeline-scan.jar
- java -jar pipeline-scan.jar
--veracode_api_id "${VERACODE_API_ID}"
--veracode_api_key "${VERACODE_API_SECRET}"
--file "build/libs/sample.jar"
--fail_on_severity="Very High, High"
--fail_on_cwe="80"
--baseline_file "${CI_BASELINE_PATH}"
--timeout "${CI_TIMEOUT}"
--project_name "${CI_PROJECT_PATH}"
--project_url "${CI_REPOSITORY_URL}"
--project_ref "${CI_COMMIT_REF_NAME}"
Scan with a baseline file
This YAML code example shows how to generate, store, and use a baseline file in a GitLab build pipeline.
The Pipeline Scan evaluates only flaws that differ from those stored in the baseline file to determine pass or fail criteria. You can use a baseline file to evaluate security risk on only new changes to your application. The Pipeline Scan uses a single pipeline for the build and security scan, then stores the baseline file as an artifact each time a job runs. You can modify this example so that you can run the Pipeline Scan as its own pipeline that another job can trigger. Depending on your build configuration, you may want to store results in a separate globally-accessible location, such as a shared directory.
The example includes a script that downloads and unzips pipeline-scan-LATEST.zip, to ensure you have the latest version, then runs pipeline-scan.jar using your API credentials. For improved stability, we recommend that you change these scripts to use the Pipeline Scan Docker image.
image: <image-with-above-requirements>
stages:
- build
- scan
- store
build_job:
stage: build
artifacts:
name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_build
paths:
- build/
expire_in: 1 week
script: gradle clean build
Scan:
stage: scan
only:
- master
dependencies:
- build_job
artifacts:
name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_pipeline-results
paths:
- baseline.json
expire_in: 1 week
when: always
script:
- curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- unzip pipeline-scan-LATEST.zip pipeline-scan.jar
- java -jar pipeline-scan.jar
--veracode_api_id "${VERACODE_API_ID}"
--veracode_api_key "${VERACODE_API_SECRET}"
--file "build/libs/sample.jar"
--fail_on_severity="Very High, High"
--fail_on_cwe="80"
--json_output_file="baseline.json"
--timeout "${CI_TIMEOUT}"
--project_name "${CI_PROJECT_PATH}"
--project_url "${CI_REPOSITORY_URL}"
--project_ref "${CI_COMMIT_REF_NAME}"
Store Baseline:
# Job will only run on master, if requested.
# Will restore the above baseline artifact so it can be pulled down in other stages
stage: store
before_script:
only:
- master
when: manual
script:
- echo "Storing results.json as baseline.json"
artifacts:
name: baseline
paths:
- baseline.json # If you want to keep this longer than the GitLab default - press store in the web UI
Baseline Scan:
# Job will run anywhere, except master. Will pull the baseline file and use it in the scan, if available
dependencies:
- Scan
except:
- master
stage: scan
script:
- git clean -dfx
- "curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip"
- unzip pipeline-scan-LATEST.zip pipeline-scan.jar
- '[[ ! -f baseline.json ]] && curl --location "$CI_PROJECT_URL/-/jobs/artifacts/$CI_COMMIT_REF_NAME/raw/baseline.json?job=Store%20Baseline" -o baseline.json'
- java -jar pipeline-scan.jar --veracode_api_id "${VERACODE_KEY}" --veracode_api_key "${VERACODE_SECRET}" --file "<file_to_scan>" --project_name "${CI_PROJECT_PATH}" --project_url "${CI_PROJECT_URL}" --project_ref "${CI_COMMIT_REF_NAME}" --baseline_file baseline.json -jf results.json