Example code for Jenkins
You can add Veracode Pipeline Scan as a job in a Jenkins declarative pipeline. You configure a Jenkins pipeline with a Jenkinsfile that defines the stages the pipeline runs. You can use the Groovy code examples in this section to configure a Jenkins build job that builds a project and runs a Pipeline Scan as a stage in the pipeline.
The Pipeline Scan code examples include variables for your Veracode API credentials. Ensure these variables correctly reference your API ID and key stored in your CI/CD code repository.
Veracode provides these packaged applications on GitHub: VeraDemoDotNet and VeraDemo. You can use these applications for testing, debugging, or for demos if you do not have an application that meets the packaging requirements for a specific scan type. You can download these applications or connect them to a CI/CD code repository.
Add scanning to a Gradle build stage
This example Groovy code shows how to add a Pipeline Scan as a build stage in a Jenkins build pipeline that uses Gradle.
The example includes a script that downloads and unzips pipeline-scan-LATEST.zip, to ensure you have the latest version, then runs pipeline-scan.jar using your API credentials. For improved stability, we recommend that you change these scripts to use the Pipeline Scan Docker image.
pipeline {
    // Replace the label with one that selects an agent that has JDK 8, Gradle, curl, and unzip.
    agent { label 'any-with-jdk8-gradle-curl-unzip' }
    stages {
        stage('Gradle Build') {
            steps {
                sh 'gradle clean build'
            }
        }
        stage('Veracode Pipeline Scan') {
            steps {
                sh 'curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip'
                sh 'unzip pipeline-scan-LATEST.zip pipeline-scan.jar'
                // Single-quoted Groovy string: the shell expands the variables, so the API key
                // is read from the environment rather than interpolated into the script text.
                // VERACODE_API_ID, VERACODE_API_SECRET, CI_BASELINE_PATH, and CI_TIMEOUT must be
                // set in the job environment; JOB_NAME, GIT_URL, and GIT_COMMIT are set by Jenkins.
                sh '''java -jar pipeline-scan.jar \
                    --veracode_api_id "${VERACODE_API_ID}" \
                    --veracode_api_key "${VERACODE_API_SECRET}" \
                    --file "build/libs/sample.jar" \
                    --fail_on_severity="Very High, High" \
                    --fail_on_cwe="80" \
                    --baseline_file "${CI_BASELINE_PATH}" \
                    --timeout "${CI_TIMEOUT}" \
                    --project_name "${JOB_NAME}" \
                    --project_url "${GIT_URL}" \
                    --project_ref "${GIT_COMMIT}"'''
            }
        }
    }
    post {
        always {
            archiveArtifacts artifacts: 'results.json', fingerprint: true
        }
    }
}
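The paragraph above recommends replacing the curl-and-unzip download with the Pipeline Scan Docker image. The following Jenkinsfile is an added example, not Veracode's own code, that does that for the Gradle stage and also takes the API ID and key from the Jenkins credentials store rather than from plain environment variables. It assumes a Jenkins "Username with password" credential with the ID veracode-api-credentials (API ID as the username, API key as the password), the public image veracode/pipeline-scan, and that the image ships the scanner at /opt/veracode/pipeline-scan.jar; the agent label is a placeholder.

```groovy
pipeline {
    // Placeholder label: any agent with a JDK, Gradle, and access to a Docker daemon.
    agent { label 'any-with-jdk8-gradle-docker' }
    environment {
        // Assumed credential ID. Jenkins exposes a username/password credential as
        // VERACODE_USR (API ID) and VERACODE_PSW (API key) and masks both in the console log.
        VERACODE = credentials('veracode-api-credentials')
    }
    stages {
        stage('Gradle Build') {
            steps {
                sh 'gradle clean build'
            }
        }
        stage('Veracode Pipeline Scan') {
            agent {
                docker {
                    image 'veracode/pipeline-scan:latest'
                    // Run in the workspace of the build stage so build/libs/ is visible.
                    reuseNode true
                }
            }
            steps {
                // Single-quoted script: the shell expands the variables, so the API key
                // is never interpolated into the Groovy script text.
                sh '''
                    java -jar /opt/veracode/pipeline-scan.jar \
                        --veracode_api_id "$VERACODE_USR" \
                        --veracode_api_key "$VERACODE_PSW" \
                        --file "build/libs/sample.jar" \
                        --fail_on_severity="Very High, High" \
                        --jf results.json \
                        --project_name "$JOB_NAME" \
                        --project_url "$GIT_URL" \
                        --project_ref "$GIT_COMMIT"
                '''
            }
        }
    }
    post {
        always {
            // allowEmptyArchive keeps a scan that never wrote results from failing the post step.
            archiveArtifacts artifacts: 'results.json', fingerprint: true, allowEmptyArchive: true
        }
    }
}
```

Pinning the image to a specific tag instead of latest makes scan behaviour reproducible across builds. The scan stage fails the build when a finding meets the --fail_on_severity criteria, because the scanner then exits non-zero and the sh step propagates that status.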
Add scanning to a Maven build stage
This example Groovy code shows how to add a Pipeline Scan as a build stage in a Jenkins build pipeline that uses Maven.
The example includes a script that downloads and unzips pipeline-scan-LATEST.zip, to ensure you have the latest version, then runs pipeline-scan.jar using your API credentials. For improved stability, we recommend that you change these scripts to use the Pipeline Scan Docker image.
pipeline {
    // Replace the label with one that selects an agent that has JDK 8, Maven, curl, and unzip.
    agent { label 'any-with-jdk8-maven-curl-unzip' }
    stages {
        stage('Maven Build') {
            steps {
                sh 'mvn clean verify'
            }
        }
        stage('Veracode Pipeline Scan') {
            steps {
                sh 'curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip'
                sh 'unzip pipeline-scan-LATEST.zip pipeline-scan.jar'
                // Single-quoted Groovy string: the shell expands the variables, so the API key
                // is read from the environment rather than interpolated into the script text.
                // VERACODE_API_ID, VERACODE_API_SECRET, CI_BASELINE_PATH, and CI_TIMEOUT must be
                // set in the job environment; JOB_NAME, GIT_URL, and GIT_COMMIT are set by Jenkins.
                // Maven writes the packaged jar to target/, so point --file there.
                sh '''java -jar pipeline-scan.jar \
                    --veracode_api_id "${VERACODE_API_ID}" \
                    --veracode_api_key "${VERACODE_API_SECRET}" \
                    --file "target/sample.jar" \
                    --fail_on_severity="Very High, High" \
                    --fail_on_cwe="80" \
                    --baseline_file "${CI_BASELINE_PATH}" \
                    --timeout "${CI_TIMEOUT}" \
                    --project_name "${JOB_NAME}" \
                    --project_url "${GIT_URL}" \
                    --project_ref "${GIT_COMMIT}"'''
            }
        }
    }
    post {
        always {
            archiveArtifacts artifacts: 'results.json', fingerprint: true
        }
    }
}
Scan with a baseline file
This example Groovy code shows how you can add a Pipeline Scan that uses a baseline file to a Jenkins build pipeline.
The Pipeline Scan compares the findings against those stored in the baseline file and applies the pass or fail criteria only to findings that are not in the baseline. You can use a baseline file to evaluate the security risk of only the new changes to your application. This example uses a single pipeline for the build and the security scan, and stores the baseline file as an artifact each time the job runs. You can modify this example so that the Pipeline Scan runs as its own pipeline that another job can trigger. Depending on your build configuration, you may want to store results in a separate, globally accessible location, such as a shared directory.
The example includes a script that downloads and unzips pipeline-scan-LATEST.zip, to ensure you have the latest version, then runs pipeline-scan.jar using your API credentials. For improved stability, we recommend that you change these scripts to use the Pipeline Scan Docker image.
pipeline {
    // Replace the label with one that selects an agent that has JDK 8, curl, and unzip.
    agent { label 'any-with-jdk8-gradle-curl-unzip' }
    stages {
        stage('Clone Repo') {
            steps {
                git url: "$GIT_URL", branch: "$GIT_BRANCH", credentialsId: 'ae020d0c-c99b-4a6c-9663-7a2e0290648c'
            }
        }
        stage('Gradle Build') {
            steps {
                sh './gradlew clean build'
            }
        }
        stage('Veracode Pipeline Scan') {
            steps {
                // Copy the baseline from the previous stable build of this job, if one exists
                copyArtifacts(projectName: "$JOB_NAME", selector: lastSuccessful(stable: true), filter: 'baseline.json', target: '.', optional: true)
                script {
                    ref = sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
                    baseline = ''
                    if (fileExists('baseline.json')) {
                        baseline = '--baseline_file baseline.json'
                    }
                }
                // Download and submit Pipeline Scan. The credentials are escaped (\$) so the
                // shell reads them from the environment instead of Groovy interpolating the
                // secret into the script text. CI_TIMEOUT must be set in the job environment.
                sh 'curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip'
                sh 'unzip pipeline-scan-LATEST.zip pipeline-scan.jar'
                sh """
                    java -jar pipeline-scan.jar \
                        --veracode_api_id "\$VERACODE_API_KEY_ID" \
                        --veracode_api_key "\$VERACODE_API_KEY_SECRET" \
                        --jf results.json \
                        --timeout "\$CI_TIMEOUT" \
                        --file "build/libs/sample.jar" \
                        --project_name "$JOB_NAME" \
                        --project_url "$GIT_URL" \
                        --project_ref "$ref" \
                        $baseline
                """
            }
        }
        stage('Store Baseline') {
            steps {
                script {
                    try {
                        input(message: 'Store results as baseline for future scans?', ok: 'Yes')
                        // Keep the baseline this build was compared against, then promote the new
                        // results. The guard avoids a failing cp on the first run, which has no
                        // baseline.json yet.
                        sh 'if [ -f baseline.json ]; then cp baseline.json build-baseline.json; fi'
                        sh 'cp results.json baseline.json'
                    } catch (err) {
                        // Aborting the prompt ends up here; the scan result itself is unchanged.
                        echo "Baseline not stored: ${err}"
                    }
                }
            }
        }
    }
    post {
        always {
            archiveArtifacts artifacts: "*.json", fingerprint: true, allowEmptyArchive: true
            deleteDir()
        }
    }
}
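The text above notes that the scan can run as its own pipeline that another job triggers. The following Jenkinsfile is an added example, not Veracode's own code, of such a stand-alone scan job: it fetches the artifact from the specific upstream build that requested the scan, fetches its own last stable baseline, runs the scan in the Pipeline Scan Docker image, and promotes the results to the new baseline only when the scan passes, so no interactive prompt is needed. Assumed names are the job name veracode-pipeline-scan, the credential ID veracode-api-credentials, the parameters UPSTREAM_JOB, UPSTREAM_BUILD, UPSTREAM_COMMIT, and ARTIFACT, the image veracode/pipeline-scan, and the jar path /opt/veracode/pipeline-scan.jar; the agent label is a placeholder.

```groovy
// Stand-alone scan job (assumed name: veracode-pipeline-scan). A build job that has
// archived its jar triggers it with, for example:
//   build job: 'veracode-pipeline-scan', parameters: [
//       string(name: 'UPSTREAM_JOB', value: env.JOB_NAME),
//       string(name: 'UPSTREAM_BUILD', value: env.BUILD_NUMBER),
//       string(name: 'UPSTREAM_COMMIT', value: env.GIT_COMMIT)]
pipeline {
    agent { label 'any-with-docker' }   // placeholder label: needs a Docker daemon only
    parameters {
        string(name: 'UPSTREAM_JOB', defaultValue: '', description: 'Job that built the artifact')
        string(name: 'UPSTREAM_BUILD', defaultValue: '', description: 'Build number of that job to scan')
        string(name: 'UPSTREAM_COMMIT', defaultValue: '', description: 'Commit the artifact was built from')
        string(name: 'ARTIFACT', defaultValue: 'build/libs/sample.jar', description: 'Archived artifact path')
    }
    environment {
        // Assumed credential ID; exposed as VERACODE_USR (API ID) and VERACODE_PSW (API key).
        VERACODE = credentials('veracode-api-credentials')
    }
    stages {
        stage('Fetch Inputs') {
            steps {
                // The artifact from exactly the upstream build that asked for this scan
                copyArtifacts(projectName: params.UPSTREAM_JOB,
                              selector: specific(params.UPSTREAM_BUILD),
                              filter: params.ARTIFACT, target: '.')
                // This job's own last stable baseline, if there is one
                copyArtifacts(projectName: env.JOB_NAME, selector: lastSuccessful(stable: true),
                              filter: 'baseline.json', target: '.', optional: true)
            }
        }
        stage('Veracode Pipeline Scan') {
            agent {
                docker {
                    image 'veracode/pipeline-scan:latest'
                    reuseNode true   // same workspace as the fetch stage
                }
            }
            steps {
                // Build parameters and credentials are available to the shell as environment
                // variables; single quotes keep the API key out of the Groovy script text.
                sh '''
                    baseline=""
                    [ -f baseline.json ] && baseline="--baseline_file baseline.json"
                    java -jar /opt/veracode/pipeline-scan.jar \
                        --veracode_api_id "$VERACODE_USR" \
                        --veracode_api_key "$VERACODE_PSW" \
                        --file "$ARTIFACT" \
                        --jf results.json \
                        --fail_on_severity="Very High, High" \
                        --project_name "$UPSTREAM_JOB" \
                        --project_ref "$UPSTREAM_COMMIT" \
                        $baseline
                '''
                // Reached only when the scan passed its fail criteria, so these findings
                // become the baseline the next run is compared against.
                sh 'cp results.json baseline.json'
            }
        }
    }
    post {
        always {
            archiveArtifacts artifacts: '*.json', fingerprint: true, allowEmptyArchive: true
        }
    }
}
```

The Copy Artifact plugin only lets this job read another job's artifacts if the build job grants it permission to copy, which is configured on the build job. Because baseline.json is archived only by passing runs and fetched with lastSuccessful(stable: true), a failed scan never becomes the baseline that later scans are measured against.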