
Integrate agents with Codeship

You can create a Veracode SCA agent that scans your repositories as an automated task in your CodeShip pipelines.

Prerequisites

Your agent host has specific requirements that depend on the build and package managers your repositories use and on the language being scanned. To view the requirements, see the code language in Finding and fixing vulnerabilities.

Create your authentication token

By default, the agent you create is visible only to members of the workspace in which you created it. To make it visible to other teams, invite those teams to your workspace.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select a workspace.
  4. Select Agents > Actions > Create > Codeship.
  5. Select Create Agent & Generate Token.
  6. Copy the value in the token field. You use the token to authenticate with Veracode SCA during scans.

Configure your repos

To complete this task:

  1. In Codeship, go to the project you want to scan.

  2. Select Project Settings > Testing.

  3. In the test pipelines commands, enter the following code after your build commands:

    curl -sSL https://sca-downloads.veracode.com/ci.sh | sh
  4. Commit these changes to trigger a build for your repository.

Results:

Veracode SCA performs a scan and displays the results in your environment.

Next steps:

If you want to scan other repositories, add the installation and scan command above to the test pipelines of each project you want scanned. After you add the SRCCLR_API_TOKEN environment variable, a scan runs on each new build.

Configure your project

Before you begin:

Generate an Advanced Encryption Standard (AES) key and place the key in a codeship.aes file in the root of your project directory. Read additional documentation on generating an AES key.

To complete this task:

  1. Edit the text file containing your environment variables, which you encrypt prior to committing your code.

  2. Add the SRCCLR_API_TOKEN to the file and set it to the authentication token you generated above.

  3. Save the environment variable file.

  4. Encrypt the environment variables using Jet CLI. A file is generated, called env.encrypted in this example, with the encrypted environment variables:

    jet encrypt env env.encrypted

  5. Before you commit your code, add the env file to your .gitignore, or delete the file after you create it.

  6. Edit the codeship-services.yml file, and use the encrypted_env_file directive to add your encrypted environment variables from the env.encrypted file to your build process:

    app:
      build:
        image: myorg/appname
        dockerfile_path: Dockerfile
      encrypted_env_file: env.encrypted
  7. To scan in your project, edit the codeship-steps.yml file and add this step after your build step:

    - name: sourceclear
      service: app
      command: sh -c "curl -sSL https://sca-downloads.veracode.com/ci.sh | sh"
  8. Commit the changes to your repository.
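A pre-commit check for the procedure in steps 1 to 8, as an added example that is not part of the Veracode or Codeship documentation. It assumes the file names used on this page (env, env.encrypted, codeship.aes, codeship-services.yml, codeship-steps.yml) and builds its own constructed sample project; the token value and key contents it writes are placeholders, not real secrets.

```shell
#!/bin/sh
# Added example, not Veracode's or Codeship's own tooling. A pre-commit guard for
# the Codeship Pro setup described above. It assumes the file names used on this
# page: the plaintext env file "env", its encrypted form "env.encrypted", the AES
# key "codeship.aes", and codeship-services.yml / codeship-steps.yml.

# is_ignored DIR NAME: succeed if NAME appears as an exact line in DIR/.gitignore.
is_ignored() {
  [ -f "$1/.gitignore" ] && grep -qx -- "$2" "$1/.gitignore"
}

# has_plaintext_token FILE: succeed if FILE assigns SRCCLR_API_TOKEN in the clear.
has_plaintext_token() {
  [ -f "$1" ] && grep -q 'SRCCLR_API_TOKEN=' "$1"
}

# check_project DIR: print each problem found and return their count (0 = clean).
check_project() {
  dir=$1
  problems=0
  # 1. The plaintext env file and the AES key must never reach the repository.
  for secret in env codeship.aes; do
    if [ -f "$dir/$secret" ] && ! is_ignored "$dir" "$secret"; then
      echo "PROBLEM: $secret exists but is not listed in .gitignore"
      problems=$((problems + 1))
    fi
  done
  # 2. The token belongs only in the encrypted file, never in tracked YAML.
  for f in codeship-services.yml codeship-steps.yml; do
    if has_plaintext_token "$dir/$f"; then
      echo "PROBLEM: plaintext SRCCLR_API_TOKEN in $f"
      problems=$((problems + 1))
    fi
  done
  # 3. The service must load the encrypted variables at build time.
  if ! grep -q 'encrypted_env_file: *env.encrypted' "$dir/codeship-services.yml" 2>/dev/null; then
    echo "PROBLEM: codeship-services.yml does not reference env.encrypted"
    problems=$((problems + 1))
  fi
  # 4. jet encrypt must have been run so the build has something to decrypt.
  if [ ! -f "$dir/env.encrypted" ]; then
    echo "PROBLEM: env.encrypted missing; run: jet encrypt env env.encrypted"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# make_sample good|bad: create a constructed sample project in a temp dir and
# print its path. "bad" omits .gitignore and the encrypted file.
make_sample() {
  d=$(mktemp -d)
  # Constructed placeholder values, not real secrets.
  printf '%s\n' 'SRCCLR_API_TOKEN=EXAMPLE_TOKEN_PLACEHOLDER' > "$d/env"
  printf '%s\n' 'fake-aes-key-placeholder' > "$d/codeship.aes"
  printf '%s\n' 'app:' '  build:' '    image: myorg/appname' \
    '    dockerfile_path: Dockerfile' '  encrypted_env_file: env.encrypted' \
    > "$d/codeship-services.yml"
  printf '%s\n' '- name: sourceclear' '  service: app' \
    '  command: sh -c "curl -sSL https://sca-downloads.veracode.com/ci.sh | sh"' \
    > "$d/codeship-steps.yml"
  if [ "$1" = good ]; then
    printf '%s\n' env codeship.aes > "$d/.gitignore"
    printf '%s\n' 'ciphertext-placeholder' > "$d/env.encrypted"
  fi
  echo "$d"
}
```

Run `check_project "$PWD"` from the project root before committing (or call it from a pre-commit hook); a non-zero return is the number of problems, so it can block the commit directly. On the constructed "bad" project it reports the unignored env file, the unignored AES key and the missing env.encrypted, which are exactly the mistakes steps 4 to 6 are there to prevent.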

Results:

The next time you run your build through Codeship Pro, Veracode SCA performs an agent-based scan of your repository. For details on configuring your Codeship Pro project, see the Codeship Pro documentation.