Integrate agents with Jenkins/Hudson (Shell)
You can create a Veracode SCA agent that scans your repositories as an automated task in your Jenkins pipeline.
The Veracode Jenkins Plugin automates the upload and scan tasks of your Jenkins build pipeline and returns Veracode SCA findings as part of a Veracode Static Analysis.
Prerequisites
Your agent host has specific requirements depending on the build and package managers your repositories use and the language scanned. To view the requirements, see the code language in Finding and fixing vulnerabilities.
Install the Credentials Binding Plugin
To integrate Veracode Software Composition Analysis with Jenkins securely, install the Credentials Binding Plugin for binding your API token to the environment variable for the Veracode SCA API token.
Create your authentication token
By default, the agent you create is only visible to members of the workspace in which you created the agent. To allow visibility, invite teams to your workspace.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select a workspace.
- Select Agents > Actions > Create > Jenkins/Hudson.
- Select Create Agent & Generate Token.
- Copy the value in the token field. You use the token to authenticate with Veracode SCA during scans.
Bind your Jenkins environment variable
To complete this task:
- In Jenkins, go to Credentials > Jenkins > Global credentials > Add credentials.
- From the Kind dropdown list, select Secret text.
- From the Scope dropdown list, select Global.
- In the Secret field, enter your Veracode SCA API token.
- In the ID field, enter SRCCLR_API_TOKEN.
- Select OK.
Configure your Jenkins job for scanning
To complete this task:
- In Jenkins, select the job you want to scan.
- Select Configure.
- Select Build Environment.
- Select Use secret text(s) or file(s).
- Under Bindings, select Add > Secret text.
- For Variable, enter SRCCLR_API_TOKEN.
- Select SRCCLR_API_TOKEN.
- In the Build section, select Add build step > Execute shell. You can include the shell as a pre- or post-build step.
- Add this command to the shell command box:
  curl -sSL https://sca-downloads.veracode.com/ci.sh | sh -
- Save your build.
Results:
The next time your job runs, Veracode SCA scans your code.
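The same job expressed as a declarative Jenkinsfile, as an added example that is not part of the Veracode documentation. It assumes the Credentials Binding Plugin is installed, that a Secret text credential with the ID SRCCLR_API_TOKEN exists (created as described above), and that the Build stage command is a placeholder for your own build.

```groovy
pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                // Placeholder for the project's own build command (assumption).
                sh 'mvn -B package'
            }
        }
        stage('Veracode SCA') {
            steps {
                // Equivalent of "Use secret text(s) or file(s)" with a Secret text binding:
                // the credential with ID SRCCLR_API_TOKEN is exposed to the shell step as
                // the environment variable SRCCLR_API_TOKEN and masked in the console log.
                withCredentials([string(credentialsId: 'SRCCLR_API_TOKEN',
                                        variable: 'SRCCLR_API_TOKEN')]) {
                    // Single-quoted Groovy string: ${...} is left for the shell to expand,
                    // so the token value never appears in the pipeline script itself.
                    sh '''
                        set -eu
                        # Fail early and clearly if the binding is missing, without
                        # printing the token's value.
                        if [ -z "${SRCCLR_API_TOKEN:-}" ]; then
                            echo "SRCCLR_API_TOKEN is not bound to this build" >&2
                            exit 1
                        fi
                        # Same command the freestyle job runs in its Execute shell step.
                        curl -sSL https://sca-downloads.veracode.com/ci.sh | sh -
                    '''
                }
            }
        }
    }
}
```

Because the binding is scoped to the withCredentials block, the token is only present in the environment while the scan step runs.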