Integrate agent-based scanning with Atlassian Bamboo

You can set the Veracode Software Composition Analysis (SCA) agent-based scanning API token environment variable on an individual plan basis or globally within your Bamboo environment. You can also set the environment variable when you create the script command in your Bamboo task instead of setting it at the plan or global levels.

Requirements

The requirements for your agent host depend on the build and package managers your repositories use, and therefore on the language being scanned. To view the requirements, see the code language in Finding and Fixing Vulnerabilities.

Create an authentication token

By default, the agent you create is visible only to members of the workspace in which you created it. To make it visible to other teams, see invite teams to your workspace.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select a workspace.
  4. Select Agents > Actions > Create > Atlassian Bamboo.
  5. Select Create Agent & Generate Token.
  6. Copy the value in the token field. You use the token to authenticate with Veracode SCA during scans.

Create a global variable

To complete this task:

  1. Sign in to the Bamboo web interface and go to your Bamboo environment.
  2. To open the Global Variables page, select the settings gear from the top-right corner, then select Global Variables.
  3. For Variable Name, enter SRCCLR_API_TOKEN_PASSWORD. Appending PASSWORD to the variable name prevents the value from being exposed.
  4. For Value, paste the API token you copied when you created the token.
  5. Select Add.

Create a plan variable

To complete this task:

  1. In Bamboo, select Dashboard > All Plans.
  2. Select the plan you want to edit.
  3. Select Actions > Configure Plan.
  4. Select Variables.
  5. For Variable name, enter SRCCLR_API_TOKEN_PASSWORD.
  6. For Value, paste the API token you copied when you created the token.
  7. To save and set the plan variable, select Add.

Configure your Bamboo repository

Because Bamboo is an on-premises CI system, you must install cURL on your server before you can run a Veracode Software Composition Analysis (SCA) agent-based scan.

You can install cURL over SSH on your server. After installing it, you also need the path to the executable so that Bamboo can run commands with it. To get the path, access the server via SSH and run which curl. This command prints the path to the curl binary; keep it for later use.

To complete this task:

  1. In Bamboo, navigate to the plan where you want to add agent-based scanning.
  2. Select Actions > Configure Plan.
  3. Select the job that builds your code.
  4. In the Tasks section, select Add Task > Script.
  5. Edit the following fields:
     a. For Task Description, enter Veracode Agent-Based Scan.
     b. Ensure that Interpreter is set to Shell.
     c. Ensure that Script location is set to Inline.
     d. For Script body, enter curl -sSL https://download.sourceclear.com/ci.sh | sh.
     e. Ensure that Argument is blank.
     f. For Environment variables:
        • If you did not set SRCCLR_API_TOKEN_PASSWORD at the global or plan level, enter SRCCLR_API_TOKEN={token}.
        • If you set the token at the global level, enter export SRCCLR_API_TOKEN=${bamboo.SRCCLR_API_TOKEN_PASSWORD}.
     g. Leave Working subdirectory blank unless the project configuration file, such as package.json, pom.xml, build.gradle, or requirements.txt, is in a subdirectory; in that case, enter the path to that subdirectory.
  6. Select Save.
  7. To prevent unnecessary scan attempts if the build fails, drag the agent-based scan command to the bottom of the task list directly above the final tasks section.
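The following is an added example of a guarded version of the inline Script body above; it is not Veracode's ci.sh or Bamboo's own code. It assumes Bamboo exposes the plan or global variable to the script as bamboo_SRCCLR_API_TOKEN_PASSWORD (Bamboo maps ${bamboo.X} to bamboo_X in the environment), uses curl -f so a failed download is never piped into sh, and fails before any network access when the token or project manifest is missing, without ever printing the token.

```sh
#!/bin/sh
# Added example: guarded Script body for the Bamboo task described above.
# Assumption: Bamboo exposes ${bamboo.SRCCLR_API_TOKEN_PASSWORD} to the shell
# as $bamboo_SRCCLR_API_TOKEN_PASSWORD. DRY_RUN is a name chosen here.
set -eu

CI_SCRIPT_URL="https://download.sourceclear.com/ci.sh"

# Pick the token: an explicit SRCCLR_API_TOKEN wins, otherwise fall back to
# the plan/global Bamboo variable. Prints nothing on failure, so the token
# value never reaches the build log.
resolve_token() {
  if [ -n "${SRCCLR_API_TOKEN:-}" ]; then
    printf '%s' "$SRCCLR_API_TOKEN"
  elif [ -n "${bamboo_SRCCLR_API_TOKEN_PASSWORD:-}" ]; then
    printf '%s' "$bamboo_SRCCLR_API_TOKEN_PASSWORD"
  else
    return 1
  fi
}

# Confirm a supported project manifest exists in the scan directory, so an
# empty or wrongly configured working subdirectory does not trigger a
# pointless download and scan.
has_manifest() {
  dir="${1:-.}"
  for f in package.json pom.xml build.gradle requirements.txt; do
    [ -f "$dir/$f" ] && return 0
  done
  return 1
}

# Run the scan in the given directory (default: checkout root).
# Returns 2 if no token is available and 3 if no manifest is found.
# With DRY_RUN=1 the download is skipped and the command is only echoed.
run_sca_scan() {
  dir="${1:-.}"
  SRCCLR_API_TOKEN="$(resolve_token)" || { echo "SRCCLR_API_TOKEN is not set" >&2; return 2; }
  export SRCCLR_API_TOKEN
  has_manifest "$dir" || { echo "no supported manifest in $dir" >&2; return 3; }
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "would run: curl -fsSL $CI_SCRIPT_URL | sh (in $dir)"
    return 0
  fi
  # -f makes curl exit non-zero on an HTTP error instead of piping the
  # error body into sh.
  ( cd "$dir" && curl -fsSL "$CI_SCRIPT_URL" | sh )
}
```

In the Bamboo task, paste the block as the Script body and add `run_sca_scan "${bamboo_working_directory:-.}"` (or a fixed subdirectory path) as its last line.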

Results:

The next time you build this plan, Veracode SCA runs an agent-based scan.