
Pipeline Scan example for using GitLab and Gradle with automatic vulnerability generation

This example YAML code shows how to add a Pipeline Scan and automatic vulnerability generation as a build stage in a GitLab build pipeline using Gradle. Automatic vulnerability generation requires a GitLab Premium or Ultimate license.

Note: Before you can use the --gl_issue_generation parameter, you must create a GitLab access token. If you want to use this parameter when scanning Java applications, you must also configure environment variables to set GitLab base directories. You can use any GitLab subscription to generate GitLab issues.

This GitLab CI structure performs a self-test and uses the $VERACODE_API_* variables that you set in the project's CI/CD settings.

The example includes a script that downloads and unzips pipeline-scan-LATEST.zip, to ensure you have the latest version, then runs pipeline-scan.jar using your API credentials. For improved stability, Veracode recommends that you change these scripts to use the Pipeline Scan Docker image.

image: <image-with-above-requirements>

stages:
  - build
  - scan

build_job:
  stage: build
  artifacts:
    name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_build
    paths:
      - build/
    expire_in: 1 week
  script: gradle clean build

pipeline scan:
  stage: scan
  dependencies:
    - build_job
  artifacts:
    name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_pipeline-results
    paths:
      - results.json
      - veracode_gitlab_vulnerabilities.json
    # Register the generated file as a GitLab SAST report so findings appear in the merge request
    reports:
      sast: veracode_gitlab_vulnerabilities.json
    expire_in: 1 week
    # Keep the results even when the scan fails the job
    when: always
  script:
    - curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
    - unzip pipeline-scan-LATEST.zip pipeline-scan.jar
    - java -jar pipeline-scan.jar
        --veracode_api_id "${VERACODE_API_ID}"
        --veracode_api_key "${VERACODE_API_SECRET}"
        --file "build/libs/sample.jar"
        --fail_on_severity="Very High, High"
        --fail_on_cwe="80"
        --baseline_file "${CI_BASELINE_PATH}"
        --timeout "${CI_TIMEOUT}"
        --project_name "${CI_PROJECT_PATH}"
        --project_url "${CI_REPOSITORY_URL}"
        --project_ref "${CI_COMMIT_REF_NAME}"
        --gl_vulnerability_generation true
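The build gate that --fail_on_severity and --fail_on_cwe express in the job above, rewritten as a small Python check so the combination of the two options can be reasoned about locally. This is an added example, not Veracode's code; the results.json layout it reads (a "findings" list with an integer "severity" and a string "cwe_id"), the severity-number mapping and the findings themselves are assumptions constructed for the example.

```python
import json

# Constructed sample standing in for a Pipeline Scan results.json.
# Assumed schema: {"findings": [{"issue_id", "severity", "cwe_id", "issue_type"}, ...]}
SAMPLE_RESULTS = json.dumps({"findings": [
    {"issue_id": 1, "severity": 5, "cwe_id": "89", "issue_type": "SQL Injection"},
    {"issue_id": 2, "severity": 3, "cwe_id": "80", "issue_type": "Script-Related HTML Tags"},
    {"issue_id": 3, "severity": 2, "cwe_id": "117", "issue_type": "Log Injection"},
]})

# Assumed mapping of numeric severity to the names used by --fail_on_severity.
SEVERITY_NAMES = {5: "Very High", 4: "High", 3: "Medium",
                  2: "Low", 1: "Very Low", 0: "Informational"}


def parse_option(value):
    """Split a comma-separated option value such as "Very High, High" into a set."""
    return {item.strip() for item in value.split(",") if item.strip()}


def gate(results_json, fail_on_severity="", fail_on_cwe=""):
    """Return (should_fail, blocking_issue_ids).

    Mirrors the job's gate: a finding blocks the build when its severity name
    is listed in fail_on_severity OR its CWE id is listed in fail_on_cwe, so
    a Medium CWE-80 finding still fails a build configured like the example.
    """
    severities = parse_option(fail_on_severity)
    cwes = parse_option(fail_on_cwe)
    blocking = []
    for finding in json.loads(results_json)["findings"]:
        name = SEVERITY_NAMES.get(finding["severity"], "Unknown")
        if name in severities or str(finding["cwe_id"]) in cwes:
            blocking.append(finding["issue_id"])
    return (len(blocking) > 0, blocking)


if __name__ == "__main__":
    # Same option values as the GitLab job above.
    failed, ids = gate(SAMPLE_RESULTS, "Very High, High", "80")
    print("fail build:", failed, "blocking findings:", ids)
```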