Pipeline Scan example for GitLab and Gradle with automatic vulnerability generation using a custom policy
These code examples show how to download a custom policy and use it in a GitLab pipeline with Gradle and automatic vulnerability generation.
To download a policy locally for later use in the pipeline, use the --request_policy parameter, as in this example:

    - java -jar pipeline-scan.jar
        --veracode_api_id "${VERACODE_API_ID}"
        --veracode_api_key "${VERACODE_API_SECRET}"
        --request_policy="Custom Policy"
Pipeline Scan names the downloaded policy file using the format <policy name>.json, replacing any spaces in the policy name with underscores. In this example, the resulting file is Custom_Policy.json. Place this file where the scan job can read it, for example by committing it to the repository or by passing it along as an artifact from an earlier job, and point the --policy_file parameter at it so that the scan filters findings against the custom policy rather than the default one.

The example below includes a script that downloads and unzips pipeline-scan-LATEST.zip, so the job always runs the latest version, then runs pipeline-scan.jar with your API credentials. Supply VERACODE_API_ID and VERACODE_API_SECRET as masked CI/CD variables rather than as literals in .gitlab-ci.yml. For improved stability, Veracode recommends that you change these scripts to use the Pipeline Scan Docker image instead; fetching LATEST at run time means the scanner version can change between runs without any change to the repository.
# The image must provide everything the scripts below call: a JDK, Gradle,
# curl and unzip.
image: <image-with-above-requirements>

stages:
  - build
  - scan

build_job:
  stage: build
  artifacts:
    name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_build
    paths:
      - build/
    expire_in: 1 week
  script: gradle clean build

pipeline scan:
  stage: scan
  # Pull in build/ from build_job so build/libs/sample.jar exists here.
  dependencies:
    - build_job
  artifacts:
    name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_pipeline-results
    paths:
      - results.json
      - veracode_gitlab_vulnerabilities.json
    # Registers the generated file as a GitLab SAST report.
    reports:
      sast: veracode_gitlab_vulnerabilities.json
    expire_in: 1 week
    # Keep the results even when the scan fails the policy and the job is red.
    when: always
  script:
    - curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
    - unzip pipeline-scan-LATEST.zip pipeline-scan.jar
    - java -jar pipeline-scan.jar
        --veracode_api_id "${VERACODE_API_ID}"
        --veracode_api_key "${VERACODE_API_SECRET}"
        --file "build/libs/sample.jar"
        --policy_file="Custom_Policy.json"
        --baseline_file "${CI_BASELINE_PATH}"
        --timeout "${CI_TIMEOUT}"
        --project_name "${CI_PROJECT_PATH}"
        --project_url "${CI_REPOSITORY_URL}"
        --project_ref "${CI_COMMIT_REF_NAME}"
        --gl_vulnerability_generation true
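
The following POSIX shell wrapper is an added example and is not Veracode's code or part of the original page. It encodes the policy file naming rule described above, refuses to launch the scanner when the policy file, the build artifact or the credentials are missing (so the job fails before the scanner does, and without printing the API key), and then calls pipeline-scan.jar with the policy and GitLab report options from the job above. The function names, the "starts with {" check on the policy file and the reduced option list are this example's own assumptions; the baseline and timeout options from the job can be appended to the scanner call in the same way.

```shell
#!/bin/sh
# Added example wrapper for the "pipeline scan" job (not Veracode's code).
# It encodes the documented naming rule for downloaded policies and fails
# fast when an input is missing, instead of letting the scanner fail after
# the build artifacts have already been produced.
set -eu

# Pipeline Scan writes a policy requested with --request_policy to
# "<policy name>.json", replacing spaces with underscores, so the policy
# "Custom Policy" lands in Custom_Policy.json.
policy_filename() {
  printf '%s.json\n' "$(printf '%s' "$1" | tr ' ' '_')"
}

# The policy file must exist, be non-empty and look like a JSON object
# (assumed heuristic: first non-blank character is "{").
check_policy_file() {
  if [ ! -s "$1" ]; then
    echo "policy file '$1' missing or empty; download it with --request_policy" >&2
    return 1
  fi
  if [ "$(tr -d ' \t\r\n' < "$1" | cut -c1)" != "{" ]; then
    echo "policy file '$1' is not a JSON document" >&2
    return 1
  fi
}

# Credentials come only from the CI environment (masked variables). Their
# values are never echoed, so a failing check does not leak them to the log.
check_credentials() {
  [ -n "${VERACODE_API_ID:-}" ] && [ -n "${VERACODE_API_SECRET:-}" ]
}

# Thin wrapper around the scanner so callers (and tests) can substitute it.
scanner() {
  java -jar pipeline-scan.jar "$@"
}

# run_scan <build artifact> <policy name>: pre-flight, then scan the artifact
# against the local copy of the named policy, producing results.json and the
# GitLab SAST report veracode_gitlab_vulnerabilities.json as in the job above.
run_scan() {
  artifact="$1"
  policy="$(policy_filename "$2")"
  check_credentials || { echo "VERACODE_API_ID/VERACODE_API_SECRET not set" >&2; return 1; }
  [ -f "$artifact" ] || { echo "build artifact '$artifact' not found" >&2; return 1; }
  check_policy_file "$policy" || return 1
  scanner \
    --veracode_api_id "$VERACODE_API_ID" \
    --veracode_api_key "$VERACODE_API_SECRET" \
    --file "$artifact" \
    --policy_file="$policy" \
    --project_name "${CI_PROJECT_PATH:-local}" \
    --project_ref "${CI_COMMIT_REF_NAME:-local}" \
    --gl_vulnerability_generation true
}

# In the GitLab job: sh scan.sh build/libs/sample.jar "Custom Policy"
if [ $# -eq 2 ]; then
  run_scan "$1" "$2"
fi
```

Invoked from the job's script section in place of the bare java line, the wrapper keeps the same artifacts and report wiring; the only behavioural change is that a missing Custom_Policy.json or unset credential now stops the job with a clear message before any upload to Veracode is attempted.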