Pipeline Scan Example for GitLab and Gradle with Automatic Vulnerability Generation Using a Custom Policy
These code examples show how to download a custom policy and use it in a GitLab pipeline with Gradle and automatic vulnerability generation.
To download a policy locally to use later in the pipeline, use the --request_policy
parameter as shown in this example:
- java -jar pipeline-scan.jar
--veracode_api_id "${VERACODE_API_ID}"
--veracode_api_key "${VERACODE_API_SECRET}"
--request_policy="Custom Policy"
Pipeline Scan automatically names the locally-generated policy file using the format <policy name>.json
, replacing any spaces with underscores. In this example, the resulting file is named Custom_Policy.json
. You should place this file in a location accessible to the pipeline for its subsequent use. Use the --policy_file
parameter to specify the local custom policy for vulnerability filtering:
image: <image-with-above-requirements>
stages:
- build
- scan
build_job:
stage: build
artifacts:
name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_build
paths:
- build/
expire_in: 1 week
script: gradle clean build
pipeline scan:
stage: scan
dependencies:
- build_job
artifacts:
name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_pipeline-results
paths:
- results.json
- veracode_gitlab_vulnerabilities.json
reports:
sast: veracode_gitlab_vulnerabilities.json
expire_in: 1 week
when: always
script:
- curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- unzip pipeline-scan-LATEST.zip pipeline-scan.jar
- java -jar pipeline-scan.jar
--veracode_api_id "${VERACODE_API_ID}"
--veracode_api_key "${VERACODE_API_SECRET}"
--file "build/libs/sample.jar"
--policy_file="Custom_Policy.json"
--baseline_file "${CI_BASELINE_PATH}"
--timeout "${CI_TIMEOUT}"
--project_name "${CI_PROJECT_PATH}"
--project_url "${CI_REPOSITORY_URL}"
--project_ref "${CI_COMMIT_REF_NAME}"
--gl_vulnerability_generation true