Skip to main content

Pipeline Scan example for an ASP.NET application in Azure DevOps

This example YAML code shows how to add a Pipeline Scan as a build stage in an Azure DevOps build pipeline for an ASP.NET application on Windows.

The example includes a script that downloads and unzips pipeline-scan-LATEST.zip, to ensure you have the latest version, then runs pipeline-scan.jar using your API credentials. For improved stability, Veracode recommends that you change the script to use the Pipeline Scan Docker image.

trigger:
- main

pool:
vmImage: "windows-latest"

variables:
solution: "**/*.sln"
buildPlatform: "Any CPU"
buildConfiguration: "Release"

steps:
- task: NuGetToolInstaller@1

- task: NuGetCommand@2
inputs:
restoreSolution: "$(solution)"

- task: VSBuild@1
inputs:
solution: "$(solution)"
msbuildArgs: '/p:DeployOnBuild=true /p:WebPublishMethod=Package /p:PackageAsSingleFile=true /p:SkipInvalidConfigurations=true /p:PackageLocation="$(build.artifactStagingDirectory)"'
platform: "$(buildPlatform)"
configuration: "$(buildConfiguration)"

- task: CmdLine@2
displayName: Veracode Pipeline Scan
inputs:
script: |
curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
unzip -o pipeline-scan-LATEST.zip
java -jar pipeline-scan.jar -vid $(VERACODE_API_ID) -vkey $(VERACODE_API_KEY) -f $(build.artifactstagingdirectory)\Verademo-dotnet.zip || true
# VERACODE_API_ID and VERACODE_API_KEY environment variables must reference your API credentials.
# "|| true" specifies to continue build if Pipeline Scan discovers flaws.
# To fail the build for new flaws not listed in a baseline file, add an existing baseline file with "-bf <baseline filename>" and remove "|| true".

- task: PublishBuildArtifacts@1
displayName: Create Build Artifact for Veracode Pipeline Scan Results
inputs:
PathtoPublish: "results.json"
ArtifactName: "Build"
publishLocation: "Container"