Skip to main content

Schedule scans in GitHub

You can schedule scans for every organization in which the GitHub Workflow Integration is installed.

Configure scan schedules

Before you begin

Ensure you have:

To complete this task:

  1. In the Veracode Platform, select Repository Scan from the left menu. The Repository Scanning page opens. If you have already integrated with the Veracode Platform to view results for some of your organizations, the Repositories page displays. Select ADD SCM INTEGRATION. The Repository Scanning page displays.

  2. Select GitHub Cloud, and then select Next. The Configure Credentials page opens.

  3. Select Schedule, and then select Next. The Configure Scan Schedules section opens.

  4. For the organization for which you want to schedule scans, select the action icon. The Schedule Settings window displays.

  5. In the Schedule Settings window, provide the following configuration:

    • Enable the scan schedule using the Enable Scheduling toggle button.

    • Select either On Specific Date or On Specific Day of Week depending on when you want to schedule the scans.

      If you select On Specific Date, specify the day and the months for the scan schedule. For example, the 23rd of January and April. If you select On Specific Day of Week, select the week, the day in the week, and the months for the scan schedule. For example, the third Friday in March and June.

    • Specify the Start Time for the scan along with the Timezone.

    • In Max Concurrent Repos to Scan, enter the maximum number of repositories to run simultaneously. This helps load balancing and efficiency.

    • To apply this configuration to all the organizations in which the GitHub Workflow Integration is installed, select Apply the above configuration across all organizations.

  6. Select Save to exit the Schedule Settings window. In the Configure Scan Schedules page, see the schedule updated for the selected organization.

  7. If required, update the schedule for other organizations in the Configure Scan Schedules page using steps 4 and 5.

  8. Finally, select Apply to save and apply the updates made to the schedule for the organizations.

Disable scan schedule

You can disable the schedule for one or more organizations.

To complete this task:

  1. In the Veracode Platform, select Repository Scan from the left menu. The Repository Scanning page opens.
  2. Select GitHub Cloud, and then select Next. The Configure Credentials page opens.
  3. Select Schedule, and then select Next. The Configure Scan Schedules page opens.
  4. For the organization for which you want to disable the scan schedule, select the action icon. The Schedule Settings window displays.
  5. Disable the scan schedule using the Enable Scheduling toggle button.
  6. To disable the scan schedule for all the organizations in which the GitHub Workflow Integration is installed, select Apply the above configuration across all organizations.
  7. Select Save to exit the Schedule Settings window.
  8. Finally, select Apply to save and apply the updates.

Schedule specifications and behavior

  • You can schedule static, SCA and IaC scans.

  • When a scan runs for more than two hours, it is considered stalled and terminated to allow other repositories in the queue to be scanned.

  • As per the scan schedule, if there is an invalid day for a month, the nearest earlier day of that month is used. For example, if the day is February 30 and 31 in a leap year, Feb 29 is considered the day for the scan schedule.

  • If Max Concurrent Repos to Scan is more than the number of runners, the value provided in Max Concurrent Repos to Scan is used. For example, if Max Concurrent Repos to Scan is 20 when only 10 runners are available, 10 repositories are scanned simultaneously, while the remaining repositories are marked as pending.

  • The lowest and highest values allowed for Max Concurrent Repos to Scan are one and 999, respectively.

  • If you add a new repository to an organization, the system includes it in the same month's scan cycle if the organization has turned on a scan schedule.

  • If a scan is scheduled for a past date in the current month, scan for all the repositories in the corresponding organization is queued immediately, regardless of the date.

  • If a scan is scheduled for a future date in the current month, only the repositories that were not scanned in the current month are scanned in the future date.

  • There can be a maximum delay of up to 9 minutes from the specified start time for scans to be triggered.

  • If a scheduled scan fails for a repository, the system proceeds to scan the next repository and does not retry the failed scan. An error message is recorded for the failed scan. Repositories for which scan has failed are not scanned again in the same schedule. They are included in the next schedule.

  • The behavior of a scheduled scan is based on the configurations specified in the veracode.yml file. The following parameters determine whether a policy or pipeline scan runs, apart from SCA and IaC.

    veracode.yml parameterScan scheduled
    veracode_static_scan:
    push:
    trigger: true
    SAST pipeline scan
    analysis_on_platform: trueSAST policy scan
    veracode_sca_scan:
    push:
    trigger: true
    SCA scan
    veracode_iac_secrets_scan:
    push:
    trigger: true
    IaC scan
  • If default_branch or analysis_branch contains an invalid value, scheduled scans don't run.

  • A policy scan runs as per schedule, only if analysis_on_platform is set to true.

  • If analysis_branch is specified, the scheduled scan runs for that branch. Otherwise, it runs for default_branch.

Configure schedule scans for organizations configured via marketplace

If you installed the Veracode GitHub Workflow Integration for an organization via the marketplace and not integrated with the Veracode Platform to view results, perform an update operation to enable scheduled scans.

To complete this task:

  1. In the Veracode Platform, from the left menu, select Repository Scan. The Repository Scanning page displays.
    note

    If you have already integrated with the Veracode Platform to view results for some of your organizations, the Repositories page displays. Select ADD SCM INTEGRATION. The Repository Scanning page displays.

  2. Select GitHub Cloud, and then select NEXT. The Configure Credentials page opens.
  3. Select Update.
  4. Under GitHub Personal Access Token, enter the PAT. You don't have to provide API Keys and Secrets or SRCCLR API TOKEN. If you provide them, they will overwrite the existing credentials after you complete this update process.
  5. Select NEXT. If you installed the Veracode GitHub Workflow Integration via marketplace, the pop-up titled Marketplace Installed Organizations appears.
  6. Select the organizations for the update, and then select Confirm. The Update Organizations(s) page opens.
  7. If you had provided API Keys and Secrets or SRCCLR API TOKEN in step 5, select the organizations that you want to update the credentials for. Then, select Update. If you hadn't provided API Keys and Secrets or SRCCLR API TOKEN in step 5, do not select any organizations. Only select Update.

The selected organizations can now configure schedule scans.