
Use YAML to add Static Analysis to Azure DevOps pipelines

You can use YAML to add the Veracode Azure DevOps Extension and integrate Veracode Static Analysis into your Azure DevOps build pipelines.

Before you begin:

  • Before uploading an application, you must package it to include the required debug symbols, as described in the packaging requirements.

  • You have generated Veracode API credentials. If your credentials contain variables, you must start each variable with a $ and wrap the variable value in parentheses. For example, you enter the id variable as $(Id).

  • The extension uses the variable names VERACODE_API_KEY_ID and VERACODE_API_KEY_SECRET for the API credentials. If you use custom variables in your pipelines, ensure that none of your variable names conflict with these variable names for the API credentials.

  • If you want to upload multiple artifacts for scanning, prepare one or more ZIP archives:

    a. Add the artifacts to one or more ZIP archives.

    b. Ensure the ZIP archives are in the same upload file path location.

    c. Prepare the ZIP archives for uploading to Veracode using a separate build step or build steps in your pipeline.

If you have an ASP.NET application, see Configure an Azure DevOps build for ASP.NET applications.

To complete this task:

  1. In your Azure DevOps project, navigate to the YAML file for the pipeline in which to add the Veracode task.

  2. Select Show assistant.

  3. Search for veracode, then select the Veracode Upload and Scan task.

  4. In the Veracode Upload and Scan window, in the Connection Details section, select a connection source for connecting to Veracode:

    • Service Connection: select an existing service connection that uses your Veracode API credentials or create a new service connection.
    • Credentials: enter your Veracode API credentials.
  5. In the Veracode Scan Settings section, enter the name of the associated application profile, a unique scan name, and the filepath to either the application artifact or the folder containing the artifacts to upload to Veracode.

    For a .NET application, if you have additional published projects from a solution, include them in the archive to upload and analyze. Add any JavaScript files to a separate ZIP archive according to the packaging instructions in the packaging requirements. Include only the file types for languages and platforms that Veracode can scan in a ZIP archive to improve uploading and scan speed. See the Microsoft Archive Files task.

    If this is not an existing Veracode application, select the Create Application Profile checkbox in the Advanced Scan Settings section to have Veracode create an application profile.

    Note: Application names in Azure DevOps are case-sensitive.

  6. In the Advanced Scan Settings section, if you are using a development sandbox, enter a sandbox name or select Create Sandbox to create one.

    In the Optional Arguments field, enter any optional parameters to apply to the Upload and Scan action. For example, you can use the optional parameters to include and exclude files during the scan.

    The following example specifies that the scan includes all DLL files, excludes all EXE files, runs in a sandbox named mysandbox (which Veracode creates if the sandbox does not already exist), and deletes an existing scan with a status of incomplete, no modules defined, failed, or cancelled:

    -include *.dll -exclude *.exe -createsandbox true -sandboxname mysandbox -deleteIncompleteScan 1

    Note: Do not enclose any of the values in single or double quotation marks.

    You can hide a proxy password during the Upload and Scan action.

    If the application profile does not exist, select the Create Application Profile checkbox to create it. You can select the Fail build if Upload and Scan build step fails checkbox to prevent the build from continuing if the Upload and Scan build step fails.

  7. In the Veracode Scan Results section, select the Import Results upon Scan Completion checkbox to import the scan results. You can select the option under it to stop the build if the scan results indicate that the application has failed your security policy.

    Selecting either checkbox reserves an assigned build agent to wait until the scan has completed successfully and the scan results are available. With one or both checkboxes selected, you can enter the build agent wait time, in minutes, for failing the build if no scan results are available. The value range is 30 to 1440 (24 hours) and the default is 360 (6 hours). If you enter a value outside this range, the build fails.

    If neither checkbox is selected, the build agent uploads the binaries to Veracode and continues to the next build task in the task list.

  8. Select Add to add the Upload and Scan task to the YAML file in your build pipeline.

    This example shows a YAML file for building and scanning a .NET application. It accesses Veracode using a service connection. For descriptions of all YAML properties for the Upload and Scan task, see Azure DevOps YAML properties for Upload and Scan.

    # .NET Desktop
    # Build and run tests for .NET Desktop or Windows classic desktop solutions.
    # Add steps that publish symbols, save build artifacts, and more:
    # https://docs.microsoft.com/azure/devops/pipelines/apps/windows/dot-net

    trigger:
    - master

    pool:
      vmImage: 'windows-latest'

    variables:
      solution: '**/*.sln'
      buildPlatform: 'Any CPU'
      buildConfiguration: 'Debug' # required as part of Veracode packaging for task: VSBuild@1

    steps:
    - task: NuGetToolInstaller@1

    - task: NuGetCommand@2
      inputs:
        restoreSolution: '$(solution)'

    - task: VSBuild@1
      inputs:
        solution: '$(solution)'
        platform: '$(buildPlatform)'
        configuration: '$(buildConfiguration)'

    - task: VSTest@2
      inputs:
        platform: '$(buildPlatform)'
        configuration: '$(buildConfiguration)'

    - task: DownloadPipelineArtifact@2
      inputs:
        patterns: '**/*.exe,**/*.dll,**/*.pdb' # ensures Veracode gets the PDB files for Static Analysis

    # This task makes the pipeline build artifacts available in a known location for upload to Veracode
    - task: PublishPipelineArtifact@1
      inputs:
        targetPath: $(System.DefaultWorkingDirectory)/bin/Debug
        artifactName: Debug

    - task: Veracode@3
      inputs:
        ConnectionDetailsSelection: 'Service Connection' # access Veracode with a service connection or Veracode API credentials
        AnalysisService: 'Veracode Service Account' # service connection name for accessing Veracode
        veracodeAppProfile: '$(system.teamProject)' # Veracode application profile to scan
        version: '$(build.buildNumber)' # name of the scan to run
        filepath: '$(System.DefaultWorkingDirectory)/bin/Debug' # file path or folder path of files to upload to Veracode
        optargs: '-criticality high -include *.dll -exclude *.exe -createsandbox true -sandboxname mysandbox -deleteIncompleteScan 1' # scan criticality is high, include DLL modules, exclude EXE modules, create sandbox mysandbox during scan, delete a scan with status of incomplete, no modules defined, failed, or cancelled
        createSandBox: false # true to scan in a new development sandbox
        createProfile: true # false to enforce using existing profiles
        failBuildIfUploadAndScanBuildStepFails: false # true to fail the build if the Upload and Scan task fails to start
        importResults: true # required to view Veracode results in Azure DevOps
        failBuildOnPolicyFail: false # true to fail the build if the application fails policy
        maximumWaitTime: '360' # wait time, in minutes, to fail the build if no scan results are available

  9. Optionally, to add debugging to your pipeline, add a new variable and enter these values in the New variable window:

    • Name: system.debug
    • Value: true
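The procedure above states several constraints that only surface as a failed build once the pipeline runs: custom variables must not reuse the names VERACODE_API_KEY_ID and VERACODE_API_KEY_SECRET, variable references must be written as $(Name), values in the optional arguments must not be quoted, and maximumWaitTime must lie between 30 and 1440 minutes. The following script is an added example (not part of the Veracode extension or its documentation) that lints a Veracode@3 task stanza against those rules before it is committed. The stanza parser it contains only understands the flat `key: value # comment` lines of an `inputs:` block; the two sample stanzas are constructed for this example, with the second one deliberately containing three of the mistakes the page warns about.

```python
"""Lint a Veracode Upload and Scan (Veracode@3) task stanza before committing it.

Added example; not part of the Veracode extension. It encodes the rules the
page states for the task inputs:
  * custom pipeline variables must not be named VERACODE_API_KEY_ID or
    VERACODE_API_KEY_SECRET (the extension uses those names itself);
  * variable references must have the form $(Name), not $Name;
  * values in the optional arguments must not be wrapped in quotes;
  * maximumWaitTime must be in 30..1440 minutes (default 360) when results
    are imported or the build is gated on policy.
The parser below only understands flat `key: value # comment` lines of an
inputs block; it is not a general YAML parser.
"""
import re

RESERVED_VARIABLES = {"VERACODE_API_KEY_ID", "VERACODE_API_KEY_SECRET"}
WAIT_MIN, WAIT_MAX, WAIT_DEFAULT = 30, 1440, 360
# $Name without the required parentheses; $(Name) is the correct form
BARE_VAR_REF = re.compile(r"\$(?!\()[A-Za-z_][A-Za-z0-9_.]*")


def parse_inputs(stanza: str) -> dict:
    """Turn flat `key: value  # comment` lines into a dict of unquoted strings."""
    inputs = {}
    for raw in stanza.splitlines():
        line = raw.split(" #", 1)[0].strip()  # drop trailing YAML comment
        if not line or line.endswith(":") or line.startswith("-"):
            continue  # `inputs:` headers and `- task:` lines carry no input value
        key, _, value = line.partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]  # YAML quoting around the whole value is fine
        inputs[key.strip()] = value
    return inputs


def parse_optargs(optargs: str):
    """Split `-flag value` pairs; report quotes, which the page says must not be used."""
    problems = []
    if re.search(r"""['"]""", optargs):
        problems.append("optargs: do not enclose values in single or double quotes")
    tokens = optargs.replace("'", "").replace('"', "").split()
    args, i = {}, 0
    while i < len(tokens):
        if not tokens[i].startswith("-"):
            problems.append(f"optargs: unexpected token {tokens[i]!r}")
            i += 1
            continue
        flag = tokens[i][1:]
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            args[flag] = tokens[i + 1]  # flag followed by its value
            i += 2
        else:
            args[flag] = None  # bare flag with no value
            i += 1
    return args, problems


def lint_task(inputs: dict, pipeline_variables=()) -> list:
    """Return a list of problems; an empty list means the stanza obeys the page's rules."""
    problems = []
    for name in sorted(RESERVED_VARIABLES & set(pipeline_variables)):
        problems.append(f"variable {name} clashes with the extension's API credential variable")
    for key, value in inputs.items():
        for ref in BARE_VAR_REF.findall(value):
            problems.append(f"{key}: variable reference {ref} must be written as $({ref[1:]})")
    _, optarg_problems = parse_optargs(inputs.get("optargs", ""))
    problems.extend(optarg_problems)
    # the agent only waits (and the wait-time range only matters) when either checkbox is on
    waits = (inputs.get("importResults", "false").lower() == "true"
             or inputs.get("failBuildOnPolicyFail", "false").lower() == "true")
    if waits:
        raw = inputs.get("maximumWaitTime", str(WAIT_DEFAULT))
        if not raw.isdigit() or not WAIT_MIN <= int(raw) <= WAIT_MAX:
            problems.append(f"maximumWaitTime {raw!r} is outside {WAIT_MIN}..{WAIT_MAX} minutes; the build would fail")
    return problems


# Constructed sample stanza modelled on the page's example pipeline (values are hypothetical)
GOOD_STANZA = """
- task: Veracode@3
  inputs:
    ConnectionDetailsSelection: 'Service Connection'
    AnalysisService: 'Veracode Service Account'
    veracodeAppProfile: '$(system.teamProject)'
    version: '$(build.buildNumber)'
    filepath: '$(System.DefaultWorkingDirectory)/bin/Debug'
    optargs: '-include *.dll -exclude *.exe -createsandbox true -sandboxname mysandbox -deleteIncompleteScan 1'
    importResults: true # required to view Veracode results in Azure DevOps
    failBuildOnPolicyFail: false
    maximumWaitTime: '360'
"""

# Constructed stanza with three mistakes: $Id without parentheses, a quoted optarg value, wait time below 30
BAD_STANZA = """
- task: Veracode@3
  inputs:
    ConnectionDetailsSelection: 'Credentials'
    veracodeAppProfile: '$Id'
    version: '$(build.buildNumber)'
    filepath: '$(System.DefaultWorkingDirectory)/bin/Debug'
    optargs: '-include *.dll -sandboxname "mysandbox"'
    importResults: true
    maximumWaitTime: '20'
"""

if __name__ == "__main__":
    for label, stanza in (("good", GOOD_STANZA), ("bad", BAD_STANZA)):
        print(label, lint_task(parse_inputs(stanza), ["buildConfiguration"]) or "OK")
```

Run the script as-is to see the clean stanza pass and the faulty one report its three problems; pass the names of your pipeline's own variables as the second argument of `lint_task` to catch a clash with the extension's credential variable names.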

Results:

After the scan is complete, in your build definition, you can select the Veracode Scan Summary tab to view the scan results.

Next steps:

If you want to use the Veracode Azure DevOps flaw import feature in your build definition, configure the additional related build variables.