Veracode Jenkins Plugin

The Veracode Jenkins Plugin integrates with your Jenkins development pipelines to seamlessly automate the operations for building, uploading, and scanning your application code.

Starting with version 20.6.10.0 of the Veracode Jenkins Plugin, Veracode distributes the plugin as open source under an MIT license. You can download the plugin source code from GitHub. On the Jenkins Marketplace and in the Jenkins Plugin Manager, the plugin name is Veracode Scans.

The Veracode Jenkins Plugin supports the Jenkins pipeline functionality and the ability to bind your Veracode API credentials to build environment variables.

The Veracode Jenkins Plugin contains the Java API wrapper and uses the uploadandscan composite action from the wrapper to upload your code to Veracode for scanning. By default, the uploadandscan composite action is set to autoscan, which starts the scan automatically after the prescan. However, the prescan must meet the Veracode Static Analysis scanning requirements. Before running your automation, perform a prescan verification. Since the uploadandscan composite action runs through the Java API wrapper, the wrapper returns a non-zero integer exit code when a command fails. These are the exit codes:

  • 1 = Invalid input
  • 2 = API internal error
  • 3 = Incorrect file format of the CSV file referred to in the -inputfilepath parameter
  • 4 = The scan did not pass policy compliance. This code only applies to an uploadandscan composite action that specifies the scantimeout parameter.

The Veracode API wrappers return errors for missing required parameters and for unrecognized parameters. They do not return errors for defined API parameters that are not valid for the specified action. For example, if an API wrapper takes sandboxid as an optional parameter and you supply sandboxname by mistake, the wrapper silently ignores sandboxname and executes. You can verify the list of valid parameters for each action in the Veracode console.
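The two behaviours above (the wrapper's exit codes, and its silent acceptance of a defined-but-inapplicable parameter) are what a pipeline script has to handle. The following POSIX shell is an added example, not Veracode's own code or part of the plugin: it pre-checks the parameter names you intend to pass against a list of valid names, runs the wrapper command you give it, and maps the exit code onto a build decision. The parameter list `UPLOADANDSCAN_PARAMS` is a constructed illustration that follows the page's example (sandboxid accepted, sandboxname not); replace it with the list shown in the Veracode console. The exit-code meanings are the four the page documents. Note that exit code 4 is only produced when scantimeout is set, so without it an exit code of 0 says nothing about policy compliance; `policy_verdict` makes that distinction explicit.

```shell
#!/bin/sh
# Added example (not Veracode's code): guard a Veracode Java API wrapper
# uploadandscan call with a parameter pre-check and exit-code interpretation.

# CONSTRUCTED list of parameter names treated as valid for uploadandscan.
# Check the Veracode console for the real list before relying on this.
UPLOADANDSCAN_PARAMS="vid vkey appname filepath version scantimeout sandboxid createprofile"

# check_params "<space-separated parameter names>"
# Returns 1 on the first name that is not valid for the action. This catches
# the case the page describes: a defined API parameter (e.g. sandboxname) that
# the wrapper would otherwise ignore without an error.
check_params() {
  for p in $1; do
    case " $UPLOADANDSCAN_PARAMS " in
      *" $p "*) ;;
      *) echo "parameter not valid for uploadandscan: $p" >&2; return 1 ;;
    esac
  done
  return 0
}

# exit_verdict <code>: the page's documented wrapper exit codes as short labels.
exit_verdict() {
  case "$1" in
    0) echo "ok" ;;
    1) echo "invalid-input" ;;
    2) echo "api-error" ;;
    3) echo "bad-csv" ;;
    4) echo "policy-failed" ;;
    *) echo "unknown" ;;
  esac
}

# policy_verdict <code> <scantimeout-set: yes|no>
# Exit code 4 only exists when scantimeout was given, so a 0 without it means
# "the upload succeeded", not "the scan passed policy".
policy_verdict() {
  case "$1" in
    4) echo "failed" ;;
    0) if [ "$2" = "yes" ]; then echo "passed"; else echo "not-evaluated"; fi ;;
    *) echo "not-evaluated" ;;
  esac
}

# run_scan <scantimeout-set: yes|no> <wrapper command...>
# Runs the wrapper (in a Jenkins sh step this would be something like
# "java -jar VeracodeJavaAPI.jar -action uploadandscan ..."; jar name and
# flags are assumptions here), reports the verdicts, and returns nonzero on
# any failure so the build step fails. Written errexit-safe for "set -e".
run_scan() {
  has_timeout=$1
  shift
  if "$@"; then rc=0; else rc=$?; fi
  echo "veracode wrapper exit $rc ($(exit_verdict "$rc")); policy: $(policy_verdict "$rc" "$has_timeout")"
  [ "$rc" -eq 0 ]
}

# Usage inside a pipeline shell step (hypothetical invocation):
#   check_params "vid vkey appname filepath scantimeout" || exit 1
#   run_scan yes java -jar VeracodeJavaAPI.jar -action uploadandscan -vid "$VERACODE_ID" \
#     -vkey "$VERACODE_KEY" -appname "$APP" -filepath target/app.war -scantimeout 60
```

Running the pre-check before the wrapper turns a silently ignored parameter (for instance sandboxname where sandboxid is expected, which would scan the wrong target) into a hard failure at the start of the step, and mapping code 4 separately from codes 1 to 3 lets the pipeline distinguish a real policy failure from a configuration or API problem.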