JetBrains TeamCity

You can use the Veracode TeamCity Plugin to integrate Veracode Static Analysis with your build process.

You can use the plugin to perform these tasks:

• Synchronously scan and provide results.
• Stop the build if the Veracode scan results violate the security policy.
• Run a scan in a sandbox.
• Create an application profile if one does not already exist.

Supported versions

TeamCity Enterprise 2022.10, 2023.05, 2023.11, 2024.03, and 2024.07

Supported libraries

Java 8 and 11

Prerequisites

Before you can install and use the TeamCity Plugin, you must have:

• Packaged your application code to include the required debug symbols, as described in the packaging requirements. For a .NET application, use Veracode Static for Visual Studio to prepare a build. To automate building a .NET application, you can precompile it with the Microsoft Build Engine (MSBuild).
• Signed in to TeamCity as an administrator.
• Generated API credentials.
• One of the following Veracode account types:

  • A user account with these roles:

    • Creator or Security Lead role to be able to create application profiles, and upload and scan applications.
    • Submitter role to create a new scan for an existing application and upload and scan these applications.
    • Reviewer role to check scan completion.

  • An API service account with these API roles:

    • Upload API to create application profiles, create sandboxes, and upload and scan applications.
    • Upload API - Submit Only to submit scans.
    • Results API to check scan completion.
• Ensured that all required Veracode IP addresses for the Veracode APIs and integrations are on the allowlist for your organization. The APIs use these addresses to authenticate with Veracode. To update your allowlist, you might need to contact your IT team.

Install the Veracode TeamCity Plugin

You can download the Veracode TeamCity Plugin ZIP file from the JetBrains Marketplace.

To complete this task:

1. Download the TeamCity plugin ZIP file from the JetBrains Marketplace.

2. Copy the plugin ZIP file to the directory {TeamCity_data_directory}/plugins.

   note

   Do not rename the plugin ZIP file.

3. Restart the TeamCity server.

4. To ensure you successfully installed the plugin, select Administration > Plugins List.

Configure TeamCity global settings

You can configure TeamCity to customize the integration of the Veracode TeamCity Plugin.

To complete this task:

1. In the Integrations section of the Administration page, select Veracode to display the global configuration settings.

2. In the Fail Build section, ensure the checkbox is selected to cause TeamCity to fail the build if the Veracode upload and scan task fails.

3. In the Veracode Credentials section, enter your API credentials.

4. In the Default Values section, select the checkbox to apply defaults to all applications for all TeamCity jobs for these settings:

   • Use the TeamCity project name as the default name for new applications. You can override this setting for individual projects.
   • Use the TeamCity server workspace path and IP address as the default application description. For example: TeamCity-URL: http://localhost:8080/ Host-Name: user-1234 Workspace-Path:C:\TeamCity\buildAgent\work\8948ef41a3f17e4e (Auto-generated by Veracode Teamcity Plugin)
   • Use the TeamCity project build number as the default scan name. You can override this setting for individual projects.

5. In the Debug section, select the Run in debug mode checkbox to run in debug mode. If you select this option, TeamCity collects detailed information about Veracode scans and stores the information in the console log of each TeamCity project.

6. If you intend to connect using a proxy, in the Proxy Settings section, select the Use Proxy checkbox. Then, provide the specific host, port, username, and password settings for global use in TeamCity.

7. Optionally, select Test connection to confirm that you can connect to the Veracode Platform using the Veracode credentials you provided.

8. Select Save.

Configure a TeamCity project for Veracode scans

You can configure TeamCity jobs to upload binaries to Veracode for scanning. When you perform a Veracode scan, you use your same TeamCity build process, but add a build step for the Veracode parameters.

Before you begin:

If you want your project to include automatic deletion of incomplete scans, you must have a user account with the Delete Scans role or an API service account with the Upload and Scan role.

To complete this task:

1. Open the TeamCity project to which you want to apply the Veracode settings.
2. Select Edit Configuration Settings in the top-right corner.
3. In Build Steps, select Add build step.
4. From the dropdown menu, select Upload and Scan with Veracode.
5. In the Application Name field, enter the name of the application you want Veracode to scan.
6. Optionally, if the specified Veracode application does not already exist, select Create New.
7. If applicable, enter the name of the team associated with the scan. To enter more than one team, use a comma-separated list.
8. From the Business Criticality menu, select the level of criticality of this application.
9. In the development sandbox Name field, enter the name of the sandbox in which you want to run the scan as a sandbox scan.
10. Select the Create Sandbox checkbox if the sandbox does not already exist, but is a new sandbox you want TeamCity to create.
11. In the Scan Name field, enter a name for the static scan you want to submit to Veracode for this application.
12. In the Upload field, you can include and exclude filepath patterns of the files you want to upload and scan. Use a comma-separated list of Ant-style include patterns relative to the job workspace project name that you entered in the Project Name field.
13. In the Scan field, you can include and exclude filename patterns of the uploaded files you want to scan as top-level modules. Use a comma-separated list of Ant-style include patterns with only the filenames of the files you have uploaded, not the filepaths.
14. Optionally, use the Save As fields to automatically remove characters from the filenames you are uploading, such as version numbers in this example: teamcity-plugin-1.2.0.jar. In the Filename Pattern field, enter the filename and replace the text you want to always remove with two asterisks, such as in this example: teamcity-plugin**.jar. In the Replacement Pattern field, enter the filename to which you want to rename your files, as in this example: teamcity-plugin.jar.
15. Select the Wait for scan to complete checkbox if you want the TeamCity build to wait for the Veracode scan to complete. Enter the timeout period (in minutes) that you want TeamCity to wait. A Veracode policy scan fails, regardless of whether it completes or not, if it does not meet the requirements of the associated policy.
16. For Delete Incomplete Scan, select an option for automatically deleting an incomplete scan, based on its status, to allow the uploadandscan action to continue processing. Default is 0, which specifies to not delete an incomplete scan.
17. For Veracode Credentials, enter your API credentials. If you entered these credentials on the Veracode administration page, you can select the Use global Veracode user credentials checkbox. The credentials you enter here override the global credentials.
18. Select Save.
19. Review all the build steps and select Run.

You can select the blue ? icons in the field names to see more information.

Uninstall the Veracode TeamCity Plugin

You can uninstall the Veracode TeamCity Plugin to remove Veracode scanning from your TeamCity projects.

To complete this task:

1. In TeamCity, select Administration > Plugins List > External plugins.

2. Delete the plugin ZIP file from the directory {TeamCity data directory}/plugins.

3. Delete the VeracodeGlobal.properties file:

   • On Windows, C:\ProgramData\JetBrains\TeamCity\config
   • On Linux, {TeamCity data directory}/.BuildServer/config

4. Restart the TeamCity server.