JetBrains TeamCity

You can use the Veracode TeamCity Plugin to integrate Veracode Static Analysis with your build process.

You can use the plugin to perform these tasks:

  • Synchronously scan and provide results.
  • Stop the build if the Veracode scan results violate the security policy.
  • Run a scan in a sandbox.
  • Create an application profile if one does not already exist.

Supported versions

TeamCity Enterprise 2023.05, 2023.11, 2024.03, 2024.07, 2024.12, and 2025.03

Supported libraries

Java 8 and 11

Prerequisites

Before you can install and use the TeamCity Plugin, you must have:

  • Packaged your application code to include the required debug symbols, as described in the packaging requirements. For a .NET application, use Veracode Static for Visual Studio to prepare a build. To automate building a .NET application, you can precompile it with the Microsoft Build Engine (MSBuild).
  • Signed in to TeamCity as an administrator.
  • Generated API credentials.
  • One of the following Veracode account types:
    • A user account with these roles:

      • Creator or Security Lead role to be able to create application profiles, and upload and scan applications.
      • Submitter role to create a new scan for an existing application and upload and scan these applications.
      • Reviewer role to check scan completion.
    • An API service account with these API roles:

      • Upload API to create application profiles, create sandboxes, and upload and scan applications.
      • Upload API - Submit Only to submit scans.
      • Results API to check scan completion.
  • Ensured that all required Veracode IP addresses for the Veracode APIs and integrations are on the allowlist for your organization. The APIs use these addresses to authenticate with Veracode. To update your allowlist, you might need to contact your IT team.

Install the Veracode TeamCity Plugin

You can download the Veracode TeamCity Plugin ZIP file from the JetBrains Marketplace.

To complete this task:

  1. Download the TeamCity plugin ZIP file from the JetBrains Marketplace.

  2. Copy the plugin ZIP file to the directory {TeamCity_data_directory}/plugins.

    Note: Do not rename the plugin ZIP file.

  3. Restart the TeamCity server.

  4. To ensure you successfully installed the plugin, select Administration > Plugins List.

Configure TeamCity global settings

You can configure TeamCity to customize the integration of the Veracode TeamCity Plugin.

To complete this task:

  1. In the Integrations section of the Administration page, select Veracode to display the global configuration settings.

  2. In the Fail Build section, ensure the checkbox is selected to cause TeamCity to fail the build if the Veracode upload and scan task fails.

  3. In the Veracode Credentials section, enter your API credentials.

  4. In the Default Values section, select the checkbox to apply defaults to all applications for all TeamCity jobs for these settings:

    • Use the TeamCity project name as the default name for new applications. You can override this setting for individual projects.
    • Use the TeamCity server workspace path and IP address as the default application description. For example: TeamCity-URL: http://localhost:8080/ Host-Name: user-1234 Workspace-Path:C:\TeamCity\buildAgent\work\8948ef41a3f17e4e (Auto-generated by Veracode Teamcity Plugin)
    • Use the TeamCity project build number as the default scan name. You can override this setting for individual projects.
  5. In the Debug section, select the Run in debug mode checkbox to run in debug mode. If you select this option, TeamCity collects detailed information about Veracode scans and stores the information in the console log of each TeamCity project.

  6. If you intend to connect using a proxy, in the Proxy Settings section, select the Use Proxy checkbox. Then, provide the specific host, port, username, and password settings for global use in TeamCity.

  7. Optionally, select Test connection to confirm that you can connect to the Veracode Platform using the Veracode credentials you provided.

  8. Select Save.

Configure TeamCity Cloud for Veracode scans

TeamCity Cloud uses project-level Veracode connections to securely manage API credentials. This replaces the global plugin settings used in on-premises TeamCity.

A Veracode connection securely stores API credentials and configuration for authentication. Once created, the connection is available to build steps within that project and its subprojects.

To complete this task:

  1. In TeamCity Cloud, go to your project.
  2. Select Edit Project Settings.
  3. In the left pane, select Connections.
  4. Select Add Connection.
  5. From the Connection Type dropdown, select Veracode.
  6. Enter a name for the connection. This name appears in Veracode build step configuration menus.
  7. Enter your Veracode API ID and API Key.
  8. Select Test Connection to validate the credentials.
  9. Select Save.

Note:
  • When configuring a Veracode build step, select the Veracode connection you created.
  • TeamCity Cloud does not support global proxy settings for Veracode.

Configure a TeamCity project for Veracode scans

You can configure TeamCity jobs to upload binaries to Veracode for scanning. When you perform a Veracode scan, you use your same TeamCity build process, but add a build step for the Veracode parameters.

Before you begin:

If you want your project to include automatic deletion of incomplete scans, you must have a user account with the Delete Scans role or an API service account with the Upload and Scan role.

To complete this task:

  1. Open the TeamCity project to which you want to apply the Veracode settings.
  2. Select Edit Configuration Settings in the top-right corner.
  3. In Build Steps, select Add build step.
  4. From the dropdown menu, select Upload and Scan with Veracode.
  5. In the Application Name field, enter the name of the application you want Veracode to scan.
  6. Optionally, if the specified Veracode application does not already exist, select Create New.
  7. If applicable, enter the name of the team associated with the scan. To enter more than one team, use a comma-separated list.
  8. From the Business Criticality menu, select the level of criticality of this application.
  9. In the development sandbox Name field, enter the name of the sandbox in which you want to run the scan as a sandbox scan.
  10. If the sandbox does not already exist and you want TeamCity to create it, select the Create Sandbox checkbox.
  11. In the Scan Name field, enter a name for the static scan you want to submit to Veracode for this application.
  12. In the Upload field, you can include and exclude filepath patterns of the files you want to upload and scan. Use a comma-separated list of Ant-style include patterns relative to the job workspace project name that you entered in the Project Name field.
  13. In the Scan field, you can include and exclude filename patterns of the uploaded files you want to scan as top-level modules. Use a comma-separated list of Ant-style include patterns with only the filenames of the files you have uploaded, not the filepaths.
  14. Optionally, use the Save As fields to automatically remove characters from the filenames you are uploading, such as version numbers in this example: teamcity-plugin-1.2.0.jar. In the Filename Pattern field, enter the filename and replace the text you want to always remove with two asterisks, such as in this example: teamcity-plugin**.jar. In the Replacement Pattern field, enter the filename to which you want to rename your files, as in this example: teamcity-plugin.jar.
  15. Select the Wait for scan to complete checkbox if you want the TeamCity build to wait for the Veracode scan to complete. Enter the timeout period (in minutes) that you want TeamCity to wait. A Veracode policy scan fails, regardless of whether it completes or not, if it does not meet the requirements of the associated policy.
  16. For Delete Incomplete Scan, select an option for automatically deleting an incomplete scan, based on its status, to allow the uploadandscan action to continue processing. Default is 0, which specifies to not delete an incomplete scan.
  17. For Veracode Credentials, enter your API credentials. If you entered these credentials on the Veracode administration page, you can select the Use global Veracode user credentials checkbox. The credentials you enter here override the global credentials.
  18. Select Save.
  19. Review all the build steps and select Run.

You can select the blue ? icons in the field names to see more information.

Veracode TeamCity Plugin script parameters

This table describes the parameters and their values for using the TeamCity plugin in a build script.

| Parameter | Type | Description |
|---|---|---|
| Step Name | String | Optional. Use to distinguish this build step from other steps. |
| Step ID (required) | String | Unique identifier for the step. Typically matches the Step Name. Used in URLs, REST API, DSL, HTTP requests, and TeamCity configuration settings. Must be unique across all steps in the configuration. |
| applicationName (required) | String | Name of the application profile. |
| CreateApplication | Boolean | Set to true to create a new application if no matching application exists on the Veracode Platform. If false and no match is found, the build fails. |
| teams | String | Comma-separated list of team names associated with the application. Team names must already exist in your Veracode account. Required unless your user role is Security Lead. If omitted, the build fails. Team names are case-sensitive and must match exactly. If any team name does not exist, the build fails. |
| scanName (required) | String | Name of the scan. You can enter the $buildnumber or $projectname variables to dynamically bind the build number or project name to the scan name, instead of using a fixed scan name. Equivalent to Version or Build in the Veracode API. |
| criticality | String | Required if you include the CreateApplication parameter. Business criticality level of the scan: VeryHigh, High, Medium, Low, VeryLow. |
| sandboxName | String | For development sandbox scans, the name of the sandbox in which to run the scan. If the sandbox does not exist, include createSandbox to create it with the specified name. If empty, no sandbox is used. |
| createSandbox | Boolean | Set to true to create a sandbox for the specified Veracode application. Set to false to not create a sandbox. If true, TeamCity creates a new sandbox when you provide a sandbox name and no matching sandbox exists on the Veracode Platform. If false and you provide a sandbox name but no matching sandbox exists, the TeamCity build fails. |
| uploadIncludesPattern (required) | String | Include filepath patterns of the files you want to upload and scan. Use a comma-separated list of Ant-style include patterns relative to the build workspace directory. If empty, all files in the workspace root are included. |
| uploadExcludesPattern | String | Exclude filepath patterns of the files you do not want to upload and scan. Use a comma-separated list of Ant-style include patterns relative to the job workspace directory. If empty, no files are excluded. |
| scanIncludesPattern | String | Case-sensitive, comma-separated list of module name patterns that represent the names of modules to scan as top-level modules. The * wildcard matches 0 or more characters. The ? wildcard matches exactly one character. If empty, all uploaded files are scanned. |
| scanExcludesPattern | String | Case-sensitive, comma-separated list of module name patterns that represent the names of modules to not scan as top-level modules. The * wildcard matches 0 or more characters. The ? wildcard matches exactly one character. If empty, no files are excluded. |
| fileNamePattern | String | Case-sensitive filename pattern that represents the names of uploaded files to save with a different name. The * wildcard matches 0 or more characters. The ? wildcard matches exactly one character. Each wildcard corresponds to a numbered group that you can reference in the replacement pattern. |
| replacementPattern | String | Replacement pattern that references groups captured by the filename pattern. For example, if the filename pattern is *-*-SNAPSHOT.war and the replacement pattern is $1-master-SNAPSHOT.war, an uploaded file named app-branch-SNAPSHOT.war is saved as app-master-SNAPSHOT.war. |
| waitForScan | Boolean | Set to true to submit the scan and have the TeamCity build wait for the amount of time, in minutes, specified for the timeout parameter. If the scan does not complete and pass policy compliance within the specified time, the build fails. |
| timeout | Integer | Number of minutes to wait for the scan to complete and pass policy. If the scan does not complete or fails policy, the build fails. Default is 60 minutes. |
| deleteIncompleteScanLevel | String | Automatically delete an incomplete scan based on its status to allow the uploadandscan action to continue processing. You can review the status of a scan in the TeamCity build logs. To delete scans, you must have a user account with the Delete Scans role or an API service account with the Upload and Scan role. One of these values: 0 (the default): do not delete an incomplete scan when running the uploadandscan action. If set, you must delete an incomplete scan manually to proceed with the uploadandscan action. 1: delete a scan with a status of incomplete, no modules defined, failed, or canceled to proceed with the uploadandscan action. If errors occur, the TeamCity plugin automatically deletes the incomplete scan. 2: delete a scan of any status except Results Ready to proceed with the uploadandscan action. If errors occur, the TeamCity plugin automatically deletes the incomplete scan. |
| maxretrycount | Integer | Number of times to retry requests that fail due to certain error conditions. This parameter now retries failed requests. Previously, it polled for failed build status and applied only to the uploadandscan action. |
| UseGlobalCredentials | Boolean | Set to true to apply global credentials for the scan. If false, you can manually provide API ID and API Key. |
| useProxy | Boolean | Set to true if using a proxy to access Veracode. Requires pHost, pPort, pUser, and pPassword. |
| pHost | String | Required if you include the useProxy parameter. Hostname of your proxy host. |
| pPort | Integer | Required if you include the useProxy parameter. Port number for the proxy host. |
| pUser | String | Required if you include the useProxy parameter. Username for the proxy host. |
| pPassword | String | Required if you include the useProxy parameter. Password for the proxy host. |
| canFailJob | Boolean | Set to true if you want the entire TeamCity build to fail if the upload and scan with Veracode action fails. If set to false and the upload and scan with Veracode action fails, TeamCity completes the build, logs the failure, but does not notify you about the failure. |
| vid (required) | String | Veracode API ID. If your credentials are bound to environment variables, enter the environment variable bound to the API ID. |
| vkey (required) | String | Veracode API key. If your credentials are bound to environment variables, enter the environment variable bound to the API key. |
| debug | Boolean | Set to true to include detailed build information in the TeamCity build logs for debugging. Set to false to not include detailed build information in the logs. |
| ScanAllNonFatalTopLevelModules | Boolean | If fatal errors do not exist in the selected modules, this parameter does not have any effect. If set to true and fatal errors exist in any of the selected modules, this parameter removes the errors and continues the scan of the nonfatal selected modules. If set to false and fatal errors exist in any of the selected modules, this parameter stops the scan. |
| IncludeNewModules | Boolean | If ScanAllNonFatalTopLevelModules is set to true, set this parameter to true to include all the new top-level modules in the scan. The scan also includes previously selected modules by default. Note: If ScanAllNonFatalTopLevelModules is set to false, this parameter is set to false by default. |
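
The wildcard rules given for fileNamePattern, replacementPattern, scanIncludesPattern, and scanExcludesPattern can be checked locally before a build, so that a pattern that selects no modules is caught before a scan runs with nothing in it. The following Python sketch is an added example, not Veracode plugin code: the function names are hypothetical, the artifact names are constructed, and it assumes whole-name, greedy matching and that a file the filename pattern does not match keeps its name.

```python
import re

def wildcard_to_regex(pattern):
    """'*' = zero or more chars, '?' = exactly one; each wildcard is a numbered group."""
    tokens = {"*": "(.*)", "?": "(.)"}
    return re.compile("".join(tokens.get(ch, re.escape(ch)) for ch in pattern))

def save_as(filename, file_name_pattern, replacement_pattern):
    """Name an uploaded file would be saved under (unchanged if the pattern misses)."""
    match = wildcard_to_regex(file_name_pattern).fullmatch(filename)
    if match is None:
        return filename
    def group_text(ref):
        index = int(ref.group(1))
        if not 1 <= index <= match.re.groups:
            raise ValueError(f"${index} has no matching wildcard in {file_name_pattern!r}")
        return match.group(index)
    # Replace $1, $2, ... with the text captured by the corresponding wildcard.
    return re.sub(r"\$(\d+)", group_text, replacement_pattern)

def split_patterns(csv):
    """Compile a comma-separated pattern list, ignoring blanks and padding."""
    return [wildcard_to_regex(p.strip()) for p in csv.split(",") if p.strip()]

def top_level_modules(uploaded, scan_includes="", scan_excludes=""):
    """Empty includes selects every uploaded file; empty excludes removes none."""
    includes, excludes = split_patterns(scan_includes), split_patterns(scan_excludes)
    selected = []
    for name in uploaded:
        if includes and not any(rx.fullmatch(name) for rx in includes):
            continue
        if any(rx.fullmatch(name) for rx in excludes):
            continue
        selected.append(name)
    return selected

if __name__ == "__main__":
    # Constructed workspace artifacts, not taken from a real build.
    artifacts = ["app-branch-SNAPSHOT.war", "lib-a.jar", "lib-b.jar", "App-tests.jar"]
    renamed = [save_as(a, "*-*-SNAPSHOT.war", "$1-master-SNAPSHOT.war") for a in artifacts]
    print(renamed)
    modules = top_level_modules(renamed, "*.war, lib-?.jar", "lib-b.jar")
    print(modules)
    if not modules:
        raise SystemExit("scanIncludesPattern selects nothing: no module would be scanned")
```
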

Uninstall the Veracode TeamCity Plugin

You can uninstall the Veracode TeamCity Plugin to remove Veracode scanning from your TeamCity projects.

To complete this task:

  1. In TeamCity, select Administration > Plugins List > External plugins.

  2. Delete the plugin ZIP file from the directory {TeamCity data directory}/plugins.

  3. Delete the VeracodeGlobal.properties file:

    • On Windows, C:\ProgramData\JetBrains\TeamCity\config
    • On Linux, {TeamCity data directory}/.BuildServer/config
  4. Restart the TeamCity server.