AWS CodeStar
You can use Veracode for AWS CodeStar to seamlessly integrate Veracode Static Analysis and Veracode Software Composition Analysis (SCA) agent-based scans with your Amazon Web Services (AWS) pipelines.
This table describes the workflows for integrating the supported scan types:

Scan Type | Integration Workflow
---|---
Veracode Static Analysis | The general workflow for integrating static analysis, using a policy or development sandbox, into your AWS pipeline.
Veracode Software Composition Analysis | The general workflow for integrating SCA into your AWS pipeline.
Simple AWS pipeline stage example
To add Veracode security scanning to AWS, create an AWS pipeline with two build stages:
- Build stage: builds the application you want to analyze.
- Security stage: receives the build output from the Build stage. The Security stage includes two actions, one for the static analysis build project and one for the SCA build project:
  - An action that uses the Java API wrapper to upload the build output to Veracode for static analysis.
  - An action that uses agent-based scanning to perform SCA on the build output.
Configure an AWS pipeline for Veracode security scanning
You configure a new or existing pipeline in AWS CodePipeline that includes a build stage for performing Veracode Static Analysis and Veracode Software Composition Analysis (SCA) agent-based scans of your application build output. These analyses can run in the same stage or different stages, but you must place them in the pipeline after the application build stage.
This procedure applies to a new or existing pipeline in AWS CodePipeline. For a new pipeline, you complete each section on the Create new pipeline page, then select Next to proceed and save the configuration. For an existing pipeline, you edit each pre-configured section, including actions, on a separate page, then select Done to save the configuration.
To complete this task:
1. In AWS, configure a new or existing pipeline. If you use an existing pipeline, ensure the pipeline has a stage for building the application you want to scan.
2. Add a stage with an action that specifies the location of your application source to include in the build.
3. Add a stage with an action that builds the application. For Output artifacts, enter a name for the compiled build output. You specify this value in the next stage for Veracode security scanning.
4. Configure a stage with an action for performing Veracode security scanning.
   Note: The Veracode security scanning stage scans the build output from the stage that builds the application. You must ensure that you place the Veracode security scanning stage after the application build stage.
   The following fields require specific values:
   - Input artifacts: specify the value from the Output artifacts field in the previous stage for building the application.
   - Project name: specify the name of your static analysis build project or SCA build project. If you have not created a build project, or the project is not available from the dropdown menu, select Create project. If you want to add both projects to the same stage, add a separate action for each build project.
   - Output artifacts: leave this field empty. The build projects for Veracode scanning do not generate output artifacts. You can view the scan results in the Veracode Platform.
Task result:
After you complete this task, you have a pipeline that contains three build stages. For example:
- Source stage: contains an action that specifies the GitHub repository where the application source code is stored.
- Build stage: contains an action that specifies an AWS CodeBuild project for building the application. It uses the required build configuration and the name for the output artifacts.
- Security stage: contains two actions for scanning the build output:
  - An action that specifies the name of an AWS CodeBuild project for performing static analysis.
  - An action that specifies the name of an AWS CodeBuild project for performing an SCA agent-based scan.
Next steps:
Review the scan results in the Veracode Platform.
Configure an AWS CodeBuild project for Static Analysis
You configure a new or existing build project in AWS CodeBuild that includes the Veracode Java API wrapper, your Veracode API credentials, and the Veracode API commands to call for performing static analysis. You add the build project to a pipeline stage in CodePipeline for analyzing the build output from your application build stage.
This procedure applies to both new and existing build projects. For a new project, you complete each section on the Create build project page, then select Create build project to save the configuration and build the project. For an existing project, you edit each pre-configured section on a separate page, then select Update after completing your edits.
Before you begin:
- Generate Veracode API credentials.
- Store Veracode API credentials securely using AWS Systems Manager Parameter Store or AWS Secrets Manager.
- If you are performing static analysis using a development sandbox, configure the sandbox you want to use.
- Compile and package your application source files according to the packaging requirements.
- Ensure you have access to the Veracode Java API wrapper Docker image.
To complete this task:
1. In AWS, create or edit a build project.
2. In the build project, configure the Project configuration and Source sections for your development environment.
3. In the Environment section, under Environment image, reference the Veracode Java API wrapper Docker image.
4. Expand Additional configuration.
5. In the Environment variables section, add environment variables for the API ID and API key for your Veracode API credentials.
   For example, you can enter a `VID` variable for the API ID and a `VKEY` variable for the API key. The values specify the location of the actual API ID and API key, not the credentials themselves. If your credentials are stored in AWS Systems Manager Parameter Store, select the Parameter type for both variables. If your credentials are stored in AWS Secrets Manager, set the type to Secrets Manager.
6. In the Buildspec section, enter the Java API wrapper commands. For example:
   ```
   java -jar /opt/veracode/api-wrapper.jar -action uploadandscan -vid $VID -vkey $VKEY -appname verademo-java -createprofile false -version $(date +%Y-%m-%d-%H:%M) -filepath target/verademo.war -sandboxname aws-codebuild -createsandbox true
   ```
   This example command references the API wrapper JAR file, which is contained in a `veracode` directory in the Docker image, and calls the `uploadandscan` action in a development sandbox. The values for the `-vid` and `-vkey` parameters are the `VID` and `VKEY` environment variable names defined in the Environment variables section.
   Note: To ensure your Veracode API credentials are stored securely, Veracode recommends that you do not store them in the build specification as plain text.
7. Optionally, in the Logs section, select to upload the build logs to CloudWatch or S3. The logs include build output for the API wrapper, which you can view in the build history for troubleshooting purposes.
8. To ensure it is configured correctly, build your project.
9. Review the build log and resolve any build errors.
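As an added example that is not part of the Veracode documentation, this is a complete buildspec for the static analysis build project that resolves the API credentials from Parameter Store at build time, so nothing sensitive appears in the buildspec or the console, and fails the build early if the artifact from the application build stage is missing. The parameter names `/veracode/api-id` and `/veracode/api-key` and the artifact path `target/verademo.war` are assumptions.

```yaml
version: 0.2

env:
  # Map the environment variable names the wrapper command uses to the
  # Parameter Store names where the real values live (names are assumptions).
  # CodeBuild fetches the values at build time; the buildspec never holds them.
  parameter-store:
    VID: /veracode/api-id
    VKEY: /veracode/api-key

phases:
  pre_build:
    commands:
      # The Security stage consumes the Build stage's output artifact. Fail fast
      # with a clear message instead of uploading nothing to Veracode.
      - test -f target/verademo.war || { echo "build artifact target/verademo.war not found"; exit 1; }
  build:
    commands:
      # Same uploadandscan call as in the procedure above, split over lines with
      # a YAML folded scalar for readability. Quoting $VID and $VKEY keeps the
      # credentials from being word-split if they ever contain spaces.
      - >
        java -jar /opt/veracode/api-wrapper.jar
        -action uploadandscan
        -vid "$VID" -vkey "$VKEY"
        -appname verademo-java
        -createprofile false
        -version "$(date +%Y-%m-%d-%H:%M)"
        -filepath target/verademo.war
        -sandboxname aws-codebuild
        -createsandbox true
```

If the credentials are kept in AWS Secrets Manager instead, replace the `parameter-store` key with `secrets-manager` and reference the secret name in the same way; the build commands do not change.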
Next steps:
Add this build project to a new or existing stage in a new or existing pipeline. In the pipeline, the stage to which you add this build project must run after the stage that builds your application.
Configure an AWS CodeBuild project for SCA
You configure a new or existing build project in AWS CodeBuild that performs Veracode Software Composition Analysis (SCA) agent-based scans. You add the build project to a pipeline stage in CodePipeline to analyze the build output from your application build stage.
This procedure applies to both new and existing build projects. For a new project, you complete each section on the Create build project page and then select Create build project to save the configuration and build the project. For an existing project, you edit each pre-configured section on a separate page and then select Update after completing your edits.
Before you begin:
- Generate Veracode API credentials.
- Configure agent-based scanning.
- Generate your agent-based scanning API token. Your token is stored securely as an environment variable in AWS Systems Manager Parameter Store or AWS Secrets Manager.
- Compile and package your application source files according to the packaging requirements.
To complete this task:
1. In AWS, create or edit a build project to use for SCA.
2. In the build project, configure the Project configuration, Source, and Environment sections for your development environment.
   Veracode recommends that the environment settings in this build project match the environment settings in the build project for building your application. For example, if you use a specific Docker image for your build project, reference that same image in this section.
3. In the Environment section, expand Additional configuration.
4. To specify your agent-based scanning API token, add this environment variable in the Environment variables section:
   a. Name: enter `SRCCLR_API_TOKEN`.
   b. Value: enter the location of your authentication token, for example the parameter name or secret name, rather than the token itself.
   c. Type: select Parameter.
5. Select Add environment variable to add additional environment variables required for accessing your source code management (SCM) system.
6. To specify the `SRCCLR_SCM_REV` variable and to run SCA, add the following commands in the Buildspec section:
   ```yaml
   phases:
     build:
       commands:
         - export SRCCLR_SCM_REV="${CODEBUILD_RESOLVED_SOURCE_VERSION}"
         - curl -sSL https://sca-downloads.veracode.com/ci.sh | sh
   ```
   The value of the `SRCCLR_SCM_REV` variable points to the commit ID of the application version checked out in CodePipeline during each build. Because the value is dynamic rather than static, you must specify it in the build specification. Also, if you add this build project and the build project for static analysis to the same build stage, the `SRCCLR_SCM_REV` variable ensures that both projects can run concurrently.
7. Save or update the build project.
8. To ensure your build project is configured correctly, build your project.
9. To identify any build errors, review the build log.
Next steps:
- Add this build project to a new or existing stage in a new or existing pipeline. In the pipeline, the stage to which you add this build project must run after the stage that builds your application.
- Optionally, to fail the build if the application fails to pass the Veracode analysis stage, in the Veracode Platform, configure a custom rule.