Configure Pipeline Scan logging

Veracode provides a few configuration options for generating log messages from Pipeline Scans.

To obtain detailed console output during scanning, add the parameter --verbose=true to your pipeline script.

To send logging information to outputs other than the console, you can use the Apache Log4j 2 utility.

To configure logging settings, you can include a Log4j 2 configuration file with the name pipeline.scan.log4j2.properties in the execution directory of pipeline-scan.jar. The configuration file overrides the command-line options.

The following examples show a Java properties configuration and an XML configuration that use Log4j 2 to:

  • Send verbose and debug messages to the log file pipeline-scan.log.
  • Send information messages to the console.

In both examples, you can turn on logging to the console by setting logger.file.additivity to true (in the XML example, the additivity attribute of the PIPELINE_SCAN Logger element).

pipeline.scan.log4j2.properties example

# Extra logging related to initialization of Log4j
# Set to debug or trace if log4j initialization is failing
status = warn

# Name of the configuration
name = ConsoleLogForPipelineScan

# Define the output file, e.g. logs/pipeline-scan.log, pipeline-scan.log
property.filename = pipeline-scan.log

# Console appender configuration
appender.console.type = Console
appender.console.name = consoleLogger
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = [%d{dd MMM yyyy HH:mm:ss,SSSS}] PIPELINE-SCAN %p: %m %n

# File appender configuration
appender.file.type = File
appender.file.name = fileLogger
appender.file.fileName = ${filename}
appender.file.layout.type = PatternLayout
appender.file.layout.pattern = [%d{dd MMM yyyy HH:mm:ss,SSSS}] PIPELINE-SCAN %p: %m %n

logger.file.name = PIPELINE_SCAN
logger.file.level = debug
logger.file.additivity = false
logger.file.appenderRef.file.ref = fileLogger

rootLogger.level = info
rootLogger.appenderRef.stdout.ref = consoleLogger

log4j2.xml configuration file example

Alternatively, to use a log4j2.xml configuration file like this example, you must specify the command line option -Dlog4j.configurationFile=[path-to]/log4j2.xml when running a pipeline scan:

<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{HH:mm:ss.SSS} %-5level - %msg%n"/>
    </Console>
    <File name="File" fileName="pipeline-scan.log" append="true">
      <PatternLayout>
        <Pattern>%d{HH:mm:ss.SSS} [%t] %-5level - %msg%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Logger name="PIPELINE_SCAN" level="debug" additivity="false">
      <AppenderRef ref="File"/>
    </Logger>
    <Root level="info">
      <AppenderRef ref="Console"/>
    </Root>
  </Loggers>
</Configuration>