Pipeline Scan examples
To help you integrate Veracode Pipeline Scan into your development environments, this section provides example configuration scenarios that demonstrate a few common configurations you can use as a reference.
For code examples that you can use as templates to add Pipeline Scan to a job or stage in your development pipelines, select from the following CI/CD and source code management (SCM) tools. Ensure you add the Pipeline Scan stage after the stage that builds your application.
The code examples include scripts to download and extract the pipeline-scan-LATEST.zip archive to ensure your pipeline is using the latest files. The README file in the pipeline-scan-LATEST.zip archive also contains these examples. For improved stability, we recommend that you change these scripts to use the Pipeline Scan Docker image.
For example scan results output, see the example scan results.
For additional code examples or to ask questions, visit the Veracode Community.
Example configuration scenarios
This section provides a few configuration scenarios that you can use when deciding how you want to implement a Pipeline Scan in your development environment. You add these scenarios to a stage in your pipeline that runs after the stage for building your application.
Report flaws that violate policy and proceed regardless of the results
- Define the policy criteria with the --fail_on_severity and --fail_on_cwe parameters, or use the --policy_file or --policy_name parameters to specify a security policy.
- Initiate the Pipeline Scan on the built application.
- After the Pipeline Scan stage runs, proceed to the next stage, ignoring any exit code from the Pipeline Scan stage. Veracode identifies this scenario as allow failure. Implementation details vary for each CI system.
Fail the Pipeline Scan stage if flaws violate policy (break the build)
- Define the policy criteria with the --fail_on_severity and --fail_on_cwe parameters, or with a security policy using the --policy_file or --policy_name parameters.
- Initiate the Pipeline Scan on the built application.
- The Pipeline Scan stage fails if it finds any flaws matching the defined criteria. The exit code reports the number of flaws, up to 200.
- The Pipeline Scan stage passes if it does not find flaws matching the defined criteria.
Fail the Pipeline Scan stage if new flaws violate policy (break the build)
- Include a baseline file, either as an artifact from a previous build or the project repository, to establish a set of known flaws for the scanned application.
- Define the policy criteria with the --fail_on_severity and --fail_on_cwe parameters, or with a security policy using the --policy_file or --policy_name parameters. Include the baseline file using the -bf parameter.
- Initiate the Pipeline Scan on the built application.
- The Pipeline Scan stage fails if it finds any flaws matching the defined criteria that are not present in the baseline file. The exit code reports the number of flaws, up to 200.
- The Pipeline Scan stage passes if it does not find flaws that match the defined criteria or if the baseline file includes all the flaws.
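The three scenarios differ only in what the stage does with the scan's exit code. The following POSIX sh wrapper is an added example, not code from Veracode's documentation or from the README in the archive: it implements the "allow failure" and "break the build" behaviours in one function and shows the baseline scenario built from the parameters documented above. The pipeline-scan.jar invocation, the --file parameter, the artifact and baseline file names, and the severity and CWE values are assumptions.

```shell
#!/bin/sh
# Added example: a POSIX sh wrapper for the Pipeline Scan stage that implements
# the "allow failure" and "break the build" behaviours from the scenarios above.
# Pipeline Scan's exit code is the number of policy-violating flaws (up to 200),
# so the stage's verdict is derived from that code.
#
# Usage: run_scan_stage <allow_failure|break_build> <scan command...>
run_scan_stage() {
  mode="$1"; shift
  "$@"                         # run the scan (or, in tests, a stand-in command)
  scan_rc=$?
  case "$mode" in
    allow_failure)
      # Report flaws but proceed to the next stage regardless of the exit code.
      if [ "$scan_rc" -ne 0 ]; then
        echo "Pipeline Scan found $scan_rc flaw(s) violating policy; continuing (allow failure)"
      fi
      return 0 ;;
    break_build)
      # Any flaw matching the policy criteria fails this stage.
      if [ "$scan_rc" -ne 0 ]; then
        echo "Pipeline Scan found $scan_rc flaw(s) violating policy; failing the stage"
      fi
      return "$scan_rc" ;;
    *)
      echo "run_scan_stage: unknown mode '$mode'" >&2
      return 2 ;;
  esac
}

# Scenario 3, "fail if new flaws violate policy": break the build, but only on
# flaws absent from the baseline file passed with -bf. The artifact name, the
# baseline file name, the severity list and the CWE list are assumed values;
# --file names the built application to scan (assumed parameter, not on this page).
scan_new_flaws_against_baseline() {
  app="${1:-build/app.jar}"
  baseline="${2:-baseline.json}"
  run_scan_stage break_build java -jar pipeline-scan.jar \
    --file "$app" \
    --fail_on_severity "Very High, High" \
    --fail_on_cwe "79,89" \
    -bf "$baseline"
}

# Constructed stand-in for the scanner so the wrapper can be exercised offline:
# "sh -c 'exit 3'" mimics a scan that reported three policy-violating flaws.
if run_scan_stage allow_failure sh -c 'exit 3'; then
  echo "allow failure: next stage would run"
fi
```

Calling run_scan_stage from an if or || context keeps set -e from aborting the job before the wrapper can classify the exit code.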