uploadandscan

The uploadandscan composite action enables you to upload files to Veracode for scanning.

The auto-scan parameter is always set to true (enabled) with the uploadandscan call. In the Veracode Platform, if the Auto-Scan option for a scan configuration is set to Off (disabled), the uploadandscan call overrides the Auto-Scan option.

Important

The Veracode XML APIs and the wrappers use a different syntax. For the wrappers, the parameter names omit the underscores, the parameter values omit spaces, and some parameters use different names. For example, the parameter app_id in the API is appid in the wrapper and the parameter value Very High in the API is VeryHigh in the wrapper. The parameter business_criticality in the API is criticality in the wrapper. The syntax is not interchangeable and using the wrong syntax causes your command to fail. To ensure you are using the correct syntax, see the documentation provided in the Help directory for each wrapper.

Parameters

Name	Type	Description
`appname` Required	String	Name of the application profile.
`createprofile` Required	Boolean	Create a Veracode application profile, if one does not exist, for the specified application profile name. Set to `true` to create a profile. Set to `false` to not create a profile.
`filepath` Required	String	Path of the folders and files you want to upload to Veracode for scanning. By default, the integration uploads all subdirectories and files in this path and includes them in prescan. If a path points to a file, such as `/{project_path}/my_file.xml`, the integration only uploads and prescans that file and ignores the other folders and files in the path. To specify multiple paths in the same command, add each path to a separate `-filepath` parameter. After prescan, Veracode uses the `-include` and `-exclude` parameters, if specified, to determine which uploaded files to scan as top-level modules. Ensure you have prepared the files according to the packaging guidance.
`version` Required	String	Name or version of the build that you want to scan.
`createsandbox`	Boolean	For development sandbox scans, create a sandbox for the specified Veracode application. Set to `true` to create a sandbox. Set to `false` to not create a sandbox.
`criticality`	String	Optional. Required if setting the `createprofile` parameter. The level of criticality of the scan: `VeryHigh`, `High`, `Medium`, `Low`, `VeryLow`
`deleteincompletescan` Only available with the Veracode Java API wrapper.	Integer	Automatically delete an incomplete scan based on its status to allow the `uploadandscan` action to continue processing. You can review the status of a scan in the wrapper logs. To delete scans, you must have a user account with the Delete Scans role or an API service account with the Upload and Scan role. One of these values: `0`: do not delete an incomplete scan when running the `uploadandscan` action. The default. If set, you must delete an incomplete scan manually to proceed with the `uploadandscan` action. `1`: delete a scan with a status of incomplete, no modules defined, failed, or canceled to proceed with the `uploadandscan` action. If errors occur when running this action, the Java wrapper automatically deletes the incomplete scan. `2`: delete a scan of any status except Results Ready to proceed with the `uploadandscan` action. If errors occur when running this action, the Java wrapper automatically deletes the incomplete scan.
`exclude`	String	Case-sensitive, comma-separated list of module name patterns that represent the names of modules to not scan as top-level modules. The `*` wildcard matches 0 or more characters. The `?` wildcard matches exactly one character. This parameter applies to all folders and files specified for `-filepath`.
`failbuild` Only available with the Veracode Java API wrapper.	Boolean	Fail the build if any artifacts of your packaged applications fail to upload. The default is `false`.
`include`	String	Case-sensitive, comma-separated list of module name patterns that represent the names of modules to scan as top-level modules. The `*` wildcard matches 0 or more characters. The `?` wildcard matches exactly one character. This parameter applies to all folders and files specified for `-filepath`. To prevent dependencies from being included in the scan, ensure your wildcard patterns only match the intended top-level modules.
`includenewmodules`	Boolean	If `scanallnonfataltoplevelmodules` is set to `true`, also set this parameter to `true` to automatically select all new top-level modules for inclusion in the scan. By default, the scan only includes previously selected modules.
`lifecyclestage`	String	One of these lifecycle stage values: `NotSpecified`, `InDevelopmentPreAlpha`, `InternalOrAlphaTesting`, `ExternalOrBetaTesting`, `DeployedInProductionAndActivelyDeveloped`, `MaintenanceOnlyBugFixes`, `CannotDisclose`
`pattern`	String	Case-sensitive filename pattern that represents the names of uploaded files to save with a different name. The `*` wildcard matches 0 or more characters. The `?` wildcard matches exactly one character. Each wildcard corresponds to a numbered group that you can reference in the replacement pattern.
`publishedscansonly`	Boolean	Set to `true` to only include completed, or published, scans in the results. If there are no published scans, for example, scans are in progress or not available, the results are empty. Default is `false`.
`replacement`	String	Replacement pattern that references groups captured by the filename pattern. For example, if the filename pattern is `--SNAPSHOT.war` and the replacement pattern is `$1-master-SNAPSHOT.war`, an uploaded file named `app-branch-SNAPSHOT.war` is saved as `app-master-SNAPSHOT.war`.
`sandboxid`	Integer	ID of the sandbox in which to run the scan.
`sandboxname`	String	Name of the sandbox in which to run the scan.
`scanallnonfataltoplevelmodules`	Boolean	If there are no fatal errors in the selected modules, this parameter does not have any effect. When set to `true`, if there are fatal errors in some of the selected modules, this parameter removes the errors from the selected modules and continues the scan of the nonfatal selected modules. When set to `false`, if there are fatal errors in some of the selected modules, this parameter stops the scan.
`scanpollinginterval` Only available with the Veracode Java API wrapper.	Integer	Interval, in seconds, to poll for the status of a running scan. Value range is `30` to `120` (two minutes). Default is `120`.
`scantimeout`	Integer	Number of minutes to wait for the scan to complete and pass policy. If the scan does not complete or fails policy, the build fails.
`selected`	Boolean	Set to `true` to scan the modules currently selected in the Veracode Platform.
`selectedpreviously`	Boolean	Set to `true` to scan only the modules selected in the previous scan.
`teams`	String	Comma-separated list of team names associated with the specified application. Validates against the names of existing teams for this account.
`toplevel`	Boolean	When set to `true`, Veracode only scans the top-level modules in your files. Veracode recommends that you include this parameter if you want to ensure the scan completes even though there are non-fatal errors, such as unsupported frameworks.
`repourl` Only available with the Veracode Java API wrapper.	String	Update the Git repo URL for the application profile specified for `appname`. In the Veracode Platform, on the page for the application profile, the URL replaces the value in the GIT Repo URL field under Metadata. Enter a Git or HTTP URL. For example: `- repourl git://github.io/example/repo.git` `- repourl https://github.io/example/repo.git`

`uploadandscan` examples

Veracode recommends that you use an external API credentials file to provide your credentials to the API wrapper. When you use an API credentials file, you can omit the -vid and -vkey parameters.

Java wrapper examples

Send the following request to:

Create an application profile named myapp with a Very High criticality that is visible to the team myteam.
Upload and scan files myapp.jar from the first path and sample.zip from the second path.
Create a development sandbox scan named mysandbox that only includes modules selected in the previous scan.
Wait 30 minutes for the scan to complete.

java -jar vosp-api-wrapper-java{version}.jar -action uploadandscan -vid {Veracode_API_ID} -vkey {Veracode_API_key} -appname myapp -createprofile true -criticality VeryHigh -teams myteam -sandboxname mysandbox -createsandbox true -version {build_version) -scantimeout 30 -selectedpreviously true -filepath /{project_path1}/myapp.jar -filepath /{project_path2}/sample.zip

To apply the same parameters from the previous example, but upload all folders and files from the specified path, and include all JAR files in the scan, send the following request:

java -jar vosp-api-wrapper-java{version}.jar -action uploadandscan -vid {Veracode_API_ID} -vkey {Veracode_API_key} -appname myapp -createprofile true -criticality VeryHigh -teams myteam -sandboxname mysandbox -createsandbox true -version {build_version) -scantimeout 30 -selectedpreviously true -filepath /{project_path}/ -include *.jar

To apply the same parameters from the previous example, but upload all folders and files from the specified path, and include the files sample1.jar and sample2.jar in the scan, send the following request:

java -jar vosp-api-wrapper-java{version}.jar -action uploadandscan -vid {Veracode_API_ID} -vkey {Veracode_API_key} -appname myapp -createprofile true -criticality VeryHigh -teams myteam -sandboxname mysandbox -createsandbox true -version {build_version} -scantimeout 30 -selectedpreviously true -filepath /{project_path}/ -include sample1.jar,sample2.jar

C# wrapper examples

Send the following request to:

Create an application profile named myapp with a Very High criticality that is visible to the team myteam.
Create a development sandbox scan named mysandbox that only includes modules selected in the previous scan.
Wait 30 minutes for the scan to complete.
Upload all files from the specified path.
Include all EXE files in the scan.

VeracodeC#API.exe -action uploadandscan -vid {Veracode_API_ID} -vkey {Veracode_API_key} -appname myapp -createprofile true -criticality VeryHigh -teams myteam -sandboxname mysandbox -createsandbox true -version {build_version} -selectedpreviously true -scantimeout 30 -filepath /{project_path}/ -include *.exe

To apply the same parameters from the previous example, but upload all folders and files from the specified path, and include the files sample1.dll and sample2.dll in the scan, send the following request:

VeracodeC#API.exe -action uploadandscan -vid {Veracode_API_ID} -vkey {Veracode_API_key} -appname myapp -createprofile true -criticality VeryHigh -teams myteam -sandboxname mysandbox -createsandbox true -version {build_version} -selectedpreviously true -scantimeout 30 -filepath /{project_path}/ -include sample1.dll,sample2.dll

To apply the same parameters from the previous example, but only upload and scan the file sample1.dll from the first path, upload all folders and files from the second path, and include files sample2.dll and sample3.pdb in the scan, send the following request:

VeracodeC#API.exe -action uploadandscan -vid {Veracode_API_ID} -vkey {Veracode_API_key} -appname myapp -createprofile true -criticality VeryHigh -teams myteam -version {build_version} -selectedpreviously true -scantimeout 30 -filepath /{project_path1}/sample1.dll -filepath /{project_path2}/ -include sample2.dll,sample3.pdb

Parameters​

uploadandscan examples​

Java wrapper examples​

C# wrapper examples​

Did you find this helpful?

Parameters

`uploadandscan` examples

Java wrapper examples

C# wrapper examples