Skip to main content

uploadandscan

The uploadandscan composite action enables you to upload files to Veracode for scanning.

The auto-scan option is always set to on with the uploadandscan call.

note

The Veracode XML APIs and the wrappers use a different syntax. For the wrappers, the parameter names omit the underscores, the parameter values omit spaces, and some parameters use different names. For example, the parameter app_id in the API is appid in the wrapper and the parameter value Very High in the API is VeryHigh in the wrapper. The parameter business_criticality in the API is criticality in the wrapper. The syntax is not interchangeable and using the wrong syntax causes your command to fail. To ensure you are using the correct syntax, see the documentation provided in the Help directory for each wrapper.

Parameters

NameTypeDescription
appname
Required
StringName of the Veracode application profile.
createprofile
Required
BooleanCreate a Veracode application profile, if one does not exist, for the specified application profile name. Set to true to create a profile. Set to false to not create a profile.
filepath
Required
StringFilepath or folderpath of the files you want to upload to Veracode for scanning. By default, the integration uploads all the subdirectories and files of this filepath. Ensure you have prepared the files according to the Packaging GuidanceVeracode Packaging Requirements.
version
Required
StringName or version of the build that you want to scan.
createsandboxBooleanFor development sandbox scans, create a sandbox for the specified Veracode application. Set to true to create a sandbox. Set to false to not create a sandbox.
criticalityStringOptional. Required if setting the createprofile parameter. The level of criticality of the scan: VeryHigh, High, Medium, Low, VeryLow
deleteincompletescan
Only available with the Veracode Java API wrapper.
IntegerAutomatically delete an incomplete scan based on its status to allow the uploadandscan action to continue processing. You can review the status of a scan in the wrapper logs.
To delete scans, you must have a user account with the Delete Scans role or an API service account with the Upload and Scan role.

One of these values:
  • 0: do not delete an incomplete scan when running the uploadandscan action. The default. If set, you must delete an incomplete scan manually to proceed with the uploadandscan action.
  • 1: delete a scan with a status of incomplete, no modules defined, failed, or canceled to proceed with the uploadandscan action. If errors occur when running this action, the Java wrapper automatically deletes the incomplete scan.
  • 2: delete a scan of any status except Results Ready to proceed with the uploadandscan action. If errors occur when running this action, the Java wrapper automatically deletes the incomplete scan.
excludeStringCase-sensitive, comma-separated list of module name patterns that represent the names of modules to not scan as top-level modules. The * wildcard matches 0 or more characters. The ? wildcard matches exactly one character.
includeStringCase-sensitive, comma-separated list of module name patterns that represent the names of modules to scan as top-level modules. The * wildcard matches 0 or more characters. The ? wildcard matches exactly one character.
lifecyclestageStringOne of these lifecycle stage values: NotSpecified, InDevelopmentPreAlpha, InternalOrAlphaTesting, ExternalOrBetaTesting, DeployedInProductionAndActivelyDeveloped, MaintenanceOnlyBugFixes, CannotDisclose
patternStringCase-sensitive filename pattern that represents the names of uploaded files to save with a different name. The * wildcard matches 0 or more characters. The ? wildcard matches exactly one character. Each wildcard corresponds to a numbered group that you can reference in the replacement pattern.
replacementStringReplacement pattern that references groups captured by the filename pattern. For example, if the filename pattern is --SNAPSHOT.war and the replacement pattern is $1-master-SNAPSHOT.war, an uploaded file named app-branch-SNAPSHOT.war is saved as app-master-SNAPSHOT.war.
sandboxidIntegerID of the sandbox in which to run the scan.
sandboxnameStringName of the sandbox in which to run the scan.
scanallnonfataltoplevelmodulesBooleanIf there are no fatal errors in the selected modules, this parameter does not have any effect. When set to true, if there are fatal errors in some of the selected modules, this parameter removes the errors from the selected modules and continues the scan of the nonfatal selected modules. When set to false, if there are fatal errors in some of the selected modules, this parameter stops the scan.
scanpollinginterval
Only available with the Veracode Java API wrapper.
IntegerInterval, in seconds, to poll for the status of a running scan. Value range is 30 to 120 (two minutes). Default is 120.
scantimeoutIntegerNumber of minutes to wait for the scan to complete and pass policy. If the scan does not complete or fails policy, the build fails.
selectedBooleanSet to true to scan the modules currently selected in the Veracode Platform.
selectedpreviouslyBooleanSet to true to scan only the modules selected in the previous scan.
teamsStringComma-separated list of team names associated with the specified application. Validates against the names of existing teams for this account.
toplevelBooleanWhen set to true, Veracode only scans the top-level modules in your files.Veracode recommends that you include this parameter if you want to ensure the scan completes even though there are non-fatal errors, such as unsupported frameworks.

Example Commands

Veracode recommends that you use an external Veracode API credentials file to provide your credentials to the Veracode API wrapper. When you use a Veracode API credentials file, you can omit the -vid and -vkey parameters for specifying your Veracode API credentials.

These example commands demonstrate using the uploadandscan action with the Java API wrapper. For the C# API wrapper, replace java -jar vosp-api-wrapper-java<version>.jar with VeracodeC#API.

Run this command to create an application and start a development sandbox scan:

java -jar vosp-api-wrapper-java<version>.jar -action uploadandscan -vid <Veracode API ID> -vkey <Veracode API key> -appname myapp -createprofile true -teams myteam -criticality VeryHigh -sandboxname mysandbox -createsandbox true -version <unique version> -filepath /workspace/myapp.jar

Run this command to create an application, start a development sandbox scan that only includes modules selected in the previous scan, and wait 30 minutes for the scan to complete:

java -jar vosp-api-wrapper-java<version>.jar -action uploadandscan -vid <Veracode API ID> -vkey <Veracode API key> -appname myapp -createprofile true -teams myteam -criticality VeryHigh -sandboxname mysandbox -createsandbox true -version <unique version> -scantimeout 30 -selectedpreviously true -filepath /workspace/myapp.jar