Configure an AWS CodeBuild Project for Veracode Static Analysis

Build and Release Management

You configure a new or existing build project in AWS CodeBuild that includes the Veracode Java API wrapper, your Veracode API credentials, and the Veracode API commands to call for performing static analysis. You add the build project to a pipeline stage in CodePipeline for analyzing the build output from your application build stage.

Before You Begin

Overview

This procedure applies to both new and existing build projects. For a new project, you complete each section on the Create build project page, then click Create build project to save the configuration and build the project. For an existing project, you edit each pre-configured section on a separate page, then click Update after completing your edits.

Steps

  1. In AWS, create or edit a build project to use for static analysis.

  2. In the build project, configure the Project configuration and Source sections for your development environment.

  3. In the Environment section, under Environment image, reference the Veracode Java API wrapper Docker image.

  4. Expand Additional configuration.

  5. In the Environment variables section, add environment variables for the API ID and API key for your Veracode API credentials.

    For example, you could enter a VID variable for the API ID and a VKEY variable for the API key. The values specify the location of the actual API ID and API key rather than the secrets themselves. If your credentials are stored in the AWS Systems Manager Parameter Store, select the Parameter type for both variables. If your credentials are stored in AWS Secrets Manager, set the type to Secrets Manager.

  6. In the Buildspec section, enter the Java API wrapper commands. For example:

    java -jar /opt/veracode/api-wrapper.jar -action uploadandscan -vid $VID -vkey $VKEY -appname verademo-java -createprofile false -version $(date +%Y-%m-%d-%H:%M) -filepath target/verademo.war -sandboxname aws-codebuild -createsandbox true
    
    This example command references the API wrapper JAR file, which is located in the /opt/veracode directory of the Docker image, and runs the uploadandscan action against a development sandbox. The values for the -vid and -vkey parameters are the VID and VKEY environment variables defined in the Environment variables section, so the credentials themselves never appear in the command.

    Note: To ensure your Veracode API credentials are stored securely, Veracode recommends that you do not store them in the build specification as plain text.

  7. Optionally, in the Logs section, select to upload the build logs to CloudWatch or S3. The logs include build output for the API wrapper, which you can view in the build history for troubleshooting purposes.

  8. Build your project to ensure it is configured correctly.

  9. Review the build log and resolve any build errors.
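
The following buildspec is an added example for step 6, not a buildspec taken from Veracode's documentation or from the verademo project. It assumes the wrapper JAR path /opt/veracode/api-wrapper.jar and the WAR path target/verademo.war from the command above; the Parameter Store names /veracode/api-id and /veracode/api-key, and the commented Secrets Manager secret name and JSON keys, are placeholders you replace with your own.

```yaml
version: 0.2

env:
  # Placeholder parameter names (assumed for this example): point them at the
  # Systems Manager parameters that hold your Veracode API ID and API key.
  # CodeBuild resolves them into VID and VKEY at runtime, so the secrets
  # never appear in the buildspec itself.
  parameter-store:
    VID: "/veracode/api-id"
    VKEY: "/veracode/api-key"
  # Alternative when the credentials live in AWS Secrets Manager instead
  # (secret name and JSON keys below are assumed placeholders):
  # secrets-manager:
  #   VID: "veracode/api-credentials:api_id"
  #   VKEY: "veracode/api-credentials:api_key"

phases:
  pre_build:
    commands:
      # Fail fast if a credential variable did not resolve, so a mistyped
      # parameter name shows up here instead of as an authentication error
      # buried in the wrapper output.
      - '[ -n "$VID" ] && [ -n "$VKEY" ] || { echo "VID or VKEY is empty"; exit 1; }'
      # Confirm the build output from the previous pipeline stage is present.
      - '[ -f target/verademo.war ] || { echo "target/verademo.war not found"; exit 1; }'
  build:
    commands:
      # Upload the WAR and start a static scan in a development sandbox.
      # A non-zero exit from the wrapper fails the build, which stops the
      # pipeline at this stage.
      - >-
        java -jar /opt/veracode/api-wrapper.jar
        -action uploadandscan
        -vid "$VID" -vkey "$VKEY"
        -appname verademo-java
        -createprofile false
        -version "$(date +%Y-%m-%d-%H:%M)"
        -filepath target/verademo.war
        -sandboxname aws-codebuild
        -createsandbox true
```

You can paste this into the Buildspec section as an inline buildspec, or commit it as buildspec.yml in the source the build project reads. If you use the inline form, the VID and VKEY entries in the Environment variables section (step 5) and the env block here must not disagree on where the credentials come from.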

Next Steps

Add this build project to a new or existing stage in a new or existing pipeline. In the pipeline, the stage to which you add this build project must run after the stage that builds your application.