You configure a new or existing build project in AWS CodeBuild that includes the Veracode Java API wrapper, your Veracode API credentials, and the Veracode API commands to call for performing static analysis. You add the build project to a pipeline stage in CodePipeline for analyzing the build output from your application build stage.
This procedure applies to both new and existing build projects. For a new project, you complete each section on the Create build project page, then select Create build project to save the configuration and build the project. For an existing project, you edit each pre-configured section on a separate page, then click Update after completing your edits.
Before you begin:
- You have generated Veracode API credentials.
- Your Veracode API credentials are stored securely using AWS Systems Manager Parameter Store or AWS Secrets Manager.
- If you are performing static analysis using a development sandbox, you have configured the sandbox you want to use.
- You have compiled and packaged your application source files according to the packaging requirements.
- You have access to the Veracode Java API wrapper Docker image.
To complete this task:
In AWS, create or edit a build project to use for static analysis.
In the build project, configure the Project configuration and Source sections for your development environment.
In the Environment section, under Environment image, reference the Veracode Java API wrapper Docker image.
Expand Additional configuration.
In the Environment variables section, add environment variables for the API ID and API key for your Veracode API credentials.
For example, you could enter a VID variable for the API ID and a VKEY variable for the API key. The values specify the location of the actual API ID and API key. If your credentials are stored in the AWS Systems Manager Parameter Store, select the Parameter type for both variables. If your credentials are stored in AWS Secrets Manager, set the type to Secrets Manager.
In the Buildspec section, enter the Java API wrapper commands. For example:
java -jar /opt/veracode/api-wrapper.jar -action uploadandscan -vid $VID -vkey $VKEY -appname verademo-java -createprofile false -version $(date +%Y-%m-%d-%H:%M) -filepath target/verademo.war -sandboxname aws-codebuild -createsandbox true
This example command references the API wrapper JAR file, which is contained in a veracode directory in the Docker image, and calls the uploadandscan call in a development sandbox. The values for the -vid and -vkey parameters are the VID and VKEY environment variable names defined in the Environment variables section.
Note: To ensure your Veracode API credentials are stored securely, Veracode recommends that you do not store them in the build specification as plain text.
Optionally, in the Logs section, select to upload the build logs to CloudWatch or S3. The logs include build output for the API wrapper, which you can view in the build history for troubleshooting purposes.
Build your project to ensure it is configured correctly.
Review the build log and resolve any build errors.
Add this build project to a new or existing stage in a new or existing pipeline. In the pipeline, the stage to which you add this build project must run after the stage that builds your application.
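The environment variable and Buildspec steps above can also be expressed in a single buildspec.yml file. The following is an added example, not taken from the Veracode documentation; the parameter paths and secret names are constructed placeholders, and the wrapper command is the one shown in the procedure.

```yaml
# Added example buildspec.yml. All parameter and secret names are placeholders.
version: 0.2

env:
  # Option A: credentials held in AWS Systems Manager Parameter Store.
  # CodeBuild resolves each name at build start and exports it as VID / VKEY.
  parameter-store:
    VID: /example/veracode/api-id
    VKEY: /example/veracode/api-key

  # Option B: credentials held in AWS Secrets Manager.
  # Value format is <secret-id>:<json-key>. Use A or B for a variable, not both.
  # secrets-manager:
  #   VID: example/veracode-api:api_id
  #   VKEY: example/veracode-api:api_key

  # Avoid: a literal under "variables" keeps the key in the build
  # specification as plain text, visible to anyone who can read the project.
  # variables:
  #   VKEY: "<api-key-in-plain-text>"

phases:
  build:
    commands:
      # Same uploadandscan call as in the procedure, referencing only the
      # variable names so no credential value appears in this file.
      - >-
        java -jar /opt/veracode/api-wrapper.jar
        -action uploadandscan
        -vid "$VID" -vkey "$VKEY"
        -appname verademo-java
        -createprofile false
        -version "$(date +%Y-%m-%d-%H:%M)"
        -filepath target/verademo.war
        -sandboxname aws-codebuild
        -createsandbox true
```

The CodeBuild service role needs read permission on the referenced parameters or secret (ssm:GetParameters or secretsmanager:GetSecretValue); scope that permission to these specific resources only.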