Add a Jenkins Build Job for Static Analysis

You can configure a Jenkins build job in a freestyle or pipeline project to upload binaries to Veracode for Static Analysis. Your existing build process stays the same; you add a post-build action that carries the Veracode parameters.

Before You Begin

Note: The Veracode Jenkins Plugin only supports freestyle and pipeline projects.

Steps

  1. In the Jenkins left menu, click New Item.

  2. In the Enter an Item name field, enter a name for this new scan that you want to submit to Veracode.

  3. Select one of these options:

    • If you want to create a new project using the standard project types provided by Jenkins, select one of the available project types listed.
    • If you want to create a new project based on an existing project, in the Copy from input box, enter the name of an existing project you want to use as the model when you create the new item.

  4. Click OK.

  5. Click Advanced... to expand the Advanced Project Options.

  6. In the Post-build Actions section, from the Add post-build action dropdown menu, select Upload and Scan with Veracode.

  7. In the Application Name field, enter the name of the application you want Veracode to scan.

    To use the Jenkins project name as the application name, enter $projectname.

  8. If the application does not already exist in the Veracode Platform, but is a new application you want Jenkins to create, select the Create Application checkbox.

    Note: If you select this option, you must also provide the name of the team that is associated with the application.

  9. From the Business Criticality dropdown menu, select the level of criticality of this application.

  10. In the Sandbox Name field, enter the name of the sandbox in which you want to run the scan as a sandbox scan.

  11. If the sandbox does not already exist in the Veracode Platform, but is a new sandbox you want Jenkins to create, select the Create Sandbox checkbox.

  12. In the Scan Name field, enter a name for the static scan you want to submit to the Veracode Platform for this application.

    To use the Jenkins project build number as the scan name, enter $buildnumber. To use the date and time of the Jenkins build job submission as the scan name, enter $timestamp.

  13. In the Upload field, you can include and exclude filepath patterns of the files you want to upload and scan.

    Use a comma-separated list of ant-style include patterns relative to the job workspace project name. The project name is the one you entered in the Project name field. For a description of the ant-style pattern format, see https://ant.apache.org/manual/dirtasks.html.

    Note: Variable names are not accepted in the Upload field.

  14. In the Scan field, you can include and exclude filename patterns of the uploaded files you want to scan as top-level modules.

    Use a comma-separated list of ant-style include patterns with just the filenames of the files you have uploaded, not the filepaths.

    Note: Variable names are not accepted in the Scan field.

  15. You can rename the files you are uploading by entering the filename pattern of the uploaded files that you want to rename and clicking Save As. You must also enter the replacement filename pattern that represents the groups that the filename pattern captured.

  16. Select the Wait for scan to complete checkbox if you want the Jenkins job to wait for the Veracode scan to complete.

    Enter the maximum time in minutes that you want the Jenkins job to wait before skipping the Upload and Scan with Veracode action. Allow enough time for a typical scan of your application to complete. A Veracode policy scan fails, regardless of whether it completes or not, if it does not meet the requirements of the associated policy.

  17. If you provided Veracode credentials on the Manage Jenkins page and want to use them for this project, select the Use global Veracode API ID and key checkbox.

  18. In the Veracode Credentials section, enter your Veracode API credentials.

    If you have bound your Veracode API credentials, you can enter the environment variables for the API ID and key.

  19. Click Apply and Save.

  20. Go to the Jenkins project and click Build Now from the left menu.
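
The Upload and Scan fields in steps 13 and 14 take comma-separated Ant-style patterns. The following is an added example, not Veracode or plugin code, that previews which workspace files a pattern list selects, so you can confirm before a build that only the intended binaries are uploaded. It follows Ant's documented pattern rules; the function names, the sample workspace listing, and the handling of an empty include list are assumptions.

```python
import posixpath
import re

def ant_to_regex(pattern):
    """Compile one Ant-style pattern: '?' and '*' stay inside a path segment,
    a '**' segment spans zero or more directories."""
    pattern = pattern.strip().replace("\\", "/")
    if pattern.endswith("/"):              # Ant shorthand: "dir/" means "dir/**"
        pattern += "**"
    segments = pattern.split("/")
    parts = []
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        if seg == "**":
            parts.append(".*" if last else "(?:[^/]+/)*")
            continue
        body = "".join("[^/]*" if c == "*" else "[^/]" if c == "?"
                       else re.escape(c) for c in seg)
        parts.append(body if last else body + "/")
    return re.compile("".join(parts) + r"\Z")

def select(paths, includes, excludes=""):
    """Paths matched by the comma-separated include list and by no exclude.
    Assumption: an empty include list selects nothing."""
    def compile_list(csv):
        return [ant_to_regex(p) for p in csv.split(",") if p.strip()]
    inc, exc = compile_list(includes), compile_list(excludes)
    return [p for p in paths
            if any(r.match(p) for r in inc) and not any(r.match(p) for r in exc)]

def scan_modules(uploaded, includes, excludes=""):
    """Scan field: patterns are applied to bare filenames, not workspace paths."""
    return select([posixpath.basename(p) for p in uploaded], includes, excludes)

# Constructed workspace listing, relative to the job workspace.
WORKSPACE = [
    "target/app.war",
    "target/lib/util.jar",
    "target/test-classes/util-tests.jar",
    "config/deploy.properties",
    "src/main/java/App.java",
]

if __name__ == "__main__":
    uploaded = select(WORKSPACE, "target/**/*.war, target/**/*.jar",
                      "**/test-classes/**")
    print("upload:", uploaded)
    print("scan  :", scan_modules(uploaded, "*.war"))
```

The plugin's own matcher may differ in edge cases, so treat the output as a preview and compare it with the file list in the build's Console Output.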

Next Steps

You can monitor the progress of the Veracode job by selecting the build in the Jenkins left menu and clicking Console Output.