You can add the Pipeline Scan to a job in your development pipeline. You can use the provided code examples as templates for adding the Pipeline Scan as a stage in a pipeline job and configure the command parameters to achieve the desired scan results.
Before You Begin
Before running a Pipeline Scan, ensure you meet the prerequisites.
If you want to run a Pipeline Scan, try different commands, debug, or review scan results outside of a pipeline, you can Run a Pipeline Scan from the Command Line.
You can also run and manage scans using the Pipeline Scan API.
A Veracode account is limited to six Pipeline Scans per 60 seconds and each scan is limited to a maximum scan time of 60 minutes.
In your development pipeline, add or edit a job for the Pipeline Scan that runs after the stage for building your application.
Add the code for your CI/CD code repository to the Pipeline Scan stage.
For additional code examples or to ask questions, visit the Veracode Community.
In the Pipeline Scan job, include either the
pipeline-scan.jarfile you extracted from pipeline-scan-LATEST.zip or the Docker image.
Veracode recommends that you set the job to download
pipeline-scan-LATEST.zipor get the latest Docker image, each time the job runs, to ensure that you are using the latest version of the Pipeline Scan. Alternatively, you can cache
pipeline-scan-LATEST.ziplocally on your CI system and download it at regular intervals. The code examples include a step for downloading and extracting the latest version of the Pipeline Scan ZIP archive.
Edit the Pipeline Scan job to include the command parameters that meet the security-scanning requirements for your application.
The example configuration scenarios provide common configurations for specifying fail-build criteria, such as failing the pipeline on specific flaw severities or CWEs.
Run the pipeline to run the Pipeline Scan job.
The scan results provide a list of discovered flaws, if any, and a status code. If the Pipeline Scan finds any flaws, it returns the status code
>=1, or greater than or equal to 1, to indicate the number of flaws found and fails the pipeline job.
The Pipeline Scan saves the scan results to a build artifact, which is a JSON file named
results.json. You can rename the JSON file and you can also use it as a baseline file to set a baseline of discovered flaws for the scanned application.
- If you set a baseline file, store it in version control at the same level as the scanned application. Any changes to a baseline file can affect your security strategy. It is important that you version this file to ensure it contains the required baseline of findings for the given application. If necessary, you can revert to a previous version of the file.
- Review the scan results with your team to determine a mitigation plan for addressing the discovered flaws.