Integrate Static Analysis in your CI/CD with the Veracode CLI
You can integrate the Veracode CLI with your CI/CD pipelines to identify security flaws as part of the software development process.
You add a job to your pipeline that runs the static scan command. This command causes the job to fail if the analysis finds flaws that match your specified criteria.
Getting started
Locate a project you want to scan and ensure it meets the packaging requirements. If you do not have a project to scan, Veracode provides the demo applications VeraDemoDotNet and VeraDemo on GitHub that you can use for testing purposes.
To get started using static analysis scanning in a pipeline, follow these steps:
1. Get API credentials
Before using the following examples, the Veracode CLI requires you to have working Veracode API credentials. After generating credentials, you must configure them with the CLI. The examples below use environment variables, but you can use a configuration file as well. Veracode recommends that you store the credentials as secrets or masked variables depending on your CI/CD platform.
2. Build your code
Before scanning, you have to build and package your code. See the packaging requirements to determine the necessary steps. Then, in your pipeline, add a stage for the build process and pass the build artifacts to the scan job.
3. Scan your code
Before you can run a scan, you must install the CLI using this command:
curl -fsS https://tools.veracode.com/veracode-cli/install | sh
Then run a scan:
./veracode static scan <source>
This scan causes the job to fail if any flaws are found. The flaws that fail the job can be refined using flags. See the static scan page for information on how to use them.
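The three steps above combined into one reusable scan step, added here as an example (it is not part of Veracode's documentation or of the CLI). It assumes the build stage hands over a single packaged artifact whose path is the script's first argument; the file name veracode-scan.sh is hypothetical.

```shell
#!/bin/sh
# veracode-scan.sh (hypothetical name): one scan step usable from any of the pipelines below.
# Fails fast when a credential variable or the build artifact is missing, installs the CLI
# only when ./veracode is absent, then returns the CLI's own exit code so the job fails
# whenever the scan reports flaws that match the failure criteria.
set -eu

INSTALL_URL="https://tools.veracode.com/veracode-cli/install"

# 0 when both credential variables are set and non-empty, 1 otherwise.
# Only variable names are printed, never values, so secrets never reach the job log.
check_credentials() {
    missing=""
    [ -n "${VERACODE_API_KEY_ID:-}" ] || missing="$missing VERACODE_API_KEY_ID"
    [ -n "${VERACODE_API_KEY_SECRET:-}" ] || missing="$missing VERACODE_API_KEY_SECRET"
    if [ -n "$missing" ]; then
        echo "error: unset credential variable(s):$missing" >&2
        return 1
    fi
}

# 0 when the packaged artifact handed over by the build stage exists and is non-empty.
check_artifact() {
    if [ ! -s "$1" ]; then
        echo "error: build artifact '$1' not found or empty" >&2
        return 1
    fi
}

# Installs the CLI into the working directory unless a previous step already did so.
ensure_cli() {
    [ -x ./veracode ] || curl -fsS "$INSTALL_URL" | sh
}

# Runs all checks, then the scan. Under set -e a non-zero CLI exit code ends the job.
run_scan() {
    check_credentials
    check_artifact "$1"
    ensure_cli
    ./veracode static scan "$1"
}

# Invoked directly with the artifact path, e.g. ./veracode-scan.sh verademo.war
if [ -n "${1:-}" ]; then
    run_scan "$1"
fi
```

Checking the credential variables before the scan makes a misconfigured secret fail with a clear message instead of an authentication error part-way through the job.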
Examples
The following examples show how to set up a static analysis scan job for common CI/CD platforms:
Azure DevOps
trigger:
  - main
pool:
  vmImage: "ubuntu-latest"
steps:
  - task:
    # build here
  - task: CmdLine@2
    displayName: Veracode static scan
    inputs:
      script: |
        curl -fsS https://tools.veracode.com/veracode-cli/install | sh
        ./veracode static scan verademo.war
    env:
      VERACODE_API_KEY_ID: $(myVeracodeId)
      VERACODE_API_KEY_SECRET: $(myVeracodeSecret)
GitHub
name: static-scan
on: push
jobs:
  build:
    # build here
  static-scan:
    # Run after the build job so its packaged artifact is available to the scan
    needs: build
    runs-on: ubuntu-latest
    steps:
      - name: Download Veracode CLI
        uses: wei/curl@master
        with:
          args: -fsS https://tools.veracode.com/veracode-cli/install | sh
      - name: Run a static scan
        run: ./veracode static scan verademo.war
        env:
          VERACODE_API_KEY_ID: ${{ secrets.myVeracodeId }}
          VERACODE_API_KEY_SECRET: ${{ secrets.myVeracodeSecret }}
GitLab
# GitLab runs jobs in a container image, so use a Docker image tag here; the image must provide curl
image: ubuntu:latest
stages:
  - build
  - scan
build_job:
  # build here
static_scan:
  stage: scan
  dependencies:
    - build_job
  script:
    - curl -fsS https://tools.veracode.com/veracode-cli/install | sh
    - ./veracode static scan verademo.war
  variables:
    VERACODE_API_KEY_ID: ${myVeracodeId}
    VERACODE_API_KEY_SECRET: ${myVeracodeSecret}
Jenkins
pipeline {
    agent { label <'ubuntu-latest'> }
    environment {
        // Read the API credentials from the Jenkins credentials store; a single-quoted
        // Groovy string such as '${myVeracodeId}' would be passed to the scan literally.
        VERACODE_API_KEY_ID = credentials('myVeracodeId')
        VERACODE_API_KEY_SECRET = credentials('myVeracodeSecret')
    }
    stages {
        stage('Build') {
            // build here
        }
        stage('Veracode static scan') {
            steps {
                sh 'curl -fsS https://tools.veracode.com/veracode-cli/install | sh'
                sh './veracode static scan verademo.war'
            }
        }
    }
}