Integrate Static Analysis with the CLI

You can integrate the Veracode CLI with your CI/CD pipelines to identify security flaws as part of the software development process.

You add a job to your pipeline that runs the static scan command. This command causes the job to fail if the analysis finds flaws that match your specified criteria.

Getting started

Locate a project you want to scan and ensure it meets the packaging requirements. If you do not have a project to scan,
Veracode provides the demo applications VeraDemoDotNet and VeraDemo on GitHub that you can use for testing purposes.

To get started using static analysis scanning in a pipeline, follow these steps:

1. Get API credentials

Before using the following examples, the Veracode CLI requires you to have working API credentials. After generating credentials, you must configure them with the CLI. The examples below use environment variables, but you can use a configuration file as well. Veracode recommends that you store the credentials as secrets or masked variables depending on your CI/CD platform.

2. Build your code

Before you can scan, you must build and package your code. See the packaging requirements to determine the necessary steps. Then, in your pipeline, add a stage for the build process and pass the build artifacts to the scan job.

3. Scan your code

Before you can run a scan, you must install the Veracode CLI.

Then run a scan:

./veracode static scan <source> [flags]

You use flags to configure the scan. For example, you can add a flag to fail the job when the scan finds flaws. For the list of flags, see the static scan command.

Examples

The following examples show how to set up a static analysis scan job for common CI/CD platforms:

Azure DevOps

trigger:
  - main
pool:
  vmImage: "ubuntu-latest"
steps:
  - task: 
    # build here
  - task: CmdLine@2
    displayName: Veracode static scan
    inputs:
      script: |
        curl -fsS https://tools.veracode.com/veracode-cli/install | sh
        ./veracode static scan verademo.war
    env: 
      VERACODE_API_KEY_ID: $(myVeracodeId)
      VERACODE_API_KEY_SECRET: $(myVeracodeSecret)

GitHub

name: static-scan
on: push
jobs:
  build:
    # build here
  static-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Download Veracode CLI
        uses: wei/curl@master
        with:
          args: -fsS https://tools.veracode.com/veracode-cli/install | sh
      - name: Run a static scan
        run: ./veracode static scan verademo.war
        env:
          VERACODE_API_KEY_ID: ${{ secrets.myVeracodeId }}
          VERACODE_API_KEY_SECRET: ${{ secrets.myVeracodeSecret }}

GitLab

image: ubuntu-latest
stages:
  - build
  - scan
build_job:
  # build here
static_scan:
  stage: scan
  dependencies:
    - build_job
  script:
    - curl -fsS https://tools.veracode.com/veracode-cli/install | sh
    - ./veracode static scan verademo.war
  variables:
    VERACODE_API_KEY_ID: ${myVeracodeId}
    VERACODE_API_KEY_SECRET: ${myVeracodeSecret}

Jenkins

pipeline {
  agent { label <'ubuntu-latest'> }
  environment {
    VERACODE_API_KEY_ID = '${myVeracodeId}'
    VERACODE_API_KEY_SECRET = '${myVeracodeSecret}'
  }
  stages {
    stage('Build') {
      // build here
    }
    stage('Veracode static scan') {
      steps {
        sh 'curl -fsS https://tools.veracode.com/veracode-cli/install | sh'
        sh './veracode static scan verademo.war'
      }
    }
  }
}

Configure GitLab to generate issues

To use the --gl-issue-generation flag with the veracode static scan command to automatically generate issues in GitLab from discovered flaws, you must create a GitLab access token. For Java applications, you must also add environment variables in GitLab for the base directories.

Create an access token

To enable the Veracode CLI to generate GitLab issues from discovered flaws, create a GitLab access token and add it as an environment variable in your GitLab project.

To complete this task:

Select Edit Profile > Access Tokens > Create personal access token.
Ensure that the token has a scope of api. See the GitLab documentation.
Select Settings > CI/CD > Variables and store the token you created as an environment variable named PRIVATE_TOKEN.

Add environment variables for Java applications

To use the --gl-issue-generation flag to generate issues for Java applications, add environment variables for the GitLab base directories.

To complete this task:

In GitLab, go to your project and select Settings > CI/CD > Variables.
Add the following environment variables:
- SRC_ROOT: the filepath typically is /src/main/java/.
- JSP_ROOT: the filepath typically is /src/main/webapp/.

Add a `GITLAB_URL` variable for custom domains

To use the --gl-issue-generation flag with a custom domain, in your project, add a GITLAB_URL CI/CD variable for the base URL. For example:

GITLAB_URL=https://{CUSTOM_URL}/api/v4/projects/

The default value is https://gitlab.com/api/v4/projects/

Getting started​

1. Get API credentials​

2. Build your code​

3. Scan your code​

Examples​

Azure DevOps​

GitHub​

GitLab​

Jenkins​

Configure GitLab to generate issues​

Create an access token​

Add environment variables for Java applications​

Add a GITLAB_URL variable for custom domains​

Did you find this helpful?