Integrate Static Analysis in your CI/CD with the Veracode CLI

You can integrate the Veracode CLI with your CI/CD pipelines to identify security flaws as part of the software development process.

You add a job to your pipeline that runs the static scan command. This command causes the job to fail if the analysis finds flaws that match your specified criteria.

Getting started

Locate a project you want to scan and ensure it meets the packaging requirements. If you do not have a project to scan,
Veracode provides the demo applications VeraDemoDotNet and VeraDemo on GitHub that you can use for testing purposes.

To get started using static analysis scanning in a pipeline, follow these steps:

1. Get API credentials

Before using the following examples, the Veracode CLI requires you to have working Veracode API credentials. After generating credentials, you must configure them with the CLI. The examples below use environment variables, but you can use a configuration file as well. Veracode recommends that you store the credentials as secrets or masked variables depending on your CI/CD platform.

2. Build your code

Before scanning, you have to build and package your code. See the packaging requirements to determine the necessary steps. Then, in your pipeline, add a stage for the build process and pass the build artifacts to the scan job.

3. Scan your code

Before you can run a scan, you must install the CLI using this command:

curl -fsS https://tools.veracode.com/veracode-cli/install | sh

Then run a scan:

./veracode static scan <source>

This scan causes the job to fail if any flaws are found. The flaws that fail the job can be refined using flags. See the static scan page for information on how to use them.

Examples

The following examples show how to set up a static analysis scan job for common CI/CD platforms:

Azure DevOps

trigger:
  - main
pool:
  vmImage: "ubuntu-latest"
steps:
  - task: 
    # build here
  - task: CmdLine@2
    displayName: Veracode static scan
    inputs:
      script: |
        curl -fsS https://tools.veracode.com/veracode-cli/install | sh
        ./veracode static scan verademo.war
    env: 
      VERACODE_API_KEY_ID: $(myVeracodeId)
      VERACODE_API_KEY_SECRET: $(myVeracodeSecret)

GitHub

name: static-scan
on: push
jobs:
  build:
    # build here
  static-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Download Veracode CLI
        uses: wei/curl@master
        with:
          args: -fsS https://tools.veracode.com/veracode-cli/install | sh
      - name: Run a static scan
        run: ./veracode static scan verademo.war
        env:
          VERACODE_API_KEY_ID: ${{ secrets.myVeracodeId }}
          VERACODE_API_KEY_SECRET: ${{ secrets.myVeracodeSecret }}

GitLab

image: ubuntu-latest
stages:
  - build
  - scan
build_job:
  # build here
static_scan:
  stage: scan
  dependencies:
    - build_job
  script:
    - curl -fsS https://tools.veracode.com/veracode-cli/install | sh
    - ./veracode static scan verademo.war
  variables:
    VERACODE_API_KEY_ID: ${myVeracodeId}
    VERACODE_API_KEY_SECRET: ${myVeracodeSecret}

Jenkins

pipeline {
  agent { label <'ubuntu-latest'> }
  environment {
    VERACODE_API_KEY_ID = '${myVeracodeId}'
    VERACODE_API_KEY_SECRET = '${myVeracodeSecret}'
  }
  stages {
    stage('Build') {
      // build here
    }
    stage('Veracode static scan') {
      steps {
        sh 'curl -fsS https://tools.veracode.com/veracode-cli/install | sh'
        sh './veracode static scan verademo.war'
      }
    }
  }
}

Getting started​

1. Get API credentials​

2. Build your code​

3. Scan your code​

Examples​

Azure DevOps​

GitHub​

GitLab​

Jenkins​