About auto-packaging
Veracode auto-packaging automates the process of packaging your projects for Static Analysis and Software Composition Analysis (SCA) upload and scan. By automating packaging, you can reduce the burden on your teams to correctly package projects manually, while also ensuring more accurate and consistent scan results.
How auto-packaging helps developers
- Saves time and effort, compared to manual packaging, by eliminating manual steps, such as gathering files and dependencies, configuring build settings, and packaging artifacts.
- Ensures a consistent build process across different environments and platforms. This reduces the risk of discrepancies or errors that can occur when developers manually change the build configurations or there are variations across the configurations.
- Reduces human errors that can occur when developers package projects manually. This improves the accuracy and reliability of the generated artifacts, which ensures that the Static Analysis results are accurate.
- Enables scalability by facilitating the rapid and efficient generation of artifacts for analysis across multiple code repositories, projects, or teams. This scalability is essential for organizations managing large and complex codebases.
- Reduces the time and resources developers spend securing their code, which allows them to focus on writing new code, implementing features, or addressing critical issues. Developers can increase their productivity and accelerate the time-to-market for software products and updates.
How auto-packaging works
The auto-packager runs on your repository to package your projects into artifacts (archive files) that you can upload to the Veracode Platform. To correctly package a project for Static Analysis or SCA upload and scan, the auto-packager automatically detects the required components and configurations for each supported language.
Packaged artifacts
The auto-packager packages your projects into archive files, such as ZIP, JAR, WAR, or EAR, called artifacts. During packaging, the auto-packager might create multiple intermediate artifacts that it includes in the final artifacts, for example, multiple DLL files inside a final ZIP file. The final artifacts are the complete, packaged archive files that you can upload to Veracode and scan separately.
The following table lists examples of the filename format of the final artifacts for each supported language.
Artifact language | Language tag | Language suffix tag | Example filename |
---|---|---|---|
.NET assemblies | dotnet | None | veracode-auto-pack-Web-dotnet.zip |
.NET with JavaScript | dotnet | js | veracode-auto-pack-Web-dotnet-js.zip |
Go | go | None | veracode-auto-pack-evil-app-go.zip |
iOS with Xarchive | ios | xcarchive | veracode-auto-pack-duckduckgo-ios-xcarchive.zip |
iOS with CocoaPods | ios | podfile | veracode-auto-pack-signal-ios-podfile.zip |
Java with Gradle | None | None | Defined by your build.gradle file. |
Java with Maven | None | None | Defined by your pom.xml file. |
JavaScript | js | None | veracode-auto-pack-NodeGoat-js.zip |
Kotlin | None | None | The filenames of Java artifacts are defined by your build.gradle file. |
PHP | php | None | veracode-auto-pack-captainhook-php.zip |
Python | python | None | veracode-auto-pack-dvsa-python.zip |
Ruby | ruby | None | veracode-auto-pack-railsgoat-ruby.zip |
Scala | None | None | The filenames of Java artifacts are defined by your SBT build properties. |
Account requirements
To use the auto-packager, you do not need a Veracode account.
Supported integrations
Auto-packaging is integrated with the following products:
- Veracode CLI to integrate auto-packaging in your development environment.
- Veracode GitHub Workflow Integration to automate repo scanning with GitHub Actions. In this integration, the auto-packager only supports Java projects.
- Veracode Scan for VS Code to auto-package applications, scan, and remediate findings in your IDE.
Integrate auto-packaging
You can integrate the auto-packager with your local build environment or CI/CD. For example, to add auto-packaging to your build pipelines, you could add the CLI command `veracode package` to your development toolchains or build scripts.
You might need to install one or more of the following tools in your environment:
- A build automation tool that defines build scripts or configurations that specify how to manage dependencies, compile source code, and package code as artifacts.
- A dependency management system to effectively handle project dependencies.
- A compiler that builds source code into executable code.
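One way to wire the packager into a pipeline step and gate on its output, as an added example that is not Veracode's own code: the script runs `veracode package` with the flags shown on this page and then checks that each final artifact in the output directory follows the `veracode-auto-pack-<project>-<language tag>[-<suffix tag>].zip` scheme from the artifact table (JAR/WAR/EAR names come from the Java build tool and are only listed). It assumes the `veracode` CLI is on your PATH; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Veracode's code): run the auto-packager in a CI step and
# validate the artifact names against the table on this page.
# Assumptions: `veracode` is on PATH; only the --source, --output and --trust
# flags shown on this page are used; the function names are hypothetical.
set -eu

# Language tags and suffix tags taken from the artifact table.
lang_tags="dotnet go ios js php python ruby"
suffix_tags="js xcarchive podfile"

# in_list WORD "LIST": succeeds when WORD is one of the space-separated LIST items.
in_list() {
  for w in $2; do
    if [ "$w" = "$1" ]; then return 0; fi
  done
  return 1
}

# parse_artifact_name FILE: prints "PROJECT LANG SUFFIX" (SUFFIX is "None" when
# absent) or fails when the name does not follow the auto-packager scheme.
parse_artifact_name() {
  name=$(basename "$1")
  case "$name" in
    veracode-auto-pack-*.zip) ;;
    *) return 1 ;;
  esac
  body=${name#veracode-auto-pack-}   # strip the fixed prefix
  body=${body%.zip}                  # and the archive extension
  last=${body##*-}                   # final dash-separated token
  rest=${body%-*}                    # everything before it
  if [ "$rest" = "$body" ]; then return 1; fi   # no tag at all
  prev=${rest##*-}
  # A trailing suffix tag only counts when a language tag precedes it, so
  # "NodeGoat-js" is JavaScript while "Web-dotnet-js" is .NET with JavaScript.
  if in_list "$last" "$suffix_tags" && [ "$prev" != "$rest" ] && in_list "$prev" "$lang_tags"; then
    echo "${rest%-*} $prev $last"
  elif in_list "$last" "$lang_tags"; then
    echo "$rest $last None"
  else
    return 1
  fi
}

# check_output_dir DIR: prints one line per artifact; fails when DIR holds no
# artifact, or holds a ZIP whose name the packager scheme does not explain.
# JAR/WAR/EAR names come from the Java build tool, so they are listed, not parsed.
check_output_dir() {
  found=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    found=$((found + 1))
    case "$f" in
      *.jar|*.war|*.ear) echo "build-tool artifact: $(basename "$f")" ;;
      *) parse_artifact_name "$f" || { echo "unexpected artifact: $(basename "$f")" >&2; return 1; } ;;
    esac
  done
  [ "$found" -gt 0 ]
}

# Pipeline usage: `sh check-artifacts.sh run path/to/project`. The step is
# skipped when the CLI is not installed, so the functions can still be sourced.
if [ "${1:-}" = "run" ] && command -v veracode >/dev/null 2>&1; then
  veracode package --source "${2:-.}" --output verascan --trust
  check_output_dir verascan
fi
```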
Supported languages
If the auto-packager does not support specific versions, or it relies on a version supported by your package manager, the Versions column shows Not applicable.
Language | Versions | Package managers |
---|---|---|
.NET | .NET 6, 7, or 8. Not supported: MAUI and .NET Framework | All |
Go | 1.14 - 1.22 | Go Modules |
iOS | Not applicable | All |
Java (select from the Package managers column) | A JDK version that you have tested to build your project. | Gradle, Maven |
JavaScript and TypeScript | Not applicable | NPM, Yarn |
Kotlin | A JDK version that you have tested to build your project. | Gradle, Maven |
PHP | Not applicable | Composer |
Python | Not applicable | Pip, Pipenv, setuptools, virtualenv |
Ruby on Rails | Ruby 2.4 or greater | Bundler |
Scala | A JDK version that you have tested to build your project. | Gradle, Maven, sbt |
About the examples
Under each supported language, the Veracode CLI commands and output examples demonstrate the packaging process when you run the `veracode package` command. You can use the auto-packager with various integrations, but the CLI output examples help you visualize the packaging process. All examples assume the location of the CLI executable is in your PATH. You might see different output in your environment.
.NET
Requirements
Before you can run the auto-packager, you must meet the following requirements:
- Your environment must have:
  - A supported version of .NET.
  - A PATH environment variable that points to the `dotnet` or `msbuild` command.
- Your projects must:
  - Contain at least one syntactically correct `.csproj` file.
  - Compile successfully without errors.
Example
The auto-packager completes the following steps, as shown in the example command output.
- Recursively searches your repo for all `.csproj` submodules.
- To publish the project, runs the following command:
  dotnet publish -c Debug -p:UseAppHost=false -p:SatelliteResourceLanguages='en' -p:WasmEnableWebcil=false -p:BlazorEnableCompression=false
- Filters out any test projects.
- Packages the published project and saves the artifacts of your packaged project in the specified `--output` location.
veracode package --source path/to/project/bobs-used-bookstore-sample --output verascan --trust
Packager initiated...
Verifying source project language ...
Packaging DOTNET artifacts for DotNetPackager project 'Bookstore.Data'. Publish successful.
Packaging DOTNET artifacts for DotNetPackager project 'Bookstore.Web'. Publish successful.
Project Bookstore.Web zipped and saved to: path\to\verascan\veracode-auto-pack-Bookstore.Web-dotnet.zip
DotNet project Bookstore.Web JavaScript packaged to: path\to\verascan\veracode-auto-pack-Bookstore.Web-dotnet-js.zip
Packaging DOTNET artifacts for DotNetPackager project 'Bookstore.Cdk'. Publish successful.
Project Bookstore.Cdk zipped and saved to: path\to\verascan\veracode-auto-pack-Bookstore.Cdk-dotnet.zip
Packaging DOTNET artifacts for DotNetPackager project 'Bookstore.Domain'. Publish successful.
Successfully created 3 artifact(s).
Created DotNet artifacts for DotNetPackager project.
Total time taken to complete command: 11.656s
Go
Requirements
Before you can run the auto-packager, you must meet the following requirements:
- Your environment must have a supported version of Go.
- Your projects must:
  - Support Go Modules.
  - Contain a `go.sum` file and a `go.mod` file.
  - Compile successfully without errors.
Example
The auto-packager completes the following steps, as shown in the example command output.
- To build and package a project, including the source code and the `vendor` folder, runs the command `go mod vendor`.
- Copies the artifacts of your packaged project to the specified `--output` location.
veracode package --source path/to/project/sftpgo --output verascan --trust
Packager initiated...
Verifying source project language ...
Packaging GO artifacts for GoModulesPackager project 'ldapauthserver'. go mod vendor successful.
Go project ldapauthserver packaged to: path/to/verascan/veracode-auto-pack-ldapauthserver-go.zip
Packaging GO artifacts for GoModulesPackager project 'ldapauth'. go mod vendor successful.
Go project ldapauth packaged to: path/to/verascan/veracode-auto-pack-ldapauth-go.zip
Packaging GO artifacts for GoModulesPackager project 'eventsearcher'. go mod vendor successful.
Go project eventsearcher packaged to: path/to/verascan/veracode-auto-pack-eventsearcher-go.zip
Packaging GO artifacts for GoModulesPackager project 'sftpgo-main'. go mod vendor successful.
Go project sftpgo-main packaged to: path/to/verascan/veracode-auto-pack-sftpgo-main-go.zip
Packaging GO artifacts for GoModulesPackager project 'ipfilter'. go mod vendor successful.
Go project ipfilter packaged to: path/to/verascan//veracode-auto-pack-ipfilter-go.zip
Successfully created 5 artifact(s).
Created GoLang artifacts for GoModulesPackager project.
Total time taken to complete command: 22.776s
iOS
Requirements
Before you can run the auto-packager, you must meet the following requirements:
- Your environment must have:
  - Xcode and the xcodebuild command-line tool installed.
  - gen-ir installed. For example:
    # Add the brew tap to your local machine
    brew tap veracode/tap
    # Install the tool
    brew install gen-ir
  - pod installed, if your projects use CocoaPods or third-party tools.
- Your projects must compile successfully without errors.
Example
The auto-packager completes the following steps, as shown in the example command output.
- Checks that the `podfile` or `podfile.lock` files are present.
- Runs the command `pod install`.
- Checks that the `.xcworkspace` or `.xcodeproj` files are present.
- To build and package the project, runs:
  xcodebuild clean archive -PROJECT/WORKSPACE filePath -scheme SRCCLR_IOS_SCHEME -destination SRCCLR_IOS_DESTINATION -configuration SRCCLR_IOS_CONFIGURATION -archivePath projectName.xcarchive DEBUG_INFORMATION_FORMAT=dwarf-with-dsym ENABLE_BITCODE=NO
  The `SRCCLR` values are optional environment variables you can use to customize the `xcodebuild archive` command.
- Runs `gen-ir` on the artifact of your packaged project and the log files.
- Saves the artifact in the specified `--output` location.
veracode package --source https://github.com/signalapp/Signal-iOS --type repo --output verascan --trust
Packager initiated...
Verifying source project language ...
Packaging iOS artifacts for IOSPackager project 'MyProject'.
iOS Project MyProject zipped and saved to: path/to/verascan/veracode-auto-pack-MyProject-ios-xcarchive.zip
Successfully created 1 artifact(s).
Created IOS artifacts for IOSPackager project.
Total time taken to complete command: 9.001s
Java with Gradle
Requirements
Before you can run the auto-packager, you must meet the following requirements:
- Your environment must have:
  - A JDK version that you tested to successfully compile your application.
  - Access to a `gradlew` command that points to the correct `JAVA_HOME` directory. If `gradlew` is not available, ensure the correct Gradle version is installed.
- Your projects must:
  - Have the correct `build.gradle` file.
  - Compile successfully without errors.
Example
The auto-packager completes the following steps, as shown in the example command output.
- To build the Gradle project and package it as a JAR file, runs the command `gradlew clean build -x test`.
- Copies the artifact of your packaged project to the specified `--output` location.
veracode package --source path/to/project/example-java-gradle --output verascan --trust
Packager initiated...
Verifying source project language ...
Copying Java artifacts for GradlePackager project.
Copied artifact: path/to/verascan/example-java-gradle-1.0-SNAPSHOT.jar.
Successfully created 1 artifact(s).
Created Java artifacts for GradlePackager project.
Total time taken to complete command: 7.174s
Java with Maven
Requirements
Before you can run the auto-packager, you must meet the following requirements:
- Your environment must have:
  - A JDK version that you tested to successfully compile your application.
  - Access to a `mvn` command that points to the correct `JAVA_HOME` directory.
- Your projects must:
  - Have the correct `pom.xml` file.
  - Compile successfully without errors.
Example
The auto-packager completes the following steps, as shown in the example command output.
- To build and package the Maven project, runs the command `mvn clean package`.
- Copies the artifact (such as a JAR, WAR, or EAR) of your packaged project to the specified `--output` location.
veracode package --source path/to/project/example-java-maven --output verascan --trust
Packager initiated...
Verifying source project language ...
Copying Java artifacts for Maven project.
Copied artifact: path/to/verascan/example-java-maven-1.0-SNAPSHOT.jar.
Successfully created 1 artifact(s).
Created Java artifacts for Maven project.
Total time taken to complete command: 6.799s
JavaScript and TypeScript
Requirements
Before you can run the auto-packager, you must meet the following requirements:
- Your environment must have:
  - The NPM or Yarn package manager installed.
  - The correct Node, NPM, or Yarn version to package the project.
- Your projects must:
  - Be able to resolve all dependencies with the commands `npm install` or `yarn install`.
  - Have the correct `package.json` file.
  - Compile successfully without errors.
Example
The auto-packager completes the following steps, as shown in the example command output.
- To build and package the project, runs one of the following commands:
  - For NPM, runs the command `npm install`.
  - For Yarn, runs the command `yarn install`.
- Copies the artifact of your packaged project to the specified `--output` location.
veracode package --source path/to/project/example-javascript --output verascan --trust
Packager initiated...
Verifying source project language ...
Packaging Javascript artifacts for NPM project.
Project example-javascript packaged to path/to/verascan/veracode-auto-pack-example-javascript-js.zip.
Successfully created 1 artifact(s).
Created Javascript artifacts for NPM project.
Total time taken to complete command: 3.296s
Kotlin
Requirements
Before you can run the auto-packager, you must meet the following requirements:
- Your environment must have:
  - The correct Kotlin version for your projects.
  - The Maven or Gradle package manager installed.
  - A Java version that your package manager requires.
- Your projects must:
  - Have the correct `pom.xml`, `build.gradle`, or `build.gradle.kts` file.
  - Compile successfully without errors.
Example
The auto-packager completes the following steps, as shown in the example command output.
- Verifies that your project language is supported.
- Uses Gradle to build and package the project.
- Copies the artifacts of your packaged project to the specified `--output` location.
veracode package --source path/to/project/kotlin-server-side-sample/gradle --output verascan --trust
Packager initiated...
Verifying source project language ...
Copying Java artifacts for GradlePackager project.
Copied artifact: path/to/verascan/demo-0.0.1-SNAPSHOT-plain.jar.
Copied artifact: path/to/verascan/demo-0.0.1-SNAPSHOT.jar.
Successfully created 2 artifact(s).
Created Java artifacts for GradlePackager project.
Total time taken to complete command: 8.632s
PHP
Requirements
Before you can run the auto-packager, you must meet the following requirements:
- Your environment must have:
  - The correct PHP version for your projects.
  - The Composer dependency manager installed.
- Your projects must:
  - Have the correct PHP `composer.json` file.
  - Compile successfully without errors.
Example
The auto-packager completes the following steps, as shown in the example command output.
- To build and package the project source code and lock file with Composer, runs the command
composer install
. - Saves the artifacts of your packaged project in the specified
--output
location.
veracode package --source path/to/project/example-php --output verascan --trust
Packager initiated...
Validating output path ...
Packaging PHP artifacts for Composer project.
Project captainhook zipped and saved to path/to/verascan/veracode-auto-pack-captainhook-php.zip.
Packaging PHP artifacts for Composer project.
Project template-integration zipped and saved to path/to/verascan/veracode-auto-pack-template-integration-php.zip.
Successfully created 2 artifact(s).
Created PHP artifacts for Composer project.
Total time taken to complete command: 3.62s
Python
Requirements
Before you can run the auto-packager, you must meet the following requirements:
- Your environment must have:
  - The correct pip and Python (or pyenv) versions for packaging your project installed.
- A package manager configuration file with the required settings to resolve all dependencies.
- Your projects must compile successfully without errors.
Example
The auto-packager completes the following steps, as shown in the example command output.
- To resolve all third-party dependencies and generate the lock file, runs the pip install command `pip install -r requirements.txt`.
- Packages the project source code, lock file, and `vendor` folder.
- Saves the artifact of your packaged project to the specified `--output` location.
veracode package --source path/to/project/example-python --output verascan --trust
Packager initiated...
Verifying source project language ...
Packaging Python artifacts for PIP project.
Project example-python zipped and saved to path/to/verascan/veracode-auto-pack-example-python-python.zip.
Successfully created 1 artifact(s).
Created Python artifacts for PIP project.
Total time taken to complete command: 14.359s
Ruby on Rails
Requirements
Before you can run the auto-packager, you must meet the following requirements:
- Your environment must have:
  - The Bundler package manager installed with the correct Ruby version.
  - The Veracode packager gemfile installed. This gemfile handles pre-processing of Rails projects for Static Analysis.
  - The ability to run the command `bundle install`.
- Your projects must compile successfully without errors.
Optionally, to test your configured environment, run the command `rails server`.
Example
The auto-packager completes the following steps, as shown in the example command output.
- To configure the `vendor` path, runs the command `bundle config --local path vendor`.
- Runs `bundle install` without the `development` and `test` groups: `bundle install --without development test`.
- To check for the Rails installation, runs the command `bundle info rails`. If Rails is not installed, the auto-packager assumes it is not a Rails project and exits.
- To install the Veracode packager gem, runs the command `bundle add veracode`.
- To package your project using the Veracode packager gem, runs the command `bundle exec veracode`.
- Saves the artifact of your packaged project to the specified `--output` location.
veracode package --source path/to/project/rails --output verascan --trust
Packager initialized...
Verifying source project language ...
Packaging Ruby artifacts for RubyPackager project 'veracode-rails-20240321225855.zip'.
ArtifactPath: /rails/tmp/veracode-rails-20240321225855.zip
ValidatedSource: /rails
ValidatedOutput: /rails/verascan
Project name: rails
44824469 bytes written to destination file. Path: /rails/verascan/rails.zip
temporary zip file deleted. Path: /rails/tmp/veracode-rails-20240321225855.zip
Successfully created 1 artifact(s).
Created Ruby artifacts for RubyPackager project.
Total time taken to complete command: 1m27.428s
Scala
Requirements
Before you can run the auto-packager, you must meet the following requirements:
- Your environment must have:
  - A JDK version that you have tested to successfully package your application.
  - The Maven, Gradle, or sbt package manager installed with the correct Java version.
- Your projects must:
  - Have the correct `pom.xml`, `build.gradle`, or `build.sbt` file.
  - Compile successfully without errors.
Example
The auto-packager completes the following steps, as shown in the example command output.
- Runs the sbt assembly command `sbt clean assembly`. This command helps create a JAR file that includes the dependencies of non-Spring projects, which improves SCA scanning.
- If sbt assembly fails, runs the sbt package command `sbt clean package`.
- Copies the artifacts of your packaged application to the specified `--output` location.
veracode package --source path/to/project/packSample/zio-quill --output verascan --trust
Packager initiated...
Verifying source project language ...
Copying Java artifacts for SbtPackager project.
Copied artifact: path/to/verascan/quill-cassandra_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-cassandra-monix_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-cassandra-pekko_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-cassandra-zio_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-codegen_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-codegen-jdbc_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-codegen-tests_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-core_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-doobie_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-engine_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-jdbc_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-jdbc-monix_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-jdbc-test-h2_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-jdbc-test-mysql_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-jdbc-test-oracle_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-jdbc-test-postgres_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-jdbc-test-sqlite_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-jdbc-test-sqlserver_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-jdbc-zio_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-monix_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-orientdb_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-spark_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-sql_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-sql-test_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-util_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill-zio_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/quill_2.13-4.8.2+3-d2965801-SNAPSHOT.jar.
Copied artifact: path/to/verascan/zio-quill-docs_2.12-4.8.2+3-d2965801-SNAPSHOT.jar.
Successfully created 28 artifact(s).
Created Java artifacts for SbtPackager project.
Total time taken to complete command: 45.428s