Pipeline Scan Example for Using GitLab and Gradle with Automatic Vulnerability Generation

Pipeline Scan

This example YAML code shows how to add a Pipeline Scan and automatic vulnerability generation as a build stage in a GitLab build pipeline using Gradle. Automatic vulnerability generation requires a GitLab Gold or Ultimate license.

Note: Before you can use the --gl_issue_generation parameter in a Pipeline Scan, you must create a GitLab access token. If you want to use this parameter when scanning Java applications, you must also configure environment variables to set GitLab base directories. You can use any GitLab subscription to generate GitLab issues.

This GitLab CI structure runs the Pipeline Scan as its own stage after the Gradle build and relies on the $VERACODE_API_* variables being defined in the project's CI/CD settings rather than in the YAML itself.

# image must have JDK8+, gradle, curl, unzip
image: <image-with-above-requirements>

stages:
  - build
  - scan

build_job:
  stage: build
  artifacts:
    name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_build
    paths:
      - build/
    expire_in: 1 week
  script: gradle clean build

pipeline scan:
  stage: scan
  dependencies:
    - build_job
  artifacts:
    name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_pipeline-results
    paths:
      - results.json
      - veracode_gitlab_vulnerabilities.json
    reports:
      sast: veracode_gitlab_vulnerabilities.json
    expire_in: 1 week
    when: always
  script:
    - curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
    - unzip pipeline-scan-LATEST.zip pipeline-scan.jar
    - java -jar pipeline-scan.jar
      --veracode_api_id "${VERACODE_API_ID}"
      --veracode_api_key "${VERACODE_API_SECRET}"
      --file "build/libs/sample.jar"
      --fail_on_severity="Very High, High"
      --fail_on_cwe="80"
      --baseline_file "${CI_BASELINE_PATH}"
      --timeout "${CI_TIMEOUT}"
      --project_name "${CI_PROJECT_PATH}"
      --project_url "${CI_REPOSITORY_URL}"
      --project_ref "${CI_COMMIT_REF_NAME}"
      --gl_vulnerability_generation true
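The scan job above fails the pipeline according to --fail_on_severity, --fail_on_cwe and --baseline_file. The following Python is an added illustration of how those three flags combine into a gate decision; it is not Veracode's code, and the finding record shape (fingerprint, severity name, cwe_id) and the sample data are constructed assumptions, not the real results.json or baseline format produced by pipeline-scan.jar.

```python
import json

# Constructed sample scan output (assumed shape, not Veracode's real format).
SAMPLE_RESULTS = json.dumps({"findings": [
    {"fingerprint": "a1", "severity": "Medium", "cwe_id": 80, "title": "XSS"},
    {"fingerprint": "b2", "severity": "High", "cwe_id": 89, "title": "SQL injection"},
    {"fingerprint": "c3", "severity": "Low", "cwe_id": 117, "title": "Log neutralization"},
]})
# Constructed baseline: finding b2 was reviewed earlier and accepted.
SAMPLE_BASELINE = json.dumps({"findings": [{"fingerprint": "b2"}]})


def parse_list_flag(value):
    """Split a comma-separated flag value such as "Very High, High" into a set."""
    return {item.strip() for item in value.split(",") if item.strip()}


def baseline_fingerprints(baseline_json):
    """Fingerprints already present in the baseline file; these are not new
    findings and therefore must not fail the build."""
    return {f["fingerprint"] for f in json.loads(baseline_json)["findings"]}


def gate(results_json, fail_on_severity, fail_on_cwe, baseline_json=None):
    """Return (should_fail, offending) where offending lists the new findings
    that match either the severity list or the CWE list."""
    severities = parse_list_flag(fail_on_severity)
    cwes = parse_list_flag(fail_on_cwe)
    known = baseline_fingerprints(baseline_json) if baseline_json else set()
    offending = []
    for finding in json.loads(results_json)["findings"]:
        if finding["fingerprint"] in known:
            continue  # suppressed by --baseline_file
        if finding["severity"] in severities or str(finding["cwe_id"]) in cwes:
            offending.append(finding)
    return bool(offending), offending


if __name__ == "__main__":
    # Mirrors the job above: fail on Very High/High, and on CWE-80 at any severity.
    failed, hits = gate(SAMPLE_RESULTS, "Very High, High", "80", SAMPLE_BASELINE)
    print("fail build:", failed, "-", [h["title"] for h in hits])
```

Note that a Medium CWE-80 finding still fails the job because --fail_on_cwe is evaluated independently of --fail_on_severity, while a baselined High finding does not.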