Run a Pipeline Scan from the Command Line

Getting Started with Veracode

You can run a few Pipeline Scan commands at a local console, outside of a development pipeline, to get started with running a scan and viewing scan results without the need for a test or production pipeline. You can also use the command line for debugging.

Before running a Pipeline Scan, ensure you meet the prerequisites.

This is an optional procedure that steps you through running a few Pipeline Scan commands from the command line using different command parameters for generating scan results, creating a custom baseline file, and running a Pipeline Scan against that baseline file.

If you want to add a Pipeline Scan to your development pipeline, you can skip this procedure and go to Run a Pipeline Scan in a Pipeline. You can also run and manage scans using the Pipeline Scan API.

A Veracode account is limited to six Pipeline Scans per 60 seconds and each scan is limited to a maximum scan time of 60 minutes.

The example Java application is a WAR file named verademo.war, which you can download from the Veracode GitHub repository. You can also use any application that meets the language and packaging requirements.

To run a Pipeline Scan from the command line:

  1. Obtain the Pipeline Scan files.
  2. Run this command to view all scan results for an application:
    java -jar pipeline-scan.jar --file verademo.war
    Each scan returns a status code.
  3. Run this command to include additional details about each finding in the scan results:
    java -jar pipeline-scan.jar --file verademo.war -id true
  4. Run this command to save the scan results to a JSON file with a custom filename:
    java -jar pipeline-scan.jar --file verademo.war -jf verademo_results.json
    By default, Pipeline Scan saves the scan results to a results.json file in the local directory. This file is also called an artifact.
    Note: Each Pipeline Scan command overwrites the default results.json file with the latest results. By giving your JSON file a unique filename you can prevent subsequent scans from overwriting your saved scan results.
    The JSON file contains detailed information about each flaw in key-value pair. This example shows a single finding in a JSON file.
  5. Run this command to set your custom JSON file as the baseline file of known findings for this application:
    java -jar pipeline-scan.jar --file verademo.war -bf verademo_results.json
  • If you set a baseline file, store it in version control at the same level as the scanned application. Any changes to a baseline file can affect your security strategy. It is important that you version this file to ensure it contains the required baseline of findings for the given application. If necessary, you can revert to a previous version of the file.
  • Review the scan results with your team to determine a mitigation plan for addressing the discovered flaws.