Skip to main content

AWS CodeStar

You can use Veracode for AWS CodeStar to seamlessly integrate Veracode Static Analysis and Veracode Software Composition Analysis (SCA) agent-based scans with your Amazon Web Services (AWS) pipelines.

This table describes the workflows for integrating the supported scan types:

Scan TypeIntegration Workflow
Veracode Static AnalysisThe general workflow for integrating static analysis, using a policy or development sandbox, into your AWS pipeline:
  1. Configure a new or existing CodeBuild project that includes the Java API wrapper Docker image.
  2. Configure the CodeBuild project to include your Veracode API credentials and the command for calling the Java API wrapper.
  3. Add the CodeBuild project to a stage in your pipeline that runs after the stage that builds your application. The API commands upload the build output from the application build stage to Veracode for analysis.
Veracode Software Composition AnalysisThe general workflow for integrating SCA into your AWS pipeline:
  1. Configure a new or existing CodeBuild project that includes a Docker image for including SCA.
  2. Configure the CodeBuild project to include your Agent-Based Scanning API token, environment variables for accessing your source code management (SCM) system, and the command for installing agent-based scanning for performing SCA.
  3. Add the CodeBuild project to a stage in your pipeline that runs after the stage that builds your application. Agent-based scanning performs SCA on the build output from the application build stage.

Simple AWS pipeline stage example

You could create an AWS pipeline with two build stages to add Veracode security scanning:

  • Build stage: builds the application you want to analyze.
  • Security stage: receives the build output from the Build stage. The Security stage could include two actions for both the static analysis and SCA build projects:
    • An action that uses the Java API wrapper to upload the build output to Veracode for static analysis.
    • An action that uses agent-based scanning to perform SCA on the build output.