Pipeline Scan Command Parameters

You use command-line parameters to provide information to the Pipeline Scan.

Use the Pipeline Scan command line to do one of the following:

  • Download a custom policy to your working directory using the --request_policy <custom policy name> parameter. The only result is that you download the requested policy. No scanning occurs.

    Veracode recommends that you do not download a policy every time you run a pipeline build. Use the --request_policy parameter to download a policy only if you modified the policy.

  • Supply an application to scan by specifying the --file <filename> parameter together with other parameters for configuration settings, results display settings, and project metadata.

    If you use the --file <filename> parameter, supply these additional parameters:

    Veracode API credentials (required): your Veracode Platform API ID and key, supplied either through a Veracode API credentials file or as parameters on the command line.
    Scan configuration: settings for how the scan runs, including how to fail a pipeline, the maximum scan runtime, and a baseline file against which to compare results.
    Results display: options for how to display the results of the scan.
    Project metadata: information about the project to include in results output and usage reports.

The Pipeline Scan uses this command syntax:

java -jar pipeline-scan.jar
[-h] [-v] -f <file> [-prof <Veracode profile>] [-vkey <Veracode API key>]
[-vid <Veracode API ID>] [-fs fail_on_severity] [-fc fail_on_cwe]
[-bf <baseline file path>] [-t <timeout>] [-id {true,false}] [-sd {true,false}]
[-jd {true,false}] [-so {true,false}] [-sf <summary output file>]
[-jo {true,false}] [-jf <JSON output file>] [-p <project name>] [-u <project URL>]
[-r <project ref>] [-aid <app ID>] [-ds {Development,Testing,Release}]
[-gig {true,false}] [-gvg {true,false}] [-fjf <filtered JSON output file>]
[-pn <policy name>] [-pf <policy file>] [-rp <custom policy name>] [-V {true,false}]

Pipeline scans save the results to a JSON file. If the results contain any findings, pipeline scans also save a summary to file storage. You can also display the JSON and summary output on the console. To increase the verbosity of the console output, add --verbose true to the Java command.

The following reference describes the Pipeline Scan command parameters. Each entry gives the short parameter, its long version, and a description.

  -f, --file
      Upload and scan the file. Required.
  -rp, --request_policy
      Enter the name of the policy to download. Required only if you want to download the configuration for a custom policy defined by your organization. You use the --request_policy parameter with the --policy_file parameter.

Credentials
  -prof, --veracode_profile
      Identify which Veracode API credentials file profile provides your Veracode API credentials. Default is the default profile.
  -vid, --veracode_api_id
      Enter your Veracode API ID. Required if you do not provide the --veracode_profile parameter.
  -vkey, --veracode_api_key
      Enter your Veracode API key. Required if you do not provide the --veracode_profile parameter.

Scan Configuration
  -fs, --fail_on_severity
      Set the analysis to fail for issues of the given severities. Comma-separated list of severities, in quotation marks. For example, --fail_on_severity="Very High, High" reports if issues of severity Very High or High exist in the scan. Default is "Very High, High, Medium, Low, Very Low".
  -fc, --fail_on_cwe
      Set the analysis to fail for the supplied CWEs. Comma-separated list of CWEs. For example, --fail_on_cwe=95,100,978 reports only if issues of CWEs 95, 100, or 978 exist in the scan. Default is to fail the analysis for all discovered CWEs. If you use --fail_on_cwe without defining a --fail_on_severity parameter, the Pipeline Scan uses the default --fail_on_severity values: Very High, High, Medium, Low, Very Low.
  -bf, --baseline_file
      Filter out the flaws that exist in the specified baseline JSON file and show only the additional flaws in the current scan.
      Note: You cannot use the --baseline_file parameter to ignore flaws in Python applications.
  -pn, --policy_name
      Name of the Veracode default policy rule to apply to the scan results. You can only use this parameter with a Veracode default policy.
  -pf, --policy_file
      Name of the local policy file you want to apply to the scan results. To retrieve this file, use the --request_policy parameter.
  -t, --timeout
      Specify the amount of time (in minutes) for the Pipeline Scan to wait before reporting an unsuccessful scan if the scan is not complete. Default is 60, which is the maximum value allowed.

Results Display
  -id, --issue_details
      Enter true to show detailed messages for each issue in the results summary. Default is false.
  -sd, --summary_display
      Enter true to show a human-readable results summary on the console. Default is true.
  -jd, --json_display
      Enter true to show the JSON containing the scan results on the console. Default is false.
  -V, --verbose
      Enter true to display detailed messages in the scan results. Default is false.

Saving Results
  -so, --summary_output
      Enter true to save a human-readable results summary to a file. Default is false.
  -sf, --summary_output_file
      Enter the filename of the scan results summary file. The file is stored in the current directory. Default is results.txt.
  -jo, --json_output
      Enter true to save the scan results in JSON format. Default is true.
  -jf, --json_output_file
      Enter the filename of the JSON file in which to save the scan results. The file is stored in the current directory. Default is results.json.
  -fjf, --filtered_json_output_file
      Enter the filename in the current directory in which to save the results that violate the pass/fail criteria. Default is filtered_results.json.
      Note: You must use different filenames for the --json_output_file and --filtered_json_output_file parameters.
  -gig, --gl_issue_generation
      Enter true to create GitLab issues from the scan results. Default is false.
      The issue generation feature uses the GitLab API. You can configure it to support custom domains. To use a custom domain, set the GITLAB_URL CI/CD variable to the base URL. For example: GITLAB_URL=https://<GITLAB_URL>/api/v4/projects/. If not set, this value defaults to https://gitlab.com/api/v4/projects/.
  -gvg, --gl_vulnerability_generation
      Enter true to create a JSON file from the scan results that you automatically import as GitLab vulnerabilities. Default is false.
      Note: To use this parameter, you must define the paths and reports settings in the GitLab CI configuration.

Project Metadata
  -p, --project_name
      Enter the project name.
  -u, --project_url
      Enter the URL for the project source control.
  -r, --project_ref
      Enter the source control reference, revision, or branch for the project.
  -aid, --app_id
      Enter the Veracode Platform application ID.
  -ds, --development_stage
      Enter one of these values for the type of development stage:
        • Development
        • Testing
        • Release
      These values are case-sensitive.

Informational
  -h, --help
      List all the possible commands and parameters for the Pipeline Scan.
  -v, --version
      Display the Pipeline Scan version.
Note: When running the Pipeline Scan on JVM (Java Virtual Machine) version 9 or later, you may need to add --add-modules java.xml.bind to the Java command, before the -jar parameter.
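As an added example (not Veracode's own code), the following POSIX shell wrapper for a CI job assembles the scan command from environment variables and enforces the constraints in the parameter reference (timeout of at most 60 minutes, case-sensitive development stage, distinct --json_output_file and --filtered_json_output_file names, an existing baseline file) before any scan time is spent. PIPELINE_SCAN_JAR, JAVA_OPTS, DRY_RUN, the SCAN_FILE, FAIL_SEVERITY, SCAN_TIMEOUT, DEV_STAGE, JSON_FILE, FILTERED_JSON_FILE, BASELINE_FILE and VERACODE_PROFILE variable names, and the app.jar sample are assumptions.

```shell
#!/bin/sh
# Constructed CI wrapper (not Veracode's code): builds the Pipeline Scan command
# from environment variables and checks the documented constraints first.
# Variable names and the jar location are assumptions. Credentials come from a
# profile in the Veracode credentials file, so the API key never appears on the
# command line or in CI job logs.
build_scan_cmd() {
  jar=${PIPELINE_SCAN_JAR:-pipeline-scan.jar}
  file=${SCAN_FILE:-}
  sev=${FAIL_SEVERITY:-"Very High, High"}     # severities that fail the pipeline
  timeout=${SCAN_TIMEOUT:-60}                  # minutes; 60 is the documented maximum
  stage=${DEV_STAGE:-Development}              # case-sensitive per the reference
  jf=${JSON_FILE:-results.json}
  fjf=${FILTERED_JSON_FILE:-filtered_results.json}
  profile=${VERACODE_PROFILE:-default}
  baseline=${BASELINE_FILE:-}

  [ -n "$file" ] || { echo "SCAN_FILE (the artifact to scan) is required" >&2; return 1; }
  case $timeout in
    ''|*[!0-9]*) echo "SCAN_TIMEOUT must be a whole number of minutes" >&2; return 1 ;;
  esac
  if [ "$timeout" -lt 1 ] || [ "$timeout" -gt 60 ]; then
    echo "SCAN_TIMEOUT must be between 1 and 60" >&2; return 1
  fi
  case $stage in
    Development|Testing|Release) ;;
    *) echo "DEV_STAGE must be Development, Testing or Release (case-sensitive)" >&2; return 1 ;;
  esac
  if [ "$jf" = "$fjf" ]; then
    echo "JSON_FILE and FILTERED_JSON_FILE must be different filenames" >&2; return 1
  fi
  if [ -n "$baseline" ] && [ ! -f "$baseline" ]; then
    echo "baseline file not found: $baseline" >&2; return 1
  fi

  # JAVA_OPTS (assumed) carries e.g. --add-modules java.xml.bind on JVM 9 or later.
  cmd="java ${JAVA_OPTS:-} -jar $jar --file $file --veracode_profile $profile"
  cmd="$cmd --fail_on_severity=\"$sev\" --timeout $timeout --development_stage $stage"
  cmd="$cmd --json_output_file $jf --filtered_json_output_file $fjf --summary_output true"
  if [ -n "$baseline" ]; then
    cmd="$cmd --baseline_file $baseline"
  fi
  printf '%s\n' "$cmd"
}

# Usage: with SCAN_FILE set, print the command (DRY_RUN=1, the default) or run it.
if [ -n "${SCAN_FILE:-}" ]; then
  if [ "${DRY_RUN:-1}" = "1" ]; then build_scan_cmd; else eval "$(build_scan_cmd)"; fi
fi
```

Preferring --veracode_profile over --veracode_api_key keeps the API key out of the job's command line and logs; the filtered results file is what a pipeline gate should inspect, since it holds only the findings that violate the pass/fail criteria.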