Pipeline Scan Examples

Pipeline Scan

Veracode provides examples of how to add Pipeline Scans to development pipelines.

These examples include scripts to download and extract the pipeline-scan-LATEST.zip archive.

Note: These examples are also included in the README file included in the pipeline-scan-LATEST.zip archive.

To use the Pipeline Scan:

  1. Include the JAR file you download from pipeline-scan-LATEST.zip.
  2. After a build job completes, add a pipeline job to run the JAR file. In the pipeline job, enter java -jar with the relevant command parameters.

If the Pipeline Scan finds any flaws, it:

  • Returns the status code >=1 (greater than or equal to 1), indicating the number of flaws found
  • Fails the pipeline job

The Pipeline Scan reports up to 200 flaws. If you include the --fail_on_severity parameter, the Pipeline Scan counts only the flaws requested using the --fail_on_severity parameter.

Note: Veracode recommends that you download pipeline-scan-LATEST.zip each time you run a job, to ensure that you are using the latest version of the Pipeline Scan. Alternatively, cache this file locally on your CI system and download it at regular intervals. All examples include a step for downloading and extracting the latest Pipeline Scan version.

Configuration Scenarios

These common scenarios show how you may want to configure the Pipeline Scan to initiate scans. In these scenarios, initiate the Pipeline Scan after you build your application.

Report Policy-Violating Flaws and Proceed Regardless of the Results
  1. Initiate the Pipeline Scan on the built application, defining the policy criteria with the -fs and -fc parameters, or use the --policy_file or --policy_name parameters to specify a policy defined in the Veracode Platform.
  2. After the Pipeline Scan stage runs, proceed to the next stage, ignoring any exit code from the Pipeline Scan stage.

Veracode identifies this scenario as allow failure. Implementation details vary for each CI system.

Fail the Pipeline Stage if Any Policy-Violating Flaws Are Found (Break the Build)
  1. Initiate the Pipeline Scan on the built application, defining the policy criteria with the -fs and -fc parameters, or with a policy defined in the Veracode Platform using the --policy_file or --policy_name parameters.
  2. The Pipeline Scan stage fails if it finds any flaws matching the defined criteria. The exit code reports the number of flaws, up to 200.
  3. The Pipeline Scan stage passes if it does not find flaws matching the defined criteria.
Fail the Pipeline Stage if Any Newly-Identified Policy-Violating Flaws Are Found (Break the Build)
  1. Include a scan baseline file either as an artifact from a previous build or the project repository, defining the existing set of known flaws.
  2. Initiate the Pipeline Scan on the built application. Define the policy criteria with the -fs and -fc parameters, or with a policy using the --policy_file or --policy_name parameters. Include the baseline file using the -bf parameter.
  3. The Pipeline Scan stage fails if it finds any flaws matching the defined criteria that are not present in the baseline file. The exit code reports the number of flaws, up to 200.
  4. The Pipeline Scan stage passes if it does not find flaws that match the defined criteria or if the baseline file includes all the flaws.

You can use a baseline file to establish a baseline set of scan results. The Pipeline Scan evaluates only flaws that differ from those in the baseline file to determine pass or fail criteria. You can use a baseline file to evaluate security risk on only new changes to your application.

GitLab

You can add a Pipeline Scan as a job in a GitLab pipeline. You configure GitLab pipeline jobs using YAML configuration files. These YAML code examples show how to configure a pipeline to build a project and run a Pipeline Scan as a stage in the pipeline.

GitLab and Gradle with Automatic Issue Generation

To automatically generate issues from the GitLab repository:

  1. Use any GitLab subscription to automatically generate GitLab issues. You do not need a premium GitLab subscription.
  2. Generate an API access token for the GitLab repository and set it as a variable in the CI/CD settings with the PRIVATE_TOKEN key.

This structure in the GitLab CI performs a self-test and sets the $VERACODE_API_* variables in the CI/CD settings.

        # image must have JDK8+, gradle, curl, unzip
        image: <image-with-above-requirements>
        
        stages:
        - build
        - scan
        
        build_job:
        stage: build
        artifacts:
        name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_build
        paths:
        - build/
        expire_in: 1 week
        script: gradle clean build
        
        pipeline scan:
        stage: scan
        dependencies:
        - build_job
        artifacts:
        name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_pipeline-results
        paths:
        - results.json
        expire_in: 1 week
        when: always
        script:
        - curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
        - unzip pipeline-scan-LATEST.zip pipeline-scan.jar
        - java -jar pipeline-scan.jar
        --veracode_api_id "${VERACODE_API_ID}"
        --veracode_api_key "${VERACODE_API_SECRET}"
        --file "build/libs/sample.jar"
        --fail_on_severity="Very High, High"
        --fail_on_cwe="80"
        --baseline_file "${CI_BASELINE_PATH}"
        --timeout "${CI_TIMEOUT}"
        --project_name "${CI_PROJECT_PATH}"
        --project_url "${CI_REPOSITORY_URL}"
        --project_ref "${CI_COMMIT_REF_NAME}"
        --gl_issue_generation true
      

GitLab and Gradle with Automatic Vulnerability Generation

To automatically generate GitLab vulnerabilities from the GitLab repository, obtain a GitLab Gold or Ultimate license.

This structure in the GitLab CI performs a self-test and sets the $VERACODE_API_* variables in the CI/CD settings.

# image must have JDK8+, gradle, curl, unzip
        image: <image-with-above-requirements>
        
        stages:
        - build
        - scan
        
        build_job:
        stage: build
        artifacts:
        name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_build
        paths:
        - build/
        expire_in: 1 week
        script: gradle clean build
        
        pipeline scan:
        stage: scan
        dependencies:
        - build_job
        artifacts:
        name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_pipeline-results
        paths:
        - results.json
        - veracode_gitlab_vulnerabilities.json
        reports: 
        sast: veracode_gitlab_vulnerabilities.json
        expire_in: 1 week
        when: always
        script:
        - curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
        - unzip pipeline-scan-LATEST.zip pipeline-scan.jar
        - java -jar pipeline-scan.jar
        --veracode_api_id "${VERACODE_API_ID}"
        --veracode_api_key "${VERACODE_API_SECRET}"
        --file "build/libs/sample.jar"
        --fail_on_severity="Very High, High"
        --fail_on_cwe="80"
        --baseline_file "${CI_BASELINE_PATH}"
        --timeout "${CI_TIMEOUT}"
        --project_name "${CI_PROJECT_PATH}"
        --project_url "${CI_REPOSITORY_URL}"
        --project_ref "${CI_COMMIT_REF_NAME}"
        --gl_vulnerability_generation true
      

GitLab and Gradle

        yml
        # image must have JDK8+, gradle, curl, unzip
        <image: image-with-above-requirements>
        
        stages:
        - build
        - scan
        
        build_job:
        stage: build
        artifacts:
        name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_build
        paths:
        - build/
        expire_in: 1 week
        script: gradle clean build
        
        pipeline scan:
        stage: scan
        dependencies:
        - build_job
        artifacts:
        name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_pipeline-results
        paths:
        - results.json
        expire_in: 1 week
        when: always
        script:
        - curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
        - unzip pipeline-scan-LATEST.zip pipeline-scan.jar
        - java -jar pipeline-scan.jar
        --veracode_api_id "${VERACODE_API_ID}"
        --veracode_api_key "${VERACODE_API_SECRET}"
        --file "build/libs/sample.jar"
        --project_name "${CI_PROJECT_PATH}"
        --project_url "${CI_REPOSITORY_URL}"
        --project_ref "${CI_COMMIT_REF_NAME}"
        --fail_on_severity="Very High, High"
        --fail_on_cwe="80"
        --baseline_file "${CI_BASELINE_PATH}"
        --timeout "${CI_TIMEOUT}"
        --project_name "${CI_PROJECT_PATH}"
        --project_url "${CI_REPOSITORY_URL}"
        --project_ref "${CI_COMMIT_REF_NAME}"
      

GitLab and Maven

        yml
        # image must have JDK8+, gradle, curl, unzip
        image: <image-with-above-requirements>
        
        
        stages:
        - build
        - scan
        
        build_job:
        stage: build
        script:
        - maven clean verify
        artifacts:
        name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_build
        paths:
        -  build/
        expire_in: 1 week
        
        pipeline scan:
        stage: scan
        dependencies:
        - build_job
        artifacts:
        name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_pipeline-results
        paths:
        - results.json
        expire_in: 1 week
        when: always
        script:
        - curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
        - unzip pipeline-scan-LATEST.zip pipeline-scan.jar
        - java -jar pipeline-scan.jar
        --veracode_api_id "${VERACODE_API_ID}"
        --veracode_api_key "${VERACODE_API_SECRET}"
        --file "build/libs/sample.jar"
        --project_name "${CI_PROJECT_PATH}"
        --project_url "${CI_REPOSITORY_URL}"
        --project_ref "${CI_COMMIT_REF_NAME}"
        --gitlab_api_token "${PRIVATE_TOKEN}"
        --fail_on_severity="Very High, High"
        --fail_on_cwe="80"
        --baseline_file "${CI_BASELINE_PATH}"
        --timeout "${CI_TIMEOUT}"
        --project_name "${CI_PROJECT_PATH}"
        --project_url "${CI_REPOSITORY_URL}"
        --project_ref "${CI_COMMIT_REF_NAME}"
      

GitLab and Gradle with Automatic Vulnerability Generation Using a Built-in Policy

To evaluate Pipeline Scan results against one of the default policies defined in the Veracode Platform, specify the policy name using the --policy_name parameter. This parameter replaces the --fail_on_severity and --fail_on_cwe filter parameters.

yml
# image must have JDK8+, gradle, curl, unzipimage: <image-with-above-requirements>

stages:
  - build
  - scan

build_job:
  stage: build
  artifacts:
    name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_build
    paths:
      - build/
    expire_in: 1 week
  script: gradle clean build

pipeline scan:
  stage: scan
  dependencies:
    - build_job
  artifacts:
    name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_pipeline-results
    paths:
      - results.json
      - veracode_gitlab_vulnerabilities.json
    reports: 
      sast: veracode_gitlab_vulnerabilities.json
    expire_in: 1 week
    when: always
  script:
    - curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
    - unzip pipeline-scan-LATEST.zip pipeline-scan.jar
    - java -jar pipeline-scan.jar
      --veracode_api_id "${VERACODE_API_ID}"
      --veracode_api_key "${VERACODE_API_SECRET}"
      --file "build/libs/sample.jar"
      --policy_name="Veracode Recommended High"
      --baseline_file "${CI_BASELINE_PATH}"
      --timeout "${CI_TIMEOUT}"
      --project_name "${CI_PROJECT_PATH}"
      --project_url "${CI_REPOSITORY_URL}"
      --project_ref "${CI_COMMIT_REF_NAME}"
      --gl_vulnerability_generation true
 

GitLab and Gradle with Automatic Vulnerability Generation Using a Custom Policy

You can specify a policy file you previously downloaded and packaged and then use it in the pipeline. To download policy locally to use later in the pipeline, use the --request_policy parameter as shown in this example:

 - java -jar pipeline-scan.jar
       --veracode_api_id "${VERACODE_API_ID}"
       --veracode_api_key "${VERACODE_API_SECRET}"
       --request_policy="Custom Policy"          
      

Pipeline Scan automatically names the locally-generated policy file using the format <policy name>.json, replacing any spaces with underscores. In this example, the resulting file is named Custom_Policy.json. You should place this file in a location accessible to the pipeline for its subsequent use. Use the --policy_file parameter to specify the local custom policy for vulnerability filtering:

yml
# image must have JDK8+, gradle, curl, unzip
image: <image-with-above-requirements>

stages:
  - build
  - scan

build_job:
  stage: build
  artifacts:
    name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_build
    paths:
      - build/
    expire_in: 1 week
  script: gradle clean build

pipeline scan:
  stage: scan
  dependencies:
    - build_job
  artifacts:
    name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_pipeline-results
    paths:
      - results.json
      - veracode_gitlab_vulnerabilities.json
    reports: 
      sast: veracode_gitlab_vulnerabilities.json
    expire_in: 1 week
    when: always
  script:
    - curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
    - unzip pipeline-scan-LATEST.zip pipeline-scan.jar
    - java -jar pipeline-scan.jar
      --veracode_api_id "${VERACODE_API_ID}"
      --veracode_api_key "${VERACODE_API_SECRET}"
      --file "build/libs/sample.jar"
      --policy_file="Custom_Policy.json"
      --baseline_file "${CI_BASELINE_PATH}"
      --timeout "${CI_TIMEOUT}"
      --project_name "${CI_PROJECT_PATH}"
      --project_url "${CI_REPOSITORY_URL}"
      --project_ref "${CI_COMMIT_REF_NAME}"
      --gl_vulnerability_generation true
  
      

Storing and Using a Baseline File With GitLab

You can use a baseline file to establish a baseline set of scan results. The Pipeline Scan evaluates only flaws that differ from those in the baseline file to determine pass or fail criteria. You can use a baseline file to evaluate security risk on only new changes to your application.

yml
        # image must have JDK8+, gradle, curl, unzip
        image: <image-with-above-requirements>
        stages:
        - build
        - scan
        - store
        
        build_job:
        stage: build
        artifacts:
        name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_build
        paths:
        - build/
        expire_in: 1 week
        script: gradle clean build
        
        Scan:
        stage: scan
        only:
        - master
        dependencies:
        - build_job
        artifacts:
        name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_pipeline-results
        paths:
        - baseline.json
        expire_in: 1 week
        when: always
        script:
        - curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
        - unzip pipeline-scan-LATEST.zip pipeline-scan.jar
        - java -jar pipeline-scan.jar
        --veracode_api_id "${VERACODE_API_ID}"
        --veracode_api_key "${VERACODE_API_SECRET}"
        --file "build/libs/sample.jar"
        --fail_on_severity="Very High, High"
        --fail_on_cwe="80"
        --json_output_file="baseline.json"
        --timeout "${CI_TIMEOUT}"
        --project_name "${CI_PROJECT_PATH}"
        --project_url "${CI_REPOSITORY_URL}"
        --project_ref "${CI_COMMIT_REF_NAME}"
        Store Baseline:
        # Job will only run on master, if requested.
        # Will restore the above baseline artifact so it can be pulled down in other stages
        stage: store
        before_script:
        only:
        - master
        when: manual
        script:
        - echo "Storing results.json as baseline.json"
        artifacts:
        name: baseline
        paths:
        - baseline.json # If you want to keep this longer than the GitLab default - press store in the web UI
        
        Baseline Scan:
        # Job will run anywhere, except master. Will pull the baseline file and use it in the scan, if available
        except:
        - master
        stage: scan
        script:
        - git clean -dfx
        - 'curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip'
        - unzip pipeline-scan-LATEST.zip pipeline-scan.jar
        - 'curl --location "$CI_PROJECT_URL/-/jobs/artifacts/$CI_COMMIT_REF_NAME/raw/baseline.json?job=Store%20Baseline" -o baseline.json'
        - java -jar pipeline-scan.jar --veracode_api_id "${VERACODE_KEY}" --veracode_api_key "${VERACODE_SECRET}" --file "<file_to_scan>" --project_name "${CI_PROJECT_PATH}" --project_url "${CI_PROJECT_URL}" --project_ref "${CI_COMMIT_REF_NAME}" --baseline_file baseline.json -jf results.json
      

Jenkins

You can add a Pipeline Scan as a job in a Jenkins declarative pipeline. You can configure a Jenkins pipeline with a Jenkinsfile that defines stages of running the pipeline. These examples show how to configure Jenkins to build a project and run a Pipeline Scan as a stage in the pipeline.

Jenkins and Gradle

yml
        pipeline {
        agent any-with-jdk8-gradle-curl-unzip
        stages {
        stage('Gradle Build') {
        steps {
        - sh `gradle clean build`
        }
        }
        stage('Veracode Pipeline Scan') {
        steps {
        - sh `curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip`
        - sh `unzip pipeline-scan-LATEST.zip pipeline-scan.jar`
        - sh `java -jar pipeline-scan.jar \
        --veracode_api_id "${VERACODE_API_ID}" \
        --veracode_api_key "${VERACODE_API_SECRET}" \
        --file "build/libs/sample.jar" \
        --fail_on_severity="Very High, High" \
        --fail_on_cwe="80" \
        --baseline_file "${CI_BASELINE_PATH}" \
        --timeout "${CI_TIMEOUT}"
        --project_name "${env.JOB_NAME}" \
        --project_url "${env.GIT_URL}" \
        --project_ref "${env.GIT_COMMIT}"
        }
        }
        }
        post {
        always {
        archiveArtifacts artifacts: 'results.json', fingerprint: true
        }
        }
        }
      

Jenkins and Maven

        yml
        pipeline {
        agent any-with-jdk8-maven-curl-unzip
        stages {
        stage('Maven Build') {
        steps {
        - sh 'maven clean verify'
        }
        }
        stage('Veracode Pipeline Scan') {
        steps {
        - sh `curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip`
        - sh `unzip pipeline-scan-LATEST.zip pipeline-scan.jar`
        - sh `java -jar pipeline-scan.jar \
        --veracode_api_id "${VERACODE_API_ID}" \
        --veracode_api_key "${VERACODE_API_SECRET}" \
        --file "build/libs/sample.jar" \
        --fail_on_severity="Very High, High" \
        --fail_on_cwe="80" \
        --baseline_file "${CI_BASELINE_PATH}" \
        --timeout "${CI_TIMEOUT}" \
        --project_name "${env.JOB_NAME}" \
        --project_url "${env.GIT_URL}" \
        --project_ref "${env.GIT_COMMIT}" \
        }
        }
        }
        post {
        always {
        archiveArtifacts artifacts: 'results.json', fingerprint: true
        }
        }
        }
      

Storing and Using a Baseline File With Jenkins

You can use a baseline file to establish a baseline set of scan results. The Pipeline Scan evaluates only flaws that differ from those in the baseline file to determine pass or fail criteria. You can use a baseline file to evaluate security risk on only new changes to your application.

This example shows how you can use a baseline file.

It uses a single pipeline for the build and the pipeline scan process, then stores the baseline file as an artifact each time a job runs. You can modify this example so that you can run the pipeline scan as its own pipeline, which another job can trigger. Depending on your build configuration, you may want to store results in a separate globally-accessible location, such as a shared directory.
pipeline {
        agent any-with-jdk8-gradle-curl-unzip
        stages {
        stage('Clone Repo') {
        steps {
        git url: "$GIT_URL", branch: "$GIT_BRANCH", credentialsId: 'ae020d0c-c99b-4a6c-9663-7a2e0290648c'
        }
        }
        stage('Gradle Build') {
        steps {
        sh './gradlew clean build'
        }
        }
        stage('Veracode Pipeline Scan') {
        steps {
        // Copy baseline from previous build
        copyArtifacts(projectName: "$JOB_NAME", selector: lastSuccessful(stable: true), filter: 'baseline.json', target: '.', optional: true)
        script {
        ref = sh(script: 'git rev-parse HEAD', returnStdout: true).trim()
        baseline = ''
        if (fileExists('baseline.json')) {
        baseline = '--baseline_file baseline.json'
        }
        }
        
        // Download and submit Pipeline Scan
        sh 'curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip'
        sh 'unzip pipeline-scan-LATEST.zip pipeline-scan.jar'
        sh """
        java -jar pipeline-scan.jar \
        --veracode_api_id "${env.VERACODE_API_KEY_ID}" \
        --veracode_api_key "${env.VERACODE_API_KEY_SECRET}" \
        --jf results.json \
        --timeout "$timeout" \
        --file "build/libs/sample.jar" \
        --project_name "$JOB_NAME" \
        --project_url "$GIT_URL" \
        --project_ref "$ref" 
        $baseline
        """
        }
        }
        stage('Store Baseline') {
        steps {
        script {
        try {
        input(message: 'Store results as baseline for future scans?', ok: 'Yes')
        sh 'cp baseline.json build-baseline.json'
        sh 'cp results.json baseline.json'
        } catch (err) {
        
        }
        }
        }
        }
        }
        post {
        always {
        archiveArtifacts artifacts: "*.json", fingerprint: true, allowEmptyArchive: true
        deleteDir()
        }
        }
        }
      

GitHub

You can add a pipeline scan as a step in a GitHub Actions workflow. You configure GitHub Action workflows using YAML configuration files. The following YAML code examples show how to configure a workflow to build a project and run the Pipeline Scan as a step in the workflow.

GitHub Actions and Gradle

        yml
        name: pipeline-scan
        
        on: push
        
        jobs:
        build:
        runs-on: ubuntu-latest
        steps:
        - name: build
        run: gradle clean build
        pipeline-scan:
        runs-on: ubuntu-latest
        steps:
        - name: Set up JDK 1.8
        uses: actions/setup-java@v1
        with:
        java-version: 1.8
        - name: Download the Pipeline Scanner
        uses: wei/curl@master
        with:
        args: -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
        - name: Unzip the Pipeline Scanner
        run: unzip pipeline-scan-LATEST.zip
        - name: Run Pipeline Scanner
        run: java -jar pipeline-scan.jar --verbose --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --file "example.jar" --fail_on_severity="Very High, High"
      

GitHub Actions and Maven

        yml
        name: pipeline-scan
        
        on: push
        
        jobs:
        build:
        runs-on: ubuntu-latest
        steps:
        - name: build
        run: maven clean verify
        pipeline-scan:
        runs-on: ubuntu-latest
        steps:
        - name: Set up JDK 1.8
        uses: actions/setup-java@v1
        with:
        java-version: 1.8
        - name: Download the Pipeline Scanner
        uses: wei/curl@master
        with:
        args: -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
        - name: Unzip the Pipeline Scanner
        run: unzip pipeline-scan-LATEST.zip
        - name: Run Pipeline Scanner
        run: java -jar pipeline-scan.jar --verbose --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --file "example.jar" --fail_on_severity="Very High, High"
      

Storing and Using a Baseline File with GitHub Actions

This example shows how you can use a baseline file with GitHub actions.

It uses a single pipeline for the build and the pipeline scan process, then stores the baseline file as an artifact each time a job runs. You can modify this example so that you can run the pipeline scan as its own pipeline, which another job can trigger. Depending on your build configuration, you may want to store results in a separate globally-accessible location, such as a shared directory.
yml
        name: pipeline-scan
        
        on: push
        
        jobs:
        build:
        runs-on: ubuntu-latest
        steps:
        - name: build
        run: gradle clean build
        baseline:
        runs-on: ubuntu-latest
        steps:
        - name: Set up JDK 1.8
        uses: actions/setup-java@v1
        with:
        java-version: 1.8
        - name: Download the Pipeline Scanner
        uses: wei/curl@master
        with:
        args: -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
        - name: Unzip the Pipeline Scanner
        run: unzip pipeline-scan-LATEST.zip
        - name: Create Baseline
        run: java -jar pipeline-scan.jar --verbose --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --file "example.jar" --json_output_file="baseline.json" || true
        - name: Upload Baseline
        uses: actions/upload-artifact@v1
        with:
        name: baseline
        path: baseline.json
        baseline-scan:
        runs-on: ubuntu-latest
        needs: baseline
        steps:
        - name: Set up JDK 1.8
        uses: actions/setup-java@v1
        with:
        java-version: 1.8
        - name: Download the Pipeline Scanner
        uses: wei/curl@master
        with:
        args: -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
        - name: Unzip the Pipeline Scanner
        run: unzip pipeline-scan-LATEST.zip
        - name: download baseline
        uses: actions/download-artifact@v1
        with:
        name: baseline
        - name: Scan with baseline
        run: java -jar pipeline-scan.jar --verbose --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --file "example.jar" --baseline_file "baseline/baseline.json"
      

Azure DevOps

You can add a pipeline scan as a job in an Azure DevOps pipeline. You configure Azure DevOps pipelines using a YAML file that defines steps of running the pipeline. The following YAML code examples show how to configure Azure DevOps to build a project and run the Pipeline Scan as a stage in the pipeline.

Azure DevOps YAML Pipeline and Gradle

        yml
        trigger:
        - master
        
        pool:
        vmImage: 'ubuntu-latest'
        
        steps:
        - task: Gradle@2
        inputs:
        workingDirectory: ''
        gradleWrapperFile: 'gradlew'
        gradleOptions: '-Xmx3072m'
        javaHomeOption: 'JDKVersion'
        jdkVersionOption: '1.8'
        jdkArchitectureOption: 'x64'
        publishJUnitResults: true
        testResultsFiles: '**/TEST-*.xml'
        tasks: 'build'
        - script: |
        curl -O -L https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
        - task: ExtractFiles@1
        inputs:
        archiveFilePatterns: 'pipeline-scan-LATEST.zip'
        cleanDestinationFolder: false
        - script: |
        java -jar pipeline-scan.jar --verbose --veracode_api_id "$(VERACODE_API_ID)" --veracode_api_key "$(VERACODE_API_KEY)" --file "example.jar" --fail_on_severity="Very High, High" --fail_on_cwe="80"
        env:
        VERACODE_API_ID: $(VERACODE_API_ID)
        VERACODE_API_KEY: $(VERACODE_API_KEY)

Azure DevOps YAML Pipeline and Maven

        yml
        
        trigger:
        - master
        
        pool:
        vmImage: 'ubuntu-latest'
        
        steps:
        # Maven
        # Build, test, and deploy with Apache Maven
        - task: Maven@3
        inputs:
        mavenPomFile: 'pom.xml'
        goals: 'package' # Optional
        options: # Optional
        publishJUnitResults: true
        testResultsFiles: '**/surefire-reports/TEST-*.xml' # Required when publishJUnitResults == True
        testRunTitle: # Optional
        codeCoverageToolOption: 'None' # Optional. Options: none, cobertura, jaCoCo. Enabling code coverage inserts the `clean` goal into the Maven goals list when Maven runs.
        codeCoverageClassFilter: # Optional. Comma-separated list of filters to include or exclude classes from collecting code coverage. For example: +:com.*,+:org.*,-:my.app*.*
        codeCoverageClassFilesDirectories: # Optional
        codeCoverageSourceDirectories: # Optional
        codeCoverageFailIfEmpty: false # Optional
        javaHomeOption: 'JDKVersion' # Options: jDKVersion, path
        jdkVersionOption: 'default' # Optional. Options: default, 1.11, 1.10, 1.9, 1.8, 1.7, 1.6
        jdkDirectory: # Required when javaHomeOption == Path
        jdkArchitectureOption: 'x64' # Optional. Options: x86, x64
        mavenVersionOption: 'Default' # Options: default, path
        mavenDirectory: # Required when mavenVersionOption == Path
        mavenSetM2Home: false # Required when mavenVersionOption == Path
        mavenOptions: '-Xmx1024m' # Optional
        mavenAuthenticateFeed: false
        effectivePomSkip: false
        sonarQubeRunAnalysis: false
        sqMavenPluginVersionChoice: 'latest' # Required when sonarQubeRunAnalysis == True# Options: latest, pom
        checkStyleRunAnalysis: false # Optional
        pmdRunAnalysis: false # Optional
        findBugsRunAnalysis: false # Optional
        - script: |
        curl -O -L https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
        - task: ExtractFiles@1
        inputs:
        archiveFilePatterns: 'pipeline-scan-LATEST.zip'
        cleanDestinationFolder: false
        - script: |
        java -jar pipeline-scan.jar --verbose --veracode_api_id "$(VERACODE_API_ID)" --veracode_api_key "$(VERACODE_API_KEY)" --file "example.jar" --fail_on_severity="Very High, High" --fail_on_cwe="80"
        env:
        VERACODE_API_ID: $(VERACODE_API_ID)
        VERACODE_API_KEY: $(VERACODE_API_KEY)
      

Storing and Using a Baseline File with Azure DevOps

This example shows how you can use a baseline file with Azure DevOps.

It uses a single pipeline for the build and the pipeline scan process, then stores the baseline file as an artifact each time a job runs. You can modify this example so that you can run the pipeline scan as its own pipeline, which another job can trigger. Depending on your build configuration, you may want to store results in a separate globally-accessible location, such as a shared directory.
        yml
        
        # generate baseline
        trigger:
        - master
        
        pool:
        vmImage: 'ubuntu-latest'
        
        steps:
        - task: Gradle@2
        inputs:
        workingDirectory: ''
        gradleWrapperFile: 'gradlew'
        gradleOptions: '-Xmx3072m'
        javaHomeOption: 'JDKVersion'
        jdkVersionOption: '1.8'
        jdkArchitectureOption: 'x64'
        publishJUnitResults: true
        testResultsFiles: '**/TEST-*.xml'
        tasks: 'build'
        - script: |
        curl -O -L https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
        - task: ExtractFiles@1
        inputs:
        archiveFilePatterns: 'pipeline-scan-LATEST.zip'
        cleanDestinationFolder: false
        - script: |
        java -jar pipeline-scan.jar --verbose --veracode_api_id "$(VERACODE_API_ID)" --veracode_api_key "$(VERACODE_API_KEY)" --file "example.jar" --json_output_file="baseline.json" || true
        env:
        VERACODE_API_ID: $(VERACODE_API_ID)
        VERACODE_API_KEY: $(VERACODE_API_KEY)
        - publish: $(System.DefaultWorkingDirectory)/baseline.json
        artifact: baseline
        
        # use baseline
        trigger:
        - master
        
        pool:
        vmImage: 'ubuntu-latest'
        
        steps:
        - script: |
        curl -O -L https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
        - task: ExtractFiles@1
        inputs:
        archiveFilePatterns: 'pipeline-scan-LATEST.zip'
        cleanDestinationFolder: false
        - task: DownloadPipelineArtifact@2
        inputs:
        source: specific
        project: 'test'
        pipeline: 2
        artifact: baseline
        - script: |
        java -jar pipeline-scan.jar --verbose --veracode_api_id "$(VERACODE_API_ID)" --veracode_api_key "$(VERACODE_API_KEY)" --file "example.jar" --baseline_file "../baseline.json"
        env:
        VERACODE_API_ID: $(VERACODE_API_ID)
        VERACODE_API_KEY: $(VERACODE_API_KEY)