uploadandscan

Veracode APIs

The uploadandscan composite action enables you to upload files to Veracode for scanning.

The uploadandscan call always runs with the auto-scan option on: the scan starts automatically after prescan completes, and you cannot turn this option off for this action.

Note: The XML API and the wrappers use different syntax. In the wrappers, parameter names omit underscores, parameter values omit spaces, and some parameters have different names. For example, the parameter app_id in the API is appid in the wrapper, the value Very High in the API is VeryHigh in the wrapper, and the parameter business_criticality in the API is criticality in the wrapper. The two syntaxes are not interchangeable, and using the wrong one causes the command to fail. To confirm the correct syntax, see the documentation in the Help directory of each wrapper.

The uploadandscan call supports these parameters:

appname (String, required)
  Name of the Veracode application profile.

createprofile (Boolean, required)
  Create a Veracode application profile, if one does not exist, for the specified application profile name. Set to true to create a profile, or false to not create one. When set to true, criticality is also required.

filepath (String, required)
  Filepath or folderpath of the files you want to upload to Veracode for scanning. By default, the integration uploads all subdirectories and files under this path. Ensure you have prepared the files according to the Veracode Packaging Requirements.

version (String, required)
  Name or version of the build that you want to scan. Use a value that is unique for the application, such as a build number or commit identifier.

createsandbox (Boolean)
  For development sandbox scans, create a sandbox with the specified name for the application if one does not exist. Set to true to create a sandbox, or false to not create one.

criticality (String)
  Optional, except when createprofile is true, in which case it is required. Business criticality of the application profile (business_criticality in the XML API). One of:
  • VeryHigh
  • High
  • Medium
  • Low
  • VeryLow

exclude (String)
  Case-sensitive, comma-separated list of module name patterns for the modules to not scan as top-level modules. The * wildcard matches 0 or more characters; the ? wildcard matches exactly one character.

include (String)
  Case-sensitive, comma-separated list of module name patterns for the modules to scan as top-level modules. The * wildcard matches 0 or more characters; the ? wildcard matches exactly one character.

lifecyclestage (String)
  One of these lifecycle stage values:
  • NotSpecified
  • InDevelopmentPreAlpha
  • InternalOrAlphaTesting
  • ExternalOrBetaTesting
  • DeployedInProductionAndActivelyDeveloped
  • MaintenanceOnlyBugFixes
  • CannotDisclose

maxretrycount (Integer)
  Number of times to retry polling for the status of a failed build. Value range is 0 to 5, where 0 means do not retry.

pattern (String)
  Case-sensitive filename pattern that selects the uploaded files to save under a different name. The * wildcard matches 0 or more characters; the ? wildcard matches exactly one character. Each wildcard corresponds to a numbered group that you can reference in the replacement pattern.

replacement (String)
  Replacement pattern that references the groups captured by the filename pattern as $1, $2, and so on. For example, if the filename pattern is *-*-SNAPSHOT.war and the replacement pattern is $1-master-SNAPSHOT.war, an uploaded file named app-branch-SNAPSHOT.war is saved as app-master-SNAPSHOT.war.

sandboxid (Integer)
  ID of the sandbox in which to run the scan.

sandboxname (String)
  Name of the sandbox in which to run the scan.

scanallnonfataltoplevelmodules (Boolean)
  Default is false. When set to true and the application has more than one module, the scan starts after prescan for every top-level module that has no fatal prescan errors, provided at least one such module exists.

scantimeout (Integer)
  Number of minutes to wait for the scan to complete and pass policy. If the scan does not complete within this time, or completes but fails policy, the build fails. Default is 60 minutes.

selected (Boolean)
  Set to true to scan the modules currently selected in the Veracode Platform.

selectedpreviously (Boolean)
  Set to true to scan only the modules selected in the previous scan.

teams (String)
  Comma-separated list of team names to associate with the specified application. Validated against the names of existing teams for this account.

toplevel (Boolean)
  When set to true, Veracode scans only the top-level modules in your files.

Veracode recommends that you use the toplevel parameter if you want to ensure the scan completes even though there are non-fatal errors, such as unsupported frameworks.
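The pattern and replacement rules above are easier to trust once you have tried them on real file names. The following shell script is an added example, not Veracode's code or the wrapper's implementation: it models the documented wildcard rules (* matches 0 or more characters, ? exactly one, and each wildcard becomes a numbered group referenced as $1, $2, ... in the replacement) as a POSIX regex and applies it, so you can predict the saved name before uploading. It assumes the pattern is anchored to the whole filename, that * is greedy (so a name with more separators than the pattern gives the first * the longest possible match), and that a file whose name does not match keeps its name; backslashes in patterns are not handled.

```shell
#!/bin/sh
# Added example (not Veracode's code): a model of the uploadandscan
# -pattern / -replacement rules. '*' matches 0 or more characters, '?' exactly
# one, and each wildcard becomes a numbered group referenced as $1, $2, ...
# Assumptions: the pattern is anchored to the whole filename, '*' is greedy,
# and a non-matching file keeps its name. Backslashes in patterns are not
# handled.

# wildcard_to_regex PATTERN
# Prints a POSIX basic regex with one capture group per wildcard.
wildcard_to_regex() {
  printf '%s\n' "$1" | sed \
    -e 's|[].[^$#]|\\&|g' \
    -e 's/\*/\\(.*\\)/g' \
    -e 's/?/\\(.\\)/g' \
    -e 's/^/^/' \
    -e 's/$/$/'
}

# rename_upload PATTERN REPLACEMENT FILENAME
# Prints the name the uploaded file would be saved under.
rename_upload() {
  regex=$(wildcard_to_regex "$1")
  # Escape characters that are special in a sed replacement, then turn the
  # $1..$9 group references into sed back-references \1..\9.
  repl=$(printf '%s\n' "$2" | sed -e 's/[&#]/\\&/g' -e 's/\$\([1-9]\)/\\\1/g')
  printf '%s\n' "$3" | sed "s#${regex}#${repl}#"
}

# Constructed sample inputs: the page's own example first.
rename_upload '*-*-SNAPSHOT.war' '$1-master-SNAPSHOT.war' 'app-branch-SNAPSHOT.war'
# With more separators than the pattern, the greedy first '*' keeps the extra
# segment, so 'app-feature-x-SNAPSHOT.war' is saved as
# 'app-feature-master-SNAPSHOT.war', not 'app-master-SNAPSHOT.war'.
rename_upload '*-*-SNAPSHOT.war' '$1-master-SNAPSHOT.war' 'app-feature-x-SNAPSHOT.war'
# A '?' group captures exactly one character.
rename_upload 'app-v?.jar' 'app-v$1-release.jar' 'app-v2.jar'
# A file that does not match the pattern is left alone.
rename_upload '*-SNAPSHOT.war' '$1-master-SNAPSHOT.war' 'app.jar'
```

The second call is the case worth checking before a real upload: because * is greedy, a branch name that itself contains the separator shifts which segment the replacement keeps, so make the pattern as specific as the file names it has to match.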

Examples

Veracode recommends that you use an external Veracode API credentials file to provide your credentials to the Veracode API wrapper. When you use a credentials file, omit the -vid and -vkey parameters; passing the API key on the command line, as the examples below do for completeness, exposes it in shell history and CI job logs.

These example commands use the uploadandscan action in specific scenarios:
  • Create an application and start a sandbox scan.
    java -jar VeracodeJavaAPI.jar -action uploadandscan -vid <Veracode API ID> -vkey <Veracode API key> -appname myapp -createprofile true -teams myteam -criticality VeryHigh -sandboxname mysandbox -createsandbox true -version <unique version> -filepath /workspace/myapp.jar
    VeracodeC#API -action uploadandscan -vid <Veracode API ID> -vkey <Veracode API key> -appname myapp -createprofile true -teams myteam -criticality VeryHigh -sandboxname mysandbox -createsandbox true -version <unique version> -filepath /workspace/myapp.jar
  • Create an application, start a sandbox scan that only includes modules selected in the previous scan, and wait 30 minutes for the scan to complete.
    java -jar VeracodeJavaAPI.jar -action uploadandscan -vid <Veracode API ID> -vkey <Veracode API key> -appname myapp -createprofile true -teams myteam -criticality VeryHigh -sandboxname mysandbox -createsandbox true -version <unique version> -scantimeout 30 -selectedpreviously true -filepath /workspace/myapp.jar
    VeracodeC#API -action uploadandscan -vid <Veracode API ID> -vkey <Veracode API key> -appname myapp -createprofile true -teams myteam -criticality VeryHigh -sandboxname mysandbox -createsandbox true -version <unique version> -scantimeout 30 -selectedpreviously true -filepath /workspace/myapp.jar
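In a CI job you normally want the wrapper call to fail closed and to fail early. The following script is an added example, not Veracode's code: it checks parameter values against the wrapper syntax documented above before invoking the Java wrapper (a value in XML API syntax such as "Very High" would otherwise fail only once the wrapper runs), relies on a Veracode API credentials file instead of -vid/-vkey so the API key never appears on the command line, and lets a non-zero wrapper exit fail the job. It assumes the jar is at $VERACODE_JAR (default VeracodeJavaAPI.jar in the working directory), that the credentials file is already in place, and that SCAN_TIMEOUT is the job's choice of -scantimeout; the validation lists and the helper names are the example's own.

```shell
#!/bin/sh
# Added example, not Veracode's code: preflight checks plus a fail-closed
# invocation of the Java API wrapper's uploadandscan action.
# Assumptions: jar at $VERACODE_JAR (default VeracodeJavaAPI.jar), credentials
# supplied through a Veracode API credentials file (no -vid/-vkey), and
# SCAN_TIMEOUT in minutes (default 60, the documented wrapper default).

CRITICALITIES="VeryHigh High Medium Low VeryLow"
LIFECYCLE_STAGES="NotSpecified InDevelopmentPreAlpha InternalOrAlphaTesting \
ExternalOrBetaTesting DeployedInProductionAndActivelyDeveloped \
MaintenanceOnlyBugFixes CannotDisclose"

# in_list VALUE "WORD WORD ..." -> returns 0 if VALUE is one of the words.
in_list() {
  for word in $2; do
    [ "$1" = "$word" ] && return 0
  done
  return 1
}

# validate_scan_params APPNAME VERSION FILEPATH CREATEPROFILE CRITICALITY LIFECYCLESTAGE MAXRETRYCOUNT
# Optional values may be passed as "". Prints one line per rejected value and
# returns 1 if anything was rejected, 0 otherwise.
validate_scan_params() {
  appname=$1; version=$2; filepath=$3; createprofile=$4
  criticality=$5; stage=$6; retries=$7; bad=0
  [ -n "$appname" ] || { echo "appname is required"; bad=1; }
  [ -n "$version" ] || { echo "version is required (and should be unique per application)"; bad=1; }
  [ -e "$filepath" ] || { echo "filepath does not exist: $filepath"; bad=1; }
  case $createprofile in
    true|false) ;;
    *) echo "createprofile must be true or false"; bad=1 ;;
  esac
  if [ "$createprofile" = true ] && [ -z "$criticality" ]; then
    echo "criticality is required when createprofile is true"; bad=1
  fi
  if [ -n "$criticality" ] && ! in_list "$criticality" "$CRITICALITIES"; then
    echo "criticality must be one of: $CRITICALITIES (wrapper syntax: VeryHigh, not 'Very High')"; bad=1
  fi
  if [ -n "$stage" ] && ! in_list "$stage" "$LIFECYCLE_STAGES"; then
    echo "lifecyclestage must be one of: $LIFECYCLE_STAGES"; bad=1
  fi
  if [ -n "$retries" ]; then
    case $retries in
      [0-5]) ;;
      *) echo "maxretrycount must be an integer from 0 to 5"; bad=1 ;;
    esac
  fi
  return $bad
}

# run_uploadandscan APPNAME VERSION FILEPATH CRITICALITY [SANDBOXNAME]
# Creates the profile (and the sandbox, if named) when missing, then waits up
# to SCAN_TIMEOUT minutes. The wrapper exits non-zero when the scan fails,
# times out or fails policy, which fails the CI job.
run_uploadandscan() {
  validate_scan_params "$1" "$2" "$3" true "$4" "" "" || return 2
  appname=$1; version=$2; filepath=$3; criticality=$4; sandbox=$5
  set -- -action uploadandscan -appname "$appname" -version "$version" \
    -filepath "$filepath" -createprofile true -criticality "$criticality" \
    -scantimeout "${SCAN_TIMEOUT:-60}"
  [ -n "$sandbox" ] && set -- "$@" -sandboxname "$sandbox" -createsandbox true
  java -jar "${VERACODE_JAR:-VeracodeJavaAPI.jar}" "$@"
}

# Usage in a CI job (java and the credentials file must be present):
#   SCAN_TIMEOUT=30 ./veracode_scan.sh myapp "1.4.0-$BUILD_NUMBER" target/myapp.jar VeryHigh mysandbox
[ $# -ge 4 ] && run_uploadandscan "$@"
```

Keep the validator in step with the parameter table: the value lists are what the wrapper accepts today, and the checks only reject values the wrapper would reject anyway, just with a clearer message and before any upload.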