Run a Pipeline Scan

Pipeline Scan

You can run a Pipeline Scan by adding a job to your CI/CD pipeline to execute the necessary commands.

Before you can run a Pipeline Scan, ensure that you meet these prerequisites:

User Requirements
  • An active Veracode Static Analysis license
  • These roles:
    • For a user account, one of these user roles:
      • Security Lead
      • Creator
      • Submitter
    • For an API service account, one of these roles:
      • Upload API - Submit Only
      • Upload and Scan API
  • You have generated Veracode API credentials. Pipeline scans can use a standalone Veracode API credentials file. If the credentials file does not exist, you must use the VERACODE_API_ID and VERACODE_API_KEY parameters to specify authentication credentials.
System Requirements
  • You must have installed Java 8 or later.
Proxy Settings
If you are using authenticated HTTPS proxy connections with the Pipeline Scan, configure the proxy settings using this format:
java -Dhttps.proxyHost=<myproxy> -Dhttps.proxyPort=<myport> -Dhttps.proxyUser=<myuser> -Dhttps.proxyPassword=<mypass>
GitLab Access Token
To run a Pipeline Scan to generate GitLab issues, you must store your access token as an environment variable.
Environment Variables for Base Directories
To run a Pipeline Scan of a Java application to generate GitLab issues, you must define a filepath for the base directories.
Scan Limits
Veracode enforces these limits in a Pipeline Scan:
  • Six scans per minute per user account
  • A total file size of 100 MB for files submitted for scanning
  • A maximum scan time of 60 minutes

Veracode also offers an API to interact with a Pipeline Scan.

To submit files for scanning:

  1. Edit your pipeline script to include the Pipeline Scan commands.
  2. Run the pipeline job.
    The Pipeline Scan reports the result of the scan, including any flaws.

After you submit a CI/CD pipeline job using the Pipeline Scan command-line options, the status codes returned depend on the results of the scan. You can configure your CI/CD pipeline to use these status codes to pass or fail the stage using a Pipeline Scan.

When the Pipeline Scan is complete, it returns one of these status codes:

Status Code Description
0 The Pipeline Scan did not find any flaws.
1200 If the Pipeline Scan finds flaws, it returns a status code equal to the number of flaws found (up to 200).
-1 The scan failed because of network flaws, invalid Veracode API credentials, or other problems.
-3 The scan did not complete within the time specified using the --timeout option.

Initiating a scan using the default settings (application filename and Veracode API credentials) instructs the Pipeline Scan to:

  • Report scanned modules
  • Report flaw counts for any flaws of Very Low severity or higher
  • Display a summary of the results on the console
  • Write results JSON to storage, where it can then be used by the pipeline

If the scan produces very large results output, the scan may truncate the results before sending it to a Pipeline Scan. If the scan operation truncates output, the Pipeline Scan issues a warning message and includes a subset of the total results for the scan in the JSON and summary results output.

You can also view findings and results with the Pipeline Scan API.