Run a Pipeline Scan in a Pipeline


You can add the Pipeline Scan to a job in your development pipeline. You can use the provided code examples as templates for adding the Pipeline Scan as a stage in a pipeline job and configure the command parameters to achieve the desired scan results.

Before running a Pipeline Scan, ensure you meet the prerequisites.

Note: Veracode strongly recommends that you configure a Pipeline Scan in a test pipeline that is outside of your production pipeline. For example, use a test pipeline on a local workstation or virtual machine (VM) in case you encounter any problems. You can safely resolve any problems in your test pipeline and ensure your configuration provides the expected scan results before moving the configuration to your production pipeline.

If you want to run a Pipeline Scan, try different commands, debug, or review scan results outside of a pipeline, you can Run a Pipeline Scan from the Command Line.

You can also run and manage scans using the Pipeline Scan API.

A Veracode account is rate-limited to six Pipeline Scans per 60 seconds, and each scan has a maximum scan time of 60 minutes.

To run the Pipeline Scan in your development pipeline:

  1. Obtain the Pipeline Scan files.
  2. In your development pipeline, add or edit a job for the Pipeline Scan that runs after the stage for building your application.
  3. Add the job code for your CI/CD system to the Pipeline Scan stage.
    For additional code examples or to ask questions, visit the Veracode Community.
  4. In the Pipeline Scan job, include either the pipeline-scan.jar file you extracted from the Pipeline Scan ZIP archive or the Docker image.

    Veracode recommends that you set the job to download the latest ZIP archive or pull the latest Docker image each time the job runs, to ensure that you are using the latest version of the Pipeline Scan. Alternatively, you can cache the files locally on your CI system and refresh the cache at regular intervals. The code examples include a step for downloading and extracting the latest version of the Pipeline Scan ZIP archive.

  5. Edit the Pipeline Scan job to include the command parameters that meet the security-scanning requirements for your application.
    The example configuration scenarios provide common configurations for specifying fail-build criteria, such as failing the pipeline on specific flaw severities or CWEs.
  6. Run the pipeline to run the Pipeline Scan job.
    The scan results provide a list of discovered flaws, if any, and a status code. If the Pipeline Scan finds any flaws (the command parameters from step 5 determine which flaws count), it returns a status code of 1 or greater, indicating the number of flaws found, and fails the pipeline job. A status code of 0 means the scan found nothing that fails the build.

    The Pipeline Scan saves the scan results to a build artifact, which is a JSON file named results.json. You can rename the JSON file and you can also use it as a baseline file to set a baseline of discovered flaws for the scanned application.

  • If you set a baseline file, store it in version control at the same level as the scanned application. Treat it as security-relevant configuration: any change to it changes which findings the scan suppresses, so it must be versioned to ensure it contains the intended baseline of findings for the given application, changes to it should be reviewed, and, if necessary, you can revert to a previous version of the file.
  • Review the scan results with your team to determine a mitigation plan for addressing the discovered flaws.
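The following job script is an added example and is not Veracode's own code or one of the code examples the page refers to. It implements the six steps above in POSIX sh: fetch the latest Pipeline Scan ZIP on every run, compose the scan command with fail-build criteria (severities and CWEs) and an optional versioned baseline file, run it, and turn the exit status into a job verdict while still leaving results.json behind as an artifact. The download URL, the VERACODE_API_ID and VERACODE_API_KEY environment variables, and the parameter names --file, --fail_on_severity, --fail_on_cwe, --baseline_file and --json_output_file are assumptions from the Pipeline Scan CLI as I know it and are not stated on this page; confirm them against `java -jar pipeline-scan.jar --help` before relying on them.

```shell
#!/bin/sh
# Added example, not Veracode's own code: a POSIX sh job script implementing
# the six steps above (fetch the latest ZIP, run pipeline-scan.jar with
# fail-build criteria and an optional versioned baseline, act on the exit code).
# Assumed, not stated on this page: the download URL, the VERACODE_API_ID /
# VERACODE_API_KEY environment variables, and the parameter names
# --file, --fail_on_severity, --fail_on_cwe, --baseline_file and
# --json_output_file. Confirm them with `java -jar pipeline-scan.jar --help`.
set -eu

PIPELINE_SCAN_ZIP_URL="https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip"

# Steps 1 and 4: fetch the latest ZIP on every run and extract pipeline-scan.jar.
fetch_pipeline_scan() {
    workdir="$1"
    mkdir -p "$workdir"
    curl -fsSL -o "$workdir/pipeline-scan-LATEST.zip" "$PIPELINE_SCAN_ZIP_URL"
    unzip -o -q "$workdir/pipeline-scan-LATEST.zip" -d "$workdir"
}

# Step 5: compose the command, one argument per output line so that values
# containing spaces (e.g. the severity "Very High") survive intact. Pure, so it
# can be inspected without a JAR or credentials.
#   $1 jar path  $2 artifact to scan  $3 severities  $4 CWE list (may be empty)
#   $5 baseline file (optional; used only if it exists in the checkout)
build_scan_cmd() {
    jar="$1"; artifact="$2"; severities="$3"; cwes="$4"; baseline="${5:-}"
    printf '%s\n' java -jar "$jar" --file "$artifact" --fail_on_severity "$severities"
    if [ -n "$cwes" ]; then
        printf '%s\n' --fail_on_cwe "$cwes"
    fi
    if [ -n "$baseline" ] && [ -f "$baseline" ]; then
        printf '%s\n' --baseline_file "$baseline"
    fi
    printf '%s\n' --json_output_file results.json
}

# Step 6: the exit status is 0 when nothing fails the build and >= 1 otherwise
# (the page describes it as the flaw count). Treat any non-zero status as a
# failure; the exact count is only reliable below the 8-bit exit-status limit.
classify_exit_code() {
    case "$1" in
        0) printf 'PASS: no flaws matched the fail-build criteria\n' ;;
        *) printf 'FAIL: %s flaw(s) matched the fail-build criteria, see results.json\n' "$1" ;;
    esac
}

# Run the composed command (newline-separated args on stdin) and propagate
# its status after reporting, so results.json is written before the job fails.
run_scan() {
    : "${VERACODE_API_ID:?export VERACODE_API_ID}" "${VERACODE_API_KEY:?export VERACODE_API_KEY}"
    set --
    while IFS= read -r arg; do set -- "$@" "$arg"; done
    rc=0
    "$@" || rc=$?
    classify_exit_code "$rc"
    return "$rc"
}

main() {
    workdir="${PIPELINE_SCAN_DIR:-.veracode}"
    fetch_pipeline_scan "$workdir"
    # Fail the build on Very High/High severity flaws or on XSS (CWE-79) and
    # SQL injection (CWE-89); ignore findings already recorded in baseline.json.
    build_scan_cmd "$workdir/pipeline-scan.jar" "$1" "Very High, High" "79,89" baseline.json \
        | run_scan
}

# Invoke with the build artifact only when the job sets PIPELINE_SCAN_ARTIFACT,
# so sourcing this file just defines the functions.
if [ -n "${PIPELINE_SCAN_ARTIFACT:-}" ]; then
    main "$PIPELINE_SCAN_ARTIFACT"
fi
```

From the pipeline job, run it as `PIPELINE_SCAN_ARTIFACT=target/app.jar sh veracode-pipeline-scan.sh` after the build stage, with the API credentials supplied from the CI system's secret store rather than the repository. Because the scan fails the job on a non-zero status, configure the CI system to collect results.json as an artifact even when the job fails; otherwise the findings you need to review, or to promote into a baseline file, are lost with the failed job.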