Run a Pipeline Scan


You can run a Pipeline Scan by adding a job to your CI/CD pipeline to execute the necessary commands.

Before you can run a Pipeline Scan, ensure that you meet these prerequisites:

User Requirements
  • An active Veracode Static Analysis license
  • These roles:
    • For a user account, one of these user roles:
      • Security Lead
      • Creator
      • Submitter
    • For an API service account, one of these roles:
      • Upload API - Submit Only
      • Upload and Scan API
  • You have generated Veracode API credentials. Pipeline scans can use a standalone Veracode API credentials file. If the credentials file does not exist, you must use the VERACODE_API_ID and VERACODE_API_KEY parameters to specify authentication credentials.
System Requirements
  • You must have installed Java 8 or later.
Proxy Settings
If you are using an authenticated HTTPS proxy with the Pipeline Scan, pass the proxy settings as JVM system properties on the java command line, replacing the placeholders in angle brackets with your proxy host, port, user, and password:
java -Dhttps.proxyHost=<myproxy> -Dhttps.proxyPort=<myport> -Dhttps.proxyUser=<myuser> -Dhttps.proxyPassword=<mypass>
Scan Limit
Veracode limits the number of scans to six scans per minute per user account.

Veracode also offers an API to interact with the Pipeline Scan.

To submit files for scanning:

  1. Edit your pipeline script to include the Pipeline Scan commands.
  2. Run the pipeline job.
    The Pipeline Scan reports the result of the scan, including any flaws.

After you submit a CI/CD pipeline job using the Pipeline Scan command-line options, the status code returned depends on the results of the scan. You can configure your CI/CD pipeline to pass or fail the stage based on these status codes.

When the Pipeline Scan is complete, it returns one of these status codes:

Status Code   Description
0             The Pipeline Scan did not find any flaws.
1 to 200      If the Pipeline Scan finds flaws, it returns a status code equal to the number of flaws found (up to 200).
-1            The scan failed because of network errors, invalid Veracode API credentials, or other problems.
-3            The scan did not complete within the time specified using the --timeout option.
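The following job step is an added example, not Veracode's own code: it runs the Pipeline Scan and turns the status codes above into a pass/fail decision for the stage. It assumes the scanner is started with "java -jar pipeline-scan.jar" (jar name assumed), that credentials come from the VERACODE_API_ID and VERACODE_API_KEY environment variables, and that --file and --timeout are accepted; note that the JVM's negative codes reach the shell modulo 256 (-1 becomes 255, -3 becomes 253).

```shell
#!/bin/sh
# Added example (not Veracode's code). Assumed invocation: java -jar pipeline-scan.jar.
# Wrapper around the real command so a dry run can substitute a stub.
scan_command() {
  java -jar pipeline-scan.jar --file "$1" --timeout "${SCAN_TIMEOUT:-60}"
}

# Map the shell's exit status to the documented Pipeline Scan status codes.
# Negative JVM exit codes are seen modulo 256: -1 -> 255, -3 -> 253.
classify_scan_status() {
  case "$1" in
    0)   echo "clean" ;;
    255) echo "error" ;;      # -1: network error, bad credentials, other failure
    253) echo "timeout" ;;    # -3: scan exceeded --timeout
    *)   if [ "$1" -ge 1 ] && [ "$1" -le 200 ]; then
           echo "flaws:$1"    # 1..200: number of flaws found (capped at 200)
         else
           echo "unknown:$1"
         fi ;;
  esac
}

# Return 0 (pass) only for a clean scan or a flaw count within the budget $2;
# scanner errors, timeouts and unexpected codes always fail the stage.
gate_on_status() {
  result=$(classify_scan_status "$1")
  case "$result" in
    clean)   return 0 ;;
    flaws:*) [ "${result#flaws:}" -le "$2" ] && return 0 ;;
  esac
  return 1
}

# $1 = file to scan, $2 = maximum tolerated flaw count. Prints the verdict;
# the return value is what the CI stage should use to pass or fail.
run_pipeline_scan() {
  if scan_command "$1"; then status=0; else status=$?; fi   # safe under set -e
  verdict=$(classify_scan_status "$status")
  if gate_on_status "$status" "$2"; then
    echo "pipeline scan: $verdict (status $status) - stage passes"
    return 0
  fi
  echo "pipeline scan: $verdict (status $status) - stage fails" >&2
  return 1
}

# Job entry point: sh scan.sh <file> [max_flaws]; does nothing when no file is given.
[ $# -eq 0 ] || run_pipeline_scan "$1" "${2:-0}"
```

Results JSON written by the scan stays in the working directory whichever branch is taken, so a later pipeline step can still archive it after a failed gate.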

Initiating a scan using the default settings (application filename and Veracode API credentials) instructs the Pipeline Scan to:

  • Report scanned modules
  • Report flaw counts for any flaws of Very Low severity or higher
  • Display a summary of the results on the console
  • Write results JSON to storage, where it can then be used by the pipeline

If the scan produces very large results output, the scan may truncate the results before sending them to the Pipeline Scan. If the results are truncated, the Pipeline Scan issues a warning message and includes only a subset of the total results for the scan in the JSON and summary results output.