Greenlight CI Tool Usage Examples

Veracode Greenlight

The following are examples of how to use the Veracode Greenlight CI tool. If you want to use these examples in your own pipeline, save the JAR file that is in the installation ZIP file (https://downloads.veracode.com/securityscan/gl-scanner-java-LATEST.zip) to your repository. Add a pipeline job after a build job that runs the JAR file using java -jar and passes the relevant parameters. If the scan reports any findings, excluding those under the per-severity thresholds specified by the --issue_counts option, the job returns a status code >=1. This code is the number of findings (up to 200) that fail the pipeline job.

GitLab/Gradle Example

Use the following snippet in GitLab CI to perform a self-test; set the $VERACODE_API_* variables in the project's CI/CD settings.

GitLab does not include previous build information in the environment; however, it does allow programmatic (REST) access to query previous pipelines for a great deal of information, including all jobs. The tool can query the GitLab API to find the commit associated with the last successful run of a given job. In the Greenlight pipeline for the CI tool itself, you pass the ${CI_JOB_NAME} variable to the --previous_job_name option to find the last successful Greenlight scan. This option requires that you pass a GitLab personal access token to the --gitlab_api_token option to access the GitLab API.

image: docker-image-with-jdk8-gradle-curl-unzip

stages:
  - build
  - greenlight

build_job:
  stage: build
  script:
    - gradle clean build
  artifacts:
    name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_build
    paths:
      - build/
    expire_in: 1 week

greenlight_job:
  stage: greenlight
  dependencies:
    - build_job
  artifacts:
    name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_greenlight-results
    paths:
      - results.json
    expire_in: 1 week
    when: always
  script:
    - curl -O https://downloads.veracode.com/securityscan/gl-scanner-java-LATEST.zip
    - unzip gl-scanner-java-LATEST.zip gl-scanner-java.jar
    - java -jar gl-scanner-java.jar
      --api_id "${VERACODE_API_ID}"
      --api_secret_key "${VERACODE_API_SECRET}"
      --source_dir "src/main/java"
      --build_dir "build/classes/java/main"
      --project_name "${CI_PROJECT_NAME}"
      --project_url "${CI_PROJECT_URL}"
      --project_ref "${CI_COMMIT_REF_NAME}"
      --previous_job_name "${CI_JOB_NAME}"
      --gitlab_api_token "${PRIVATE_TOKEN}"

GitLab/Maven Example

The following is a snippet you can use in a GitLab pipeline job for a Maven project. The Veracode Greenlight stage runs after the build stage.

GitLab does not include previous build information in the environment; however, it does allow programmatic (REST) access to query previous pipelines for a great deal of information, including all jobs. The tool knows how to query the GitLab API to find the commit associated with the last successful run of a given job. In the Greenlight pipeline for the CI tool itself, you pass the ${CI_JOB_NAME} variable to the --previous_job_name option to find the last successful Greenlight scan. This option requires that you pass a GitLab personal access token to the --gitlab_api_token option to access the GitLab API.

image: docker-image-with-jdk8-maven-curl-unzip

stages:
  - build
  - greenlight

build_job:
  stage: build
  script:
    - mvn clean verify
  artifacts:
    name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_build
    paths:
      - target/
    expire_in: 1 week

greenlight_job:
  stage: greenlight
  dependencies:
    - build_job
  artifacts:
    name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_greenlight-results
    paths:
      - results.json
    expire_in: 1 week
    when: always
  script:
    - curl -O https://downloads.veracode.com/securityscan/gl-scanner-java-LATEST.zip
    - unzip gl-scanner-java-LATEST.zip gl-scanner-java.jar
    - java -jar gl-scanner-java.jar
      --api_id "${VERACODE_API_ID}"
      --api_secret_key "${VERACODE_API_SECRET}"
      --source_dir "src/main/java"
      --build_dir "target/classes"
      --project_name "${CI_PROJECT_NAME}"
      --project_url "${CI_PROJECT_URL}"
      --project_ref "${CI_COMMIT_REF_NAME}"
      --previous_job_name "${CI_JOB_NAME}"
      --gitlab_api_token "${PRIVATE_TOKEN}"
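The lookup that --previous_job_name performs inside the tool (newest successful run of a named job, then its commit) can also be done by the pipeline itself and handed to --previous_commit_hash. The script below is an added example, not part of the Greenlight tool or of these Veracode examples; it assumes GitLab's predefined CI_API_V4_URL, CI_PROJECT_ID and CI_JOB_NAME variables, a personal access token in PRIVATE_TOKEN (the variable used above), and reads only the first page of successful jobs. The optional ref filter goes beyond the tool's name-only lookup.

```python
"""Added example (not Greenlight's own code): find the commit of the last
successful run of a named GitLab job, to pass as --previous_commit_hash."""
import json
import os
import sys
import urllib.request

# Constructed sample of a GitLab GET /projects/:id/jobs response (trimmed).
SAMPLE_JOBS = [
    {"id": 901, "name": "greenlight_job", "status": "success", "ref": "main",
     "finished_at": "2024-05-01T09:00:00.000Z",
     "commit": {"id": "1111111111111111111111111111111111111111"}},
    {"id": 902, "name": "greenlight_job", "status": "failed", "ref": "main",
     "finished_at": "2024-05-02T09:00:00.000Z",
     "commit": {"id": "2222222222222222222222222222222222222222"}},
    {"id": 903, "name": "greenlight_job", "status": "success", "ref": "release",
     "finished_at": "2024-05-01T12:00:00.000Z",
     "commit": {"id": "3333333333333333333333333333333333333333"}},
    {"id": 904, "name": "build_job", "status": "success", "ref": "main",
     "finished_at": "2024-05-02T10:00:00.000Z",
     "commit": {"id": "4444444444444444444444444444444444444444"}},
]

def previous_successful_commit(jobs, job_name, ref=None):
    """Commit id of the newest finished, successful job named job_name;
    ref optionally restricts it to one branch. None if there is no such job."""
    candidates = [
        j for j in jobs
        if j.get("name") == job_name and j.get("status") == "success"
        and j.get("finished_at") and (ref is None or j.get("ref") == ref)
    ]
    if not candidates:
        return None
    # ISO 8601 timestamps in one fixed format order correctly as strings.
    newest = max(candidates, key=lambda j: (j["finished_at"], j["id"]))
    return newest["commit"]["id"]

def fetch_successful_jobs(api_url, project_id, token, per_page=100):
    """GET /projects/:id/jobs?scope[]=success (first page only; paginate if needed)."""
    url = f"{api_url}/projects/{project_id}/jobs?scope[]=success&per_page={per_page}"
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    return json.load(urllib.request.urlopen(req, timeout=30))

if __name__ == "__main__":
    jobs = fetch_successful_jobs(os.environ["CI_API_V4_URL"],
                                 os.environ["CI_PROJECT_ID"], os.environ["PRIVATE_TOKEN"])
    commit = previous_successful_commit(jobs, os.environ["CI_JOB_NAME"])
    if commit is None:
        sys.exit("no previous successful run; omit --previous_commit_hash")
    print(commit)  # capture this and pass it as --previous_commit_hash
```

Run it as a script step before the java -jar call and feed its output to --previous_commit_hash; a failed or still-running job is never selected, so a broken earlier scan does not become the baseline.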

Jenkins/Gradle Example

The following is a snippet you can use in a Jenkins pipeline job for a Gradle project. The Veracode Greenlight stage runs after the build stage.

Jenkins records the last commit that built successfully (`${env.GIT_PREVIOUS_SUCCESSFUL_COMMIT}`), and you can pass that directly to the Greenlight CI tool using the --previous_commit_hash option. Any CI system that records the commit of a previous successful build or pipeline can use this option. You can also use this option in GitLab if you prefer to find the previous commit yourself instead of letting the tool find it.

pipeline {
  // Placeholder label: any agent that provides JDK 8, Gradle, curl and unzip.
  agent { label 'jdk8-gradle-curl-unzip' }
  stages {
    stage('Gradle Build') {
      steps {
        sh 'gradle clean build'
      }
    }
    stage('Greenlight Scan') {
      steps {
        sh 'curl -O https://downloads.veracode.com/securityscan/gl-scanner-java-LATEST.zip'
        sh 'unzip gl-scanner-java-LATEST.zip gl-scanner-java.jar'
        // The API credentials are expanded by the shell (\$), not by Groovy,
        // so their values are never interpolated into the pipeline script.
        sh """java -jar gl-scanner-java.jar \\
          --api_id "\$VERACODE_API_ID" \\
          --api_secret_key "\$VERACODE_API_SECRET" \\
          --source_dir "src/main/java" \\
          --build_dir "build/classes/java/main" \\
          --project_name "${env.JOB_NAME}" \\
          --project_url "${env.JOB_URL}" \\
          --project_ref "${env.GIT_BRANCH}" \\
          --previous_commit_hash "${env.GIT_PREVIOUS_SUCCESSFUL_COMMIT}"
        """
      }
    }
  }
  post {
    always {
      // results.json is archived even when the scan fails the build.
      archiveArtifacts artifacts: 'results.json', fingerprint: true
    }
  }
}

Jenkins/Maven Example

The following is a snippet you can use in a Jenkins pipeline job for a Maven project. The Veracode Greenlight stage runs after the build stage.

Jenkins records the last commit that built successfully (`${env.GIT_PREVIOUS_SUCCESSFUL_COMMIT}`), and you can pass that directly to the Greenlight CI tool using the --previous_commit_hash option. Any CI system that records the commit of a previous successful build or pipeline can use this option. You can also use this option in GitLab if you prefer to find the previous commit yourself instead of letting the tool find it.

pipeline {
  // Placeholder label: any agent that provides JDK 8, Maven, curl and unzip.
  agent { label 'jdk8-maven-curl-unzip' }
  stages {
    stage('Maven Build') {
      steps {
        sh 'mvn clean verify'
      }
    }
    stage('Greenlight Scan') {
      steps {
        sh 'curl -O https://downloads.veracode.com/securityscan/gl-scanner-java-LATEST.zip'
        sh 'unzip gl-scanner-java-LATEST.zip gl-scanner-java.jar'
        // The API credentials are expanded by the shell (\$), not by Groovy,
        // so their values are never interpolated into the pipeline script.
        sh """java -jar gl-scanner-java.jar \\
          --api_id "\$VERACODE_API_ID" \\
          --api_secret_key "\$VERACODE_API_SECRET" \\
          --source_dir "src/main/java" \\
          --build_dir "target/classes" \\
          --project_name "${env.JOB_NAME}" \\
          --project_url "${env.JOB_URL}" \\
          --project_ref "${env.GIT_BRANCH}" \\
          --previous_commit_hash "${env.GIT_PREVIOUS_SUCCESSFUL_COMMIT}"
        """
      }
    }
  }
  post {
    always {
      // results.json is archived even when the scan fails the build.
      archiveArtifacts artifacts: 'results.json', fingerprint: true
    }
  }
}