About this task
- In your Azure DevOps project, go to the Build tab and navigate to your build definition.
Select Add build step....
- Find the Veracode Upload and Scan build step in the list and click Add.
In the Upload and Scan window on the right, provide the following information:
- Connection details: Choose to connect to Veracode using an endpoint or
your Veracode credentials.
If connecting using an endpoint, you can use an existing endpoint name or create a new endpoint. Veracode recommends you use an endpoint with your Veracode API ID and key. However, for backwards compatibility, you should continue to use credentials to maintain previous configurations that use the username and password combination.
- Veracode Scan Settings: Enter the application name, a unique scan name,
and filepath of the artifact that you want to upload to the Veracode Platform. If your application does not yet have a
profile in the Veracode Platform, select the Create
Application Profile checkbox in the Advanced Scan
Settings section and Veracode creates one for you.Note: Application names in Azure DevOps are case-sensitive.
- Advanced Scan Settings:
- If applicable, enter a sandbox name if you are using a developer sandbox or click Create Sandbox to create one.
- In the Optional Arguments field, enter any optional
parameters that you want to apply to the Upload and
Scan action. For example:
-include mymodule1.jar,mymodule2.jar,*.js -createsandbox true -sandboxname mysandbox
The Optional Arguments field supports all parameters for the uploadandscan API.
For information on hiding a proxy password during the Upload and Scan action, see Hide a Proxy Password.Note: Do not enclose any of the values for optional parameters in single or double quotations.To identify specific modules to include or exclude in the scan, use the include or exclude parameters with a comma-separated list of the module name patterns that represent the names of the appropriate modules.Note: If you are using the extension in a TFS installation behind a firewall and you require a proxy to reach the public internet, configure the proxy settings by adding the following optional parameters: -phost, -pport, -puser, and -ppassword.
If necessary, select the Create Application Profile checkbox to create the application in the Veracode Platform.
- Enter a check status interval in seconds. The default check
status is 60 seconds.
- Veracode Scan Results: Select the respective checkbox if you want to
import the scan results. If you select that option, you can then opt to
stop the build if the application fails your security policy
requirements. Selecting either of these options reserves an assigned build agent for this scan to wait until the scan results are complete and available. If you select neither option, the build agent is available to perform other tasks after the binaries are uploaded to Veracode.Note: If you initiate a build with neither Veracode Scan Results option selected while a scan is running in the Veracode Platform, the build skips the Upload and Scan task. The build then completes without performing a scan.
- Connection details: Choose to connect to Veracode using an endpoint or your Veracode credentials.
- If you want to use the Veracode Azure DevOps flaw import feature in your build definition, configure the additional related build variables.