Configure a Build Pipeline Using the Azure DevOps and Visual Studio Team Foundation Server

Build Systems

About this task

To configure a build pipeline in Azure DevOps or Visual Studio Team Foundation Server (TFS):

Procedure

  1. In your Azure DevOps project, go to the Build tab and navigate to your build definition.
  2. Select Add build step....


  3. Find the Veracode Upload and Scan build step in the list and click Add.
  4. In the Upload and Scan window on the right, provide the following information:
    • Connection details: Choose to connect to Veracode using an endpoint or your Veracode credentials.

      If connecting using an endpoint, you can use an existing endpoint name or create a new endpoint. Veracode recommends you use an endpoint with your Veracode API ID and key. However, for backwards compatibility, you should continue to use credentials to maintain previous configurations that use the username and password combination.

    • Veracode Scan Settings: Enter the application name, a unique scan name, and filepath of the artifact that you want to upload to the Veracode Platform. If your application does not yet have a profile in the Veracode Platform, select the Create Application Profile checkbox in the Advanced Scan Settings section and Veracode creates one for you.
      Note: Application names in Azure DevOps are case-sensitive.
    • Advanced Scan Settings:
      • If applicable, enter a sandbox name if you are using a developer sandbox or click Create Sandbox to create one.
      • In the Optional Arguments field, enter any optional parameters that you want to apply to the Upload and Scan action. For example:

        -include mymodule1.jar,mymodule2.jar,*.js -createsandbox true -sandboxname mysandbox

        The Optional Arguments field supports all parameters for the uploadandscan API.

        For information on hiding a proxy password during the Upload and Scan action, see Hide a Proxy Password.

        Note: Do not enclose any of the values for optional parameters in single or double quotations.
        To identify specific modules to include or exclude in the scan, use the include or exclude parameters with a comma-separated list of the module name patterns that represent the names of the appropriate modules.
        Note: If you are using the extension in a TFS installation behind a firewall and you require a proxy to reach the public internet, configure the proxy settings by adding the following optional parameters: -phost, -pport, -puser, and -ppassword.

        If necessary, select the Create Application Profile checkbox to create the application in the Veracode Platform.

      • Enter a check status interval in seconds. The default check status is 60 seconds.

    • Veracode Scan Results: Select the respective checkbox if you want to import the scan results. If you select that option, you can then opt to stop the build if the application fails your security policy requirements.
      Selecting either of these options reserves an assigned build agent for this scan to wait until the scan results are complete and available. If you select neither option, the build agent is available to perform other tasks after the binaries are uploaded to Veracode.
      Note: If you initiate a build with neither Veracode Scan Results option selected while a scan is running in the Veracode Platform, the build skips the Upload and Scan task. The build then completes without performing a scan.


  5. If you want to use the Veracode Azure DevOps flaw import feature in your build definition, configure the additional related build variables.

Results

After the scan completes, the results of your scan are available in the Summary tab of your build definition.

Note: If you do not include the Veracode Upload and Scan task in your build definition, the Veracode summary is hidden from the build summary for Azure DevOps and TFS 2018 Update 2. For earlier versions of TFS, the Veracode summary displays a status message explaining why there are no results.