Configure a Build Pipeline Using the Azure DevOps and Visual Studio Team Foundation Server

Build and Release Management

Before configuring a build pipeline, you must meet these prerequisites:

If you have an ASP.NET application, see Configure an Azure DevOps Build for ASP.NET Applications.

To configure a build pipeline in Azure DevOps or Visual Studio Team Foundation Server (TFS):
  1. In your Azure DevOps project, select the Tasks tab and navigate to your build definition.
  2. Click Add a task....
  3. Search the list for the Veracode Upload and Scan task and, then, click Add to add it to the build definition.


  4. Select the Veracode Upload and scan task.
    The Veracode Upload and Scan window opens.


  5. In the Veracode Upload and Scan window, provide this information:
    • Connection Details:
      • Select a connection source for connecting to the Veracode Platform:
        • Endpoint: if using an endpoint, select an existing one that uses your Veracode API ID and key or click New to create one. For a new endpoint, in the New service connection window, by default, the Server URL is populated with the Veracode Platform address. Enter your Veracode API ID and key, a name for the service connection and, then, click Save. The new endpoint is selected in the Select Endpoint dropdown menu.


        • Credentials: enter your Veracode API ID and key.
    • Veracode Scan Settings: enter the name of the associated application profile, a unique scan name, and the filepath to the folder containing the application binaries (artifacts) to upload to the Veracode Platform. You can also upload artifacts as ZIP archives. To upload multiple artifacts together:
      1. Add the artifacts to one or more ZIP archives.
      2. Ensure the ZIP archives are in the same upload filepath location.
      3. Prepare the ZIP archives for uploading to Veracode using a separate build step, or build steps, in your pipeline.
      For a .NET application, create separate ZIP archives of each bin folder or precompiled bin folder. Add any associated JavaScript files to a separate ZIP archive according to the packaging instructions in the Compilation Guide.


      If your application does not yet have a profile in the Veracode Platform, select the Create Application Profile checkbox in the Advanced Scan Settings section and Veracode creates one for you.

      Note: Application names in Azure DevOps are case-sensitive.
    • Advanced Scan Settings:
      • If you are using a developer sandbox, enter a sandbox name or click Create Sandbox to create one.
      • In the Optional Arguments field, enter any optional parameters to apply to the Upload and Scan action. For example:

        -include mymodule1.jar,mymodule2.jar,*.js -createsandbox true -sandboxname mysandbox

        The Optional Arguments field supports all parameters for the uploadandscan API.

        For information on hiding a proxy password during the Upload and Scan action, see Hide a Proxy Password.

        Note: Do not enclose any of the values for optional parameters in single or double quotations.
        To specify which modules to include or exclude in the scan, you can use the include or exclude parameters. You enter a comma-separated list of the module name patterns that represent the names of the appropriate modules.
        Note: If you are using the extension in a TFS installation behind a firewall and you require a proxy to reach the public internet, you can add the following parameters to configure the proxy settings: -phost, -pport, -puser, and -ppassword.

        If necessary, select the Create Application Profile checkbox to create the application in the Veracode Platform. You can select the Fail build if Upload and Scan build step fails checkbox to prevent the build from continuing if the Upload and Scan build step fails.

      • Enter a check status interval in seconds. The default is 60 seconds.


    • Veracode Scan Results: select the Import Results upon Scan Completion checkbox to import the scan results. You can select the option under it to stop the build if the scan results indicate that the application has failed your security policy.
      Selecting either of these options reserves an assigned build agent to wait until the scan has completed successfully and the scan results are available. If neither option is selected, the build agent uploads the binaries to Veracode and continues to the next build task in the task list.


  6. If you want to use the Veracode Azure DevOps flaw import feature in your build definition, configure the additional related build variables.
After the scan is complete, in your build definition, you can select the Veracode Scan Summary tab to view the scan results.


Note: For Azure DevOps and TFS 2018 Update 2, if you do not include the Veracode Upload and Scan task in your build definition, you do not see the Veracode Scan Summary tab in the build summary. For earlier versions of TFS, the Veracode Scan Summary tab shows a status message explaining why there are no results.