Using the Veracode Jenkins Plugin

Veracode can integrate with Jenkins, the open-source continuous integration tool, to seamlessly automate the build, upload, and scan operations.

In addition, the Veracode Jenkins Plugin supports the Jenkins pipeline functionality and provides the capability to bind your Veracode username and password to build environment variables.

Prerequisites

To use the Veracode Jenkins Plugin, you must have Java 7 or later installed. The current Veracode Jenkins Plugin supports Jenkins versions 1.5801 to 2.x.

The Veracode Jenkins Plugin depends on numerous plugins, including the Jenkins Structs plugin and the Jenkins Symbol Annotation plugin, as do most default installations of Jenkins. Newer versions of Jenkins automatically resolve these dependencies at the time of installation. If automatic resolution fails, you must manually install the dependencies.

Although there are additional Veracode Jenkins plugins available from the Jenkins server list of available plugins, Veracode only supports the Veracode-developed plugin available here. To use the Veracode Jenkins Plugin, the Jenkins server must have Internet connectivity.

Before uploading an application, you must package it to include the required debug symbols, as described in the Veracode Compilation Guide. If you have a .NET application, use the Veracode Visual Studio Extension to prepare your application. You can even automate the preparation of a .NET application by precompiling it with MSBuild.

Permissions

To use the Veracode Jenkins Plugin, you must have one of the following types of accounts:
  • A human Veracode account using API ID and key authentication, with the following roles:
    • Creator or Security Lead role to be able to create application profiles, and upload and scan applications
    • Submitter role to create a new scan for an existing application and upload and scan these applications
    • Reviewer role to check scan completion
  • A non-human account with the following API roles:
    • Upload API to create application profiles, create sandboxes, and upload and scan applications
    • Upload API - Submit only to submit scans
    • Results API to check scan completion