Configure a Jenkins Job for Veracode Analysis


After installing the Veracode Jenkins Plugin, you can configure Jenkins jobs to upload binaries to Veracode for scanning. You continue to use your same build process, adding an additional post-build step for the Veracode parameters.

About this task

To configure a Jenkins job for Veracode scanning:

Procedure

  1. In the Jenkins left menu, click New Item.
  2. In the Enter an Item name input box, enter a name for this new scan that you want to submit to Veracode.
  3. Choose one of the following options:
    • If you want to create a new project using the standard project types provided by Jenkins, select one of the available project types listed.
      Note: The Veracode Jenkins Plugin supports only the Freestyle project and Pipeline options.
    • If you want to create a new project based on an existing project, in the Copy from input box, enter the name of an existing project you want to use as the model when you create the new item.
  4. Click OK.
  5. To expand the Advanced Project Options, click Advanced...
  6. In the Post-build Actions section, click Add post-build action, and from the menu, select Upload and Scan with Veracode.
  7. In the Application Name field, enter the name of the application you want Veracode to scan.
    To use the Jenkins project name as the application name, enter $projectname.
  8. If the application does not already exist in the Veracode Platform but is a new application you want Jenkins to create, select the Create Application checkbox.
    If you select this option, you also have to provide the name of the team that is associated with the application.
  9. From the Business Criticality dropdown menu, select the level of criticality of this application.
  10. In the Sandbox Name field, enter the name of the sandbox in which you want to run the scan as a sandbox scan.
  11. If the sandbox does not already exist in the Veracode Platform but is a new sandbox you want Jenkins to create, select the Create Sandbox checkbox.
  12. In the Scan Name field, enter a name for the static scan you want to submit to the Veracode Platform for this application.
    To use the Jenkins project build number as the scan name, enter $buildnumber. To use the date and time of the Jenkins build job submission as the scan name, enter $timestamp.
  13. In the Upload field, you can include and exclude filepath patterns of the files you want to upload and scan.
    Use a comma-separated list of ant-style include patterns relative to the job workspace; the workspace directory is named after the value you entered in the Project name field. For a description of the ant-style pattern format, see https://ant.apache.org/manual/dirtasks.html.
    Note: Variable names are not accepted in the Upload field.
  14. In the Scan field, you can include and exclude filename patterns of the uploaded files you want to scan as top-level modules.
    Use a comma-separated list of ant-style include patterns with just the filenames of the files you have uploaded, not the filepaths.
    Note: Variable names are not accepted in the Scan field.
  15. You can rename the files you are uploading by entering the filename pattern of the uploaded files that you want to rename and clicking Save As.
    You must also enter the replacement filename pattern that represents the groups captured by the filename pattern.
  16. Select the Wait for scan to complete checkbox if you want the Jenkins job to wait for the Veracode scan to complete.
    Enter the maximum time in minutes that you want the Jenkins job to wait before skipping the Upload and Scan with Veracode action. Allow enough time for a typical scan of your application to complete. A Veracode policy scan fails, regardless of whether it completes or not, if it does not meet the requirements of the associated policy.
  17. If you provided Veracode user credentials on the Manage Jenkins page and want to use them for this project, select the Use global Veracode user credentials checkbox.
  18. In the Veracode Credentials section, enter either a username/password or ID/key combination.
    You can choose the following options:
    • In the username and password or ID and key fields, you can enter the variables to which you bound your credentials ($veracode_username, $veracode_password).
    • If you want to use both username and password and an ID and key, you can add more credentials and bind them to $veracode_id and $veracode_key, and then use these variables as well as the $veracode_username and $veracode_password variables.
  19. Click Apply and Save.
  20. Go to the Jenkins project left menu and click Build Now.
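The following Jenkinsfile is an added example, not part of the Veracode documentation or the plugin's own sources. It expresses the same post-build configuration as the Freestyle steps above (application name from the project name, scan name from the build number, upload and scan patterns, wait-for-scan timeout, and credentials bound to variables) for the Pipeline project type that the note in step 3 says the plugin supports. The parameter names of the `veracode` step are given as I recall them from the plugin's Pipeline syntax and should be confirmed with the Pipeline Syntax snippet generator in your own Jenkins; the credentials ID, sandbox name, Maven build command and file patterns are placeholders.

```groovy
// Added example (not from the Veracode page or the plugin project): a declarative
// Jenkinsfile equivalent of the "Upload and Scan with Veracode" post-build action.
// Plugin parameter names are as recalled and should be verified with the Pipeline
// Syntax snippet generator; credential IDs, patterns and names are placeholders.
pipeline {
    agent any

    stages {
        stage('Build') {
            steps {
                // Assumption: a Maven build that produces target/*.war
                sh 'mvn -B -DskipTests package'
            }
        }
    }

    post {
        success {
            // Bind the API ID/key stored in the Jenkins credentials store to
            // environment variables (steps 17-18). The secret never appears in
            // the Jenkinsfile and Jenkins masks bound values in Console Output.
            withCredentials([usernamePassword(credentialsId: 'veracode-api-creds', // placeholder ID
                                              usernameVariable: 'VERACODE_ID',
                                              passwordVariable: 'VERACODE_KEY')]) {
                veracode applicationName: env.JOB_NAME,          // same effect as $projectname (step 7)
                         createProfile: false,                   // step 8: do not auto-create the app
                         criticality: 'VeryHigh',                // step 9
                         sandboxName: 'jenkins-ci',              // step 10, placeholder name
                         createSandbox: true,                    // step 11
                         scanName: "build-${env.BUILD_NUMBER}",  // same effect as $buildnumber (step 12)
                         uploadIncludesPattern: 'target/*.war',  // step 13: literal ant-style patterns
                         uploadExcludesPattern: 'target/*-sources.jar',
                         scanIncludesPattern: '*.war',           // step 14: filenames only, no paths
                         waitForScan: true,                      // step 16
                         timeout: 60,                            // minutes before the step is skipped
                         vid: VERACODE_ID,
                         vkey: VERACODE_KEY
            }
        }
    }
}
```

Keeping the upload and scan patterns literal mirrors the notes in steps 13 and 14 that variable names are not accepted in those fields, while `withCredentials` keeps the API key out of the job definition and out of the build log. With `waitForScan: true` the job reports the policy result, so a build that does not meet the associated policy fails in Jenkins just as the Freestyle job would.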

What to do next

Click the help symbols in each field if you need additional information. You can monitor the progress of the Veracode job by selecting the build in the Jenkins left panel and then clicking Console Output.