Configure Jenkins Pipeline Job for Veracode Scans

Before you begin

Before you can configure a Jenkins pipeline script, configure the Jenkins credentials as described in Configure Jenkins Credentials To Use with Pipeline Job for Veracode Scans.

About this task

To configure a Jenkins pipeline job:

Procedure

  1. Select Pipeline Syntax to display the Snippet Generator page.
  2. Select veracode: Upload and Scan with Veracode Pipeline from the Sample Step dropdown menu.
  3. In the Application Name field, enter the name of the application you want Veracode to scan.
    Note: Do not include quotation marks in the Application Name field.
  4. If this application does not already exist in the Veracode Platform but is a new application you want Jenkins to create, select the Create Application checkbox.
  5. From the Business Criticality dropdown menu, select the level of criticality of this application.
    If you want to run the scan in a sandbox, enter a name in the Sandbox Name field.
  6. Select the Create Sandbox checkbox if the sandbox does not already exist in the Veracode Platform but is a new sandbox you want Jenkins to create.
  7. In the Scan Name field, enter a name for the static scan you want to submit to the Veracode Platform for this application.
  8. In the Upload field, you can include and exclude filepath patterns of the files you want to upload and scan.
    Use a comma-separated list of Ant-style include patterns relative to the job workspace project name. The project name is the one you entered in the Project name field.
  9. In the Scan field, you can include and exclude filename patterns of the uploaded files you want to scan as top-level modules. Use a comma-separated list of Ant-style include patterns containing only the filenames of the files you have uploaded, not their filepaths.
  10. Optionally, you can rename the files you are uploading by entering the filename pattern of the uploaded files that you want to rename in the Save As fields.
    You must also enter the replacement filename pattern that represents the groups captured by the filename pattern.
  11. Select the Wait for scan to complete checkbox if you want the Jenkins job to wait for the Veracode scan to complete.
  12. Enter the maximum time in minutes that you want the Jenkins job to wait before skipping the Upload and Scan with Veracode action. Allow at least enough time for a typical scan of your application to complete. A Veracode policy scan fails, regardless of whether it completes or not, if it does not meet the requirements of the associated policy.
    Note: If you select the Wait for scan to complete checkbox and do not provide a value in the Timeout (in minutes) field, the timeout period is set to 60 minutes.
  13. In the Credentials Type dropdown menu, select the type of credentials you want to use.
  14. Enter the variable names for your Veracode credentials that were specified in Configure Jenkins Credentials To Use with Pipeline Job for Veracode Scans.
  15. If you want the entire Jenkins job to fail if the Upload and Scan with Veracode action fails, select the Fail Build checkbox.
    Note: If you do not select this option, you do not receive any notification if the action fails but the job completes.
  16. For the Copy Output Remote Files to Master checkbox:
    • Do not select this checkbox if you want to build and upload code to Veracode from a remote machine (node).

      If you do not copy the files to master, the Veracode Java wrapper libraries (JAR files) are copied to the veracode-jenkins-plugin directory under the remote root directory defined for that node.

      The Java wrapper CLI executes from the remote machine to upload and scan the output code generated by a build.

    • Only select this checkbox (not recommended) if you are building on a remote machine and want to copy the output files from that remote machine to master before uploading them to Veracode.
  17. If you want to display additional information in the console output window, including the supplied credentials (which then appear in the build's console log), select the Debug checkbox.
  18. Select Connect using proxy, if applicable, and enter the host, port, username, and password.
  19. Click Generate Pipeline Script.
  20. In the generated Groovy code, remove the quotation marks surrounding the vid and vkey values if you use a username and password as your Veracode credentials.
  21. Copy the Groovy code and insert it into your pipeline. Place it inside the withCredentials step so you can access the environment variables for your credentials with env.VARIABLE_NAME.
    You can use environment variables to dynamically bind the Jenkins project name to the application name and the build number to the scan name. When you generate the script, enter the variables into the script.

    The following example shows a completed pipeline script:

    ```groovy
    node {
        stage('Veracode Upload and Scan') {
            // Bind the stored Veracode API ID and key to variables scoped to this block only
            withCredentials([usernamePassword(credentialsId: 'veracode-credentials',
                    usernameVariable: 'veracode_id', passwordVariable: 'veracode_key')]) {
                veracode applicationName: 'Jenkins Nightly Pipeline', canFailJob: true,
                    criticality: 'VeryHigh', debug: true, fileNamePattern: '', replacementPattern: '',
                    sandboxName: '', scanExcludesPattern: '', scanIncludesPattern: '',
                    scanName: '$buildnumber', teams: '', timeout: 60, uploadExcludesPattern: '',
                    uploadIncludesPattern: '*/*.jar', useIDkey: true,
                    // Unquoted: these reference the bound variables, not literal strings (step 20)
                    vid: veracode_id, vkey: veracode_key, vpassword: '', vuser: ''
            }
        }
    }
    ```
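As an added example (not from the original page or the plugin's own documentation), the following declarative Jenkinsfile applies step 21's advice by binding the Jenkins project name and build number into the Veracode step, keeps Debug off so the credentials never reach the console log, and fails the build on a policy failure. It assumes a Username with password credential with ID veracode-api holding the API ID and key, a Maven build that leaves JAR files under target/, and that the createProfile, createSandbox and waitForScan parameters correspond to the Create Application, Create Sandbox and Wait for scan to complete checkboxes of the Snippet Generator.

```groovy
// Added example, not from the original page. Credential ID 'veracode-api' and the
// Maven build are assumptions; the per-branch sandbox naming is a constructed convention.
pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                sh 'mvn -B -DskipTests package'   // produces target/*.jar for upload
            }
        }
        stage('Veracode Upload and Scan') {
            steps {
                // API ID/key are only exposed as env vars inside this block and are masked in the log
                withCredentials([usernamePassword(credentialsId: 'veracode-api',
                        usernameVariable: 'VERACODE_ID', passwordVariable: 'VERACODE_KEY')]) {
                    veracode applicationName: env.JOB_NAME,            // one Veracode app per Jenkins project
                             createProfile: false,                      // do not create apps from CI by accident
                             criticality: 'High',
                             sandboxName: env.BRANCH_NAME ?: 'main',    // one sandbox per branch (null outside multibranch)
                             createSandbox: true,
                             scanName: "build-${env.BUILD_NUMBER}",    // double quotes so Groovy interpolates
                             uploadIncludesPattern: 'target/*.jar',
                             uploadExcludesPattern: 'target/*-sources.jar',
                             scanIncludesPattern: '',
                             scanExcludesPattern: '',
                             useIDkey: true,
                             vid: env.VERACODE_ID,                     // unquoted references, as step 20 requires
                             vkey: env.VERACODE_KEY,
                             waitForScan: true,
                             timeout: 60,                              // minutes; matches the default in step 12
                             canFailJob: true,                         // policy failure fails the job (step 15)
                             debug: false                              // debug would print the credentials (step 17)
                }
            }
        }
    }
}
```

Because applicationName is taken from env.JOB_NAME, the Veracode application must be named exactly like the Jenkins project, or createProfile must be enabled for the first run.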