Using Dynamic Vulnerability Rescan with Jenkins


You can use the Veracode Jenkins Plugin to start DynamicDS scans of your application as a post-build action.

The post-build action of creating and starting DynamicDS scans is possible in freestyle or pipeline builds and supports vulnerability rescans.

Configure Veracode Jenkins Settings

To use the Veracode Jenkins Plugin to perform a DynamicDS scan of your application, you must configure additional settings.

To configure settings to use DynamicDS vulnerability rescan:
  1. Go to Manage Jenkins > Configure System.
  2. Scroll down to the Veracode Jenkins Plugin section.

  3. Enter your Veracode API ID and key.
  4. Select the checkbox in the Fail Build field to force Jenkins to fail the entire build job if the Dynamic Rescan with Veracode action fails. This feature saves you time and enables you to troubleshoot errors more easily.
  5. In the Default Values section, you can configure Jenkins server environment-type variables that apply globally to all Jenkins jobs. These variables include:
    • $projectname, which uses the Jenkins project name as the Veracode application name. You can override this value in the Veracode options section of an individual Jenkins project's settings page.
    • $buildnumber, which uses the Jenkins build number as the default Veracode scan name.
  6. Select Run in Debug to collect detailed information about Veracode scans. This data is written to the console log of each individual Jenkins project. Because the debug output includes the supplied credentials, enable it only while troubleshooting and only where access to the console logs is restricted.

  7. If your Jenkins server reaches the Veracode Platform through a proxy, select the Connect using proxy option and provide the host, port, username, and password settings for global use in Jenkins.

Configure a Jenkins Job for Dynamic Vulnerability Rescan

To add a post-build action to start a Veracode DynamicDS scan:
  1. In your project, go to the Post-build Actions section.
  2. From the Add post-build action dropdown menu, select Dynamic Rescan with Veracode.
  3. In the popup, in the Application Name field, enter the name of an application that already exists in the Veracode Platform that you want Veracode to scan, or enter $projectname to use the name of the Jenkins project as the application name.
  4. Select the Vulnerability-only Rescan option if you want to be able to rescan only the vulnerabilities found in a previous full DynamicDS scan.
  5. Click Apply and Save.

Configure a Jenkins Pipeline Job for Dynamic Vulnerability Rescan

Veracode recommends using a snippet generator to create code snippets for routinely repeated steps in your build/test/deploy pipeline.

To configure a Jenkins pipeline job for DynamicDS vulnerability rescans:
  1. In your project, select Snippet Generator in the sidebar.
  2. From the dropdown menu in the Sample Step field, select withCredentials: Bind credentials to variables.
  3. Under Bindings, click Add, and select Username and password (separated).
  4. Enter your Veracode username and password. Alternatively, you can enter your Veracode API ID in the Username field and your Veracode API key in the password field.
  5. Optionally, if you have already stored your Veracode credentials in Jenkins, you can select them from the menu in the Credentials field.
  6. Click Generate Groovy.
  7. Copy this Groovy code into your pipeline and save it.

  8. Go back to the Snippet Generator, and from the menu in the Sample Step field, select veracode: Dynamic Rescan with Veracode Pipeline.
  9. In the Application Name field, enter the name of the application you want Veracode to scan.
  10. In the Credentials Type dropdown menu, select the type of credentials you want to use.
  11. Depending on which type of credentials you have chosen to use, enter your Veracode username and password or API ID and key.
  12. Select the Fail Build checkbox if you want the entire Jenkins job to fail if the Dynamic Rescan with Veracode action fails. If you do not select this option, the job completes and you receive no notification that the action failed.
  13. Select the Debug checkbox if you want to display additional information in the console output window, including the supplied credentials. Leave it cleared except when troubleshooting, because anyone who can read the console output can then read the credentials.
  14. Select Connect using proxy, if applicable, and enter the host, port, and username and password.
  15. Click Generate Pipeline Script.
  16. Copy the script and insert it into your pipeline.

You can use the $projectname and $buildnumber variables to bind the Jenkins project name to the application name and the build number to the scan name dynamically. When you generate the script, enter these variables in the corresponding fields so that they appear in the generated script instead of fixed values.
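The following Jenkinsfile shows how the two generated snippets from the procedure above fit together in a declarative pipeline. It is an added example, not code from the Veracode documentation or plugin, and it assumes a Jenkins Username-with-password credential with the ID veracode-api-creds whose username is the Veracode API ID and whose password is the API key. The step name veracodeDynamicRescan and the parameter names applicationName, dvrEnabled, canFailJob, debug, vid and vkey are assumed to match what the plugin's Snippet Generator emits; compare them against your own generated snippet and adjust if they differ.

```groovy
// Jenkinsfile (declarative). Added example, not from the Veracode docs or plugin.
// Assumed: credential id 'veracode-api-creds' (username = API ID, password = API key)
// and the step/parameter names below as emitted by the plugin's Snippet Generator.
pipeline {
    agent any

    stages {
        stage('Build') {
            steps {
                sh './build.sh'   // placeholder for the project's normal build command
            }
        }
    }

    post {
        // Pipeline equivalent of the freestyle "Dynamic Rescan with Veracode"
        // post-build action. Runs only after a successful build so that a
        // broken build never triggers a scan.
        success {
            // withCredentials keeps the API key in the Jenkins credential store
            // (not as a literal in this file) and masks it in the console output.
            // Typing the ID and key into the Snippet Generator instead would
            // bake them into the generated script as plain text.
            withCredentials([usernamePassword(
                credentialsId: 'veracode-api-creds',
                usernameVariable: 'VERACODE_API_ID',
                passwordVariable: 'VERACODE_API_KEY')]) {

                veracodeDynamicRescan(
                    // $projectname is the plugin's own variable: single quotes so
                    // Groovy passes it through unexpanded for the plugin to resolve.
                    applicationName: '$projectname',
                    dvrEnabled: true,    // Vulnerability-only Rescan of the last full scan
                    canFailJob: true,    // Fail Build: make a failed rescan visible
                    debug: false,        // debug output would echo the supplied credentials
                    vid: env.VERACODE_API_ID,
                    vkey: env.VERACODE_API_KEY
                )
            }
        }
    }
}
```

Keep debug: false in committed pipelines: with it enabled, the plugin writes the credentials to the console log, where anyone with read access to the job can see them. If you later change the credential, only the Jenkins credential entry needs updating, not the Jenkinsfile in source control.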