Securing Veracode Credentials in Jenkins


You can use the Credentials Binding plugin to bind your Veracode credentials to environment variables. When you bind credentials, Jenkins reads them from its credentials store at runtime, so they never have to appear in the pipeline script. For added security, the Jenkins interface and logs display the environment variables instead of the actual credentials to which they are bound.

When binding your Veracode API account credentials, you can use the ID and key instead of using a separate Veracode Platform API account to access the APIs. See Generating API ID and Key Credentials and Configure a Jenkins Job for Veracode Analysis.

To secure your Veracode credentials in Jenkins:
  1. Go to the following website to download the latest Credentials Binding plugin:
  2. Follow the Jenkins documentation to install the plugin.
  3. In Jenkins, go to your pipeline project.
  4. Click Pipeline Syntax to go to the Snippet Generator.
  5. From the Sample Step dropdown menu, select withCredentials: Bind credentials to variables.
  6. In the Bindings section, select Add > Username and password (separated).
  7. In the Username Variable and Password Variable fields, enter your Veracode API user ID and key. Your credentials bind to these fields at runtime.

    Pipeline step for binding Veracode credentials in Jenkins.
  8. Click Add.
  9. In the Add Credentials popup, in the Username and Password fields, enter your Veracode API user ID and key.
    Note: When creating credentials, you can use an API ID as a name, for example, VID, which you can reference in a pipeline script.
  10. Click Add to add the credentials to the Jenkins credentials store.

Your Veracode credentials are now available in the dropdown menu in the Credentials section. In the following example, the key name in the pipeline script is VID.
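
The pipeline script itself is not reproduced on this page. The Jenkinsfile below is an added example, not Veracode's own script. It assumes a "Username with password" credential stored under the ID VID and the `veracode` step from the Veracode Jenkins plugin; the application name, artifact path, variable names and the minimal parameter set are hypothetical.

```groovy
// Added example (not Veracode's script). Assumptions: a "Username with password"
// credential with ID 'VID' exists in the Jenkins credentials store, and the
// Veracode Jenkins plugin provides the `veracode` step. The application name,
// artifact path and variable names are hypothetical.
pipeline {
    agent any
    stages {
        stage('Veracode scan') {
            steps {
                withCredentials([usernamePassword(
                        credentialsId: 'VID',                  // ID given in the Add Credentials popup
                        usernameVariable: 'VERACODE_API_ID',   // receives the API ID
                        passwordVariable: 'VERACODE_API_KEY'   // receives the API key
                )]) {
                    // Shell steps: keep the Groovy string single-quoted so the shell,
                    // not Groovy, expands the variables. A double-quoted
                    // "${VERACODE_API_KEY}" is interpolated before the step runs
                    // and can expose the secret on the command line.
                    sh 'test -n "$VERACODE_API_ID" && test -n "$VERACODE_API_KEY"'

                    // The bound variables exist only inside this block.
                    veracode applicationName: 'example-app',
                             criticality: 'High',
                             scanName: "${env.BUILD_TAG}",
                             uploadIncludesPattern: 'target/*.war',
                             vid: env.VERACODE_API_ID,
                             vkey: env.VERACODE_API_KEY
                }
            }
        }
    }
}
```

Keep the Veracode step inside the `withCredentials` block; outside it the two variables are unset, and nothing in the script should copy them into a variable that outlives the block.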