Submitted URL: https://help.veracode.com/r/c_video_run_a_pipeline_scan
Effective URL: https://docs.veracode.com/r/c_video_run_a_pipeline_scan
Submission: On June 16 via api from CA — Scanned from CA

Table of contents

 * Getting Started with Pipeline Scan
   * Video: Run a Pipeline Scan in Your CI/CD Environment
   * About Pipeline Scan Prerequisites
   * Obtain the Pipeline Scan Files
   * Run a Pipeline Scan from the Command Line
   * Run a Pipeline Scan in a Pipeline
   * Using a Pipeline Scan Baseline File
 * Using Policies with Pipeline Scans
 * Configuring Pipeline Scan Logging
 * Pipeline Scan Command Parameters
 * Pipeline Scan Code Examples
 * Azure DevOps Pipeline Scan Examples
 * GitHub Pipeline Scan Examples
 * GitLab Pipeline Scan Examples
 * Jenkins Pipeline Scan Examples
 * Using Pipeline Scan Configuration Scenarios
 * Pipeline Scan Example Scan Results
 * Pipeline Scan Status Codes

© 2022 VERACODE, All Rights Reserved

GETTING STARTED WITH PIPELINE SCAN

You can use Pipeline Scans to evaluate the security of your application within a
development pipeline.

The Pipeline Scan embeds directly into team development pipelines and provides
fast feedback on flaws introduced in new commits. You can use it to break the
build based on flaw severity and CWE category. You can evaluate the changes in
your results compared to previous scans, enabling you to identify security flaws
present in your application before you release the application into production
environments.

Note: Pipeline Scan does not support flaw mitigations or flaw matching. If you
require these features, you can perform Veracode Static Analysis of your
applications using security policies or development sandboxes.

This example shows an initial Pipeline Scan that creates a baseline file of
known findings followed by additional scans that run iteratively against the
baseline. The iterative scanning approach enables you to gradually identify and
resolve new findings until those new findings no longer appear in the scan
results.

VIDEO: RUN A PIPELINE SCAN IN YOUR CI/CD ENVIRONMENT

Watch the following video to learn how a Pipeline Scan runs directly within a
CI/CD environment. This demo takes place in a GitLab CI/CD environment where the
scan is already configured. You can customize a Pipeline Scan for your unique
development workflow.

Watch this video on YouTube.

Download this video.

ABOUT PIPELINE SCAN PREREQUISITES

Your environment must meet specific prerequisites before you can successfully
upload your packaged application to Veracode and run Pipeline Scans.

 * An active Veracode Static Analysis license.

 * One of these Veracode accounts:
   
   * A user account with these user roles:
     * Creator or Security Lead to create application profiles and upload and
       scan applications.
     * Submitter role to create a new scan for an existing application and
       upload and scan these applications.
   * An API service account with these API roles:
     * Upload and Scan API to create application profiles and upload and scan
       applications.
     * Upload API - Submit Only to submit scans. A Veracode account is limited
       to six Pipeline Scans per 60 seconds and each scan is limited to a
       maximum scan time of 60 minutes.

 * You have generated Veracode API credentials. You can provide your credentials
   to the Pipeline Scan with the command parameters or with a Veracode API
   credentials file.

 * You have installed Java 8 or later.
 * You have access to a development or test pipeline to which you can add the
   Pipeline Scan. If you do not have access to a pipeline, you can try running
   the Pipeline Scan from the command line.
 * The application you want to scan:
   * Builds successfully.
   * Does not exceed the total file size limit of 200 MB.
   * Meets the packaging requirements. The Pipeline Scan supports applications
     built in these languages:
     * .NET
     * Android
     * Cordova
     * Groovy
     * Java
     * JavaScript
     * Kotlin
     * PHP
     * Python
     * React Native
     * Scala
     * Titanium

Note: You cannot use the Pipeline Scan if the source-code language for your
application is not supported.

 * If you are using authenticated HTTPS proxy connections, you have configured
   the proxy settings using this format:
   
   java -Dhttps.proxyHost=<myproxy> -Dhttps.proxyPort=<myport> -Dhttps.proxyUser=<myuser> -Dhttps.proxyPassword=<mypass>
   

OBTAIN THE PIPELINE SCAN FILES

You can obtain the latest version of the Pipeline Scan as a ZIP archive from
Veracode or as a container image from Docker Hub.

Steps

 1. Go to one of these locations:
    
    * Docker Hub to use a Docker image.
    * Veracode Downloads to download a ZIP archive.

 2. If you downloaded the ZIP archive, extract the contents to a local
    directory.
    
    The ZIP archive contains the pipeline-scan.jar, which includes all
    dependencies except the required Java 8 compatible JRE, and a README with
    detailed code examples. You add the full path to pipeline-scan.jar in your
    pipeline scripts for running a Pipeline Scan. The provided script examples
    include steps to both download and extract the ZIP as part of the Pipeline
    Scan job.

Next Steps

Run Pipeline Scans from the command line or in your development pipeline.

RUN A PIPELINE SCAN FROM THE COMMAND LINE

You can run a few Pipeline Scan commands at a local console, outside of a
development pipeline, to get started with running a scan and viewing scan
results without the need for a test or production pipeline. You can also use the
command line for debugging.

Before You Begin

Before running a Pipeline Scan, ensure you meet the prerequisites.

Overview

This is an optional procedure that steps you through running a few Pipeline Scan
commands from the command line using different command parameters for generating
scan results, creating a custom baseline file, and running a Pipeline Scan
against that baseline file.

If you want to add a Pipeline Scan to your development pipeline, you can skip
this procedure and go to Run a Pipeline Scan in a Pipeline. You can also run and
manage scans using the Pipeline Scan API.

A Veracode account is limited to six Pipeline Scans per 60 seconds and each scan
is limited to a maximum scan time of 60 minutes.

The example Java application is a WAR file named verademo.war, which you can
download from the Veracode GitHub repository. You can also use any application
that meets the language and packaging requirements.

Steps

 1. Obtain the Pipeline Scan files.

 2. Run this command to view all scan results for an application:
    
    java -jar pipeline-scan.jar --file verademo.war
    
    
    Each scan returns a status code.

 3. Run this command to include additional details about each finding in the
    scan results:
    
    java -jar pipeline-scan.jar --file verademo.war -id true
    

 4. Run this command to save the scan results to a JSON file with a custom
    filename:
    
    java -jar pipeline-scan.jar --file verademo.war -jf verademo_results.json
    
    
    By default, Pipeline Scan saves the scan results to a results.json file in
    the local directory. This file is also called an artifact.
    
    Note: Each Pipeline Scan command overwrites the default results.json file
    with the latest results. By giving your JSON file a unique filename you can
    prevent subsequent scans from overwriting your saved scan results.
    
    The JSON file contains detailed information about each flaw as key-value
    pairs. This example shows a single finding in a JSON file.

 5. Run this command to set your custom JSON file as the baseline file of known
    findings for this application:
    
    java -jar pipeline-scan.jar --file verademo.war -bf verademo_results.json
    

Next Steps

 * If you set a baseline file, store it in version control at the same level as
   the scanned application. Any changes to a baseline file can affect your
   security strategy. It is important that you version this file to ensure it
   contains the required baseline of findings for the given application. If
   necessary, you can revert to a previous version of the file.
 * Review the scan results with your team to determine a mitigation plan for
   addressing the discovered flaws.

RUN A PIPELINE SCAN IN A PIPELINE

You can add the Pipeline Scan to a job in your development pipeline. You can use
the provided code examples as templates for adding the Pipeline Scan as a stage
in a pipeline job and configure the command parameters to achieve the desired
scan results.

Before You Begin

Before running a Pipeline Scan, ensure you meet the prerequisites.

Overview

Note: Veracode strongly recommends that you configure a Pipeline Scan in a test
pipeline. For example, use a test pipeline on a local workstation or virtual
machine (VM) in case you encounter any problems. You can safely resolve any
problems in your test pipeline and ensure your configuration provides the
expected scan results before moving the configuration to your production
pipeline.

If you want to run a Pipeline Scan, try different commands, debug, or review
scan results outside of a pipeline, you can Run a Pipeline Scan from the Command
Line.

You can also run and manage scans using the Pipeline Scan API.

A Veracode account is limited to six Pipeline Scans per 60 seconds and each scan
is limited to a maximum scan time of 60 minutes.

Steps

 1. Obtain the Pipeline Scan files.

 2. In your development pipeline, add or edit a job for the Pipeline Scan that
    runs after the stage for building your application.

 3. Add the code for your CI/CD code repository to the Pipeline Scan stage.
    
    For additional code examples or to ask questions, visit the Veracode
    Community.

 4. In the Pipeline Scan job, include either the pipeline-scan.jar file you
    extracted from pipeline-scan-LATEST.zip or the Docker image.
    
    Veracode recommends that you set the job to download
    pipeline-scan-LATEST.zip or get the latest Docker image, each time the job
    runs, to ensure that you are using the latest version of the Pipeline Scan.
    Alternatively, you can cache pipeline-scan-LATEST.zip locally on your CI
    system and download it at regular intervals. The code examples include a
    step for downloading and extracting the latest version of the Pipeline Scan
    ZIP archive.

 5. Edit the Pipeline Scan job to include the command parameters that meet the
    security-scanning requirements for your application.
    
    The example configuration scenarios provide common configurations for
    specifying fail-build criteria, such as failing the pipeline on specific
    flaw severities or CWEs.

 6. Run the pipeline to run the Pipeline Scan job.
    
    The scan results provide a list of discovered flaws, if any, and a status
    code. If the Pipeline Scan finds any flaws, it returns a status code greater
    than or equal to 1, which indicates the number of flaws found, and fails the
    pipeline job.
    
    The Pipeline Scan saves the scan results to a build artifact, which is a
    JSON file named results.json. You can rename the JSON file and you can also
    use it as a baseline file to set a baseline of discovered flaws for the
    scanned application.

Next Steps

 * If you set a baseline file, store it in version control at the same level as
   the scanned application. Any changes to a baseline file can affect your
   security strategy. It is important that you version this file to ensure it
   contains the required baseline of findings for the given application. If
   necessary, you can revert to a previous version of the file.
 * Review the scan results with your team to determine a mitigation plan for
   addressing the discovered flaws.

USING A PIPELINE SCAN BASELINE FILE

The Pipeline Scan provides the ability to set a baseline of known security
findings. It stores these findings in a JSON file called the baseline or
baseline file. The Pipeline Scan can compare discovered findings against the
baseline file to identify new findings.

During scanning, the Pipeline Scan ignores the findings in a baseline file and
only uses the file to identify new findings. For a CI/CD workflow, you can
decide whether any new findings outside of your baseline are important enough to
"break the build". Then, your team can determine a mitigation strategy for
addressing these findings before moving the code to the next phase in your
development pipeline.

By default, after each scan, the Pipeline Scan saves the scan results to a
results.json file. Because results.json is a standard JSON file that contains
all the findings information from your scan results, and which you can safely
rename, you can set this file as the baseline for the scanned application.

For example, you can run the Pipeline Scan at the command line with the
--baseline_file parameter and the name of your JSON file. The Pipeline Scan
compares the new results against that JSON file and reports only the findings
that are not in it.
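The command-line procedure (Run a Pipeline Scan from the Command Line), the pipeline job steps, and the baseline workflow described here can be combined into a single CI step. The script below is an added example, not Veracode's own code: it assumes pipeline-scan.jar is already extracted into the working directory, that the scanner's status code equals the number of findings as this page states, and the names PIPELINE_SCAN_CMD, build_scan_args, interpret_status, run_scan and promote_baseline are chosen here.

```shell
#!/usr/bin/env bash
# Added example (not Veracode's script): a CI step around the Pipeline Scan
# commands on this page. Assumes pipeline-scan.jar is in the working directory.
set -u
# Scanner invocation; override with a stub (PIPELINE_SCAN_CMD=my_stub) to
# exercise the step without a Veracode account.
: "${PIPELINE_SCAN_CMD:=java -jar pipeline-scan.jar}"
# Build the parameter list. --file is mandatory; -jf writes results to a
# uniquely named file so the next scan does not overwrite them (every scan
# overwrites results.json); -bf supplies the baseline of known findings.
build_scan_args() {
  local app="$1" baseline="${2:-}" json_out="${3:-results.json}"
  local args="--file $app -jf $json_out"
  if [ -n "$baseline" ]; then
    if [ -f "$baseline" ]; then
      args="$args -bf $baseline"
    else
      echo "warning: baseline $baseline not found; all findings count as new" >&2
    fi
  fi
  printf '%s' "$args"
}
# Status code 0 means no findings (outside the baseline, if one was given);
# a code >= 1 is the number of findings and must fail the job.
interpret_status() {
  case "$1" in
    0) echo "pass: no new findings" ;;
    *) echo "fail: $1 new finding(s) outside the baseline" ;;
  esac
}
# Run one scan and propagate the scanner's status code unchanged, so the CI
# runner inherits the pass/fail decision.
run_scan() {
  local status=0
  $PIPELINE_SCAN_CMD $(build_scan_args "$@") || status=$?
  interpret_status "$status"
  return "$status"
}
# Promote the latest results to the baseline only on explicit request; the
# updated baseline is then committed next to the application, as recommended.
promote_baseline() {
  local json_out="$1" baseline="$2"
  [ -f "$json_out" ] || { echo "no results file: $json_out" >&2; return 1; }
  cp "$json_out" "$baseline" && echo "baseline updated: $baseline"
}
# Usage: ./veracode_scan.sh <app.war> [baseline.json] [results.json]
if [ "$#" -gt 0 ]; then run_scan "$@"; fi
```

Because run_scan returns the scanner's own status code, the CI runner fails the job exactly when new findings appear, while promote_baseline is a separate, deliberate action rather than something every scan does.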

USING POLICIES WITH PIPELINE SCANS

You can use a Veracode security policy to evaluate the scan results from a
Pipeline Scan.

You can configure a Pipeline Scan to evaluate the scan results against one of
the standard or recommended security policies. To use a custom policy, you must
include the --request_policy parameter in your pipeline or at the command line
to retrieve the policy definition from Veracode.

Because a Pipeline Scan performs a static scan and is not aware of the full
history of findings, it supports only these policy rule types:

 * Findings with CWE ID
 * Findings in CWE Category
 * Findings by Severity

When using a Veracode policy, a Pipeline Scan does not consider grace periods,
required scan frequency, or evaluation time frames.
