Veracode Scanning
NOTE: This is not an official Veracode supported extension. Go to https://docs.veracode.com/ to find information about Veracode extensions for Azure DevOps.
Overview
This extension is intended to make it easy to use Veracode Static Analysis and/or Veracode Software Composition Analysis in your pipelines. It supports running Policy Scans and Pipeline Scans for Static Analysis and Agent Based Scans for Software Composition Analysis. Although you can supply configuration parameters as part of the pipeline YAML definition, the extension will prioritise configuration that is provided as a Variable Group.
Why use variables for configuration?
This is to support future functionality where configuration of the Veracode Scanning task can be automated. As long as the task is part of the pipeline and already using variables for configuration it will be much easier to update the variables from other places (e.g. a provisioning script which could refresh API credentials automatically) than to edit the YAML files themselves. It also means that regardless of differences between branches a common approach to scanning configuration is applied.
Veracode Scanning runs both types of analysis in parallel to minimise the amount of time taken. Static Analysis in particular is a very computationally complex activity that involves modelling the code for data and control paths and then searching the model for paths that represent weaknesses. Inevitably as the volume and complexity of code being analysed grows the work involved will take more time so anything we can do to minimise that is helpful.
Veracode Scanning also adds visualisation of the scan results as an additional tab on the Build Summary and Pull Request views. For the Build Summary the results shown will be the output from the current build. For the Pull Request tab the results shown are those found in the latest build of the Source Branch for the Pull Request. In both cases the results are initially shown with only Policy Violating findings (i.e. any Static or Software Composition Analysis findings that will cause the codebase to fail the Policy that has been assigned in the Veracode Platform). There is a button to allow you to switch the view to show All Results and back again. For Static Analysis this results filtering supports all Policy Rules that apply to Static Analysis. For Software Composition Analysis there is a limitation that only Maximum Severity and Maximum CVSS Score rules are supported.
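As an added illustration of the results filtering described above (this is example code, not part of the extension or of Veracode's own implementation), the following reproduces the default "Policy Violating" view and the "All Results" toggle. The finding and rule shapes, the function names, the sample data and the threshold semantics (a finding violates a Maximum Severity or Maximum CVSS Score rule when it reaches the configured threshold) are assumptions made for this example; for Static Analysis the platform's own policy verdict is used as-is, while for SCA only the two supported rule types are applied.

```python
# Added example, not part of the Veracode Scanning extension: reproduce the
# results-tab filtering (policy-violating findings by default, all on toggle).
# Finding/rule shapes, names, sample data and threshold semantics are assumptions.
from dataclasses import dataclass
from typing import List, Optional

# Severity scale, lowest to highest (assumed ordering)
SEVERITY_RANK = {
    "Informational": 0, "Very Low": 1, "Low": 2,
    "Medium": 3, "High": 4, "Very High": 5,
}


@dataclass
class StaticFinding:
    cwe: int
    severity: str
    violates_policy: bool   # policy evaluation as reported by the platform


@dataclass
class ScaFinding:
    component: str
    vuln_id: str            # placeholder identifier, constructed for the sample
    severity: str
    cvss: float


@dataclass
class ScaPolicyRules:
    # Only Maximum Severity and Maximum CVSS Score are honoured for SCA filtering;
    # None means the rule is not part of the assigned policy.
    max_severity: Optional[str] = None
    max_cvss: Optional[float] = None


def static_violations(findings: List[StaticFinding]) -> List[StaticFinding]:
    # All static policy rules are supported, so the platform's verdict is used directly.
    return [f for f in findings if f.violates_policy]


def sca_violations(findings: List[ScaFinding], rules: ScaPolicyRules) -> List[ScaFinding]:
    # Assumed semantics: a finding violates a rule when it reaches the configured threshold.
    result = []
    for f in findings:
        by_severity = (rules.max_severity is not None
                       and SEVERITY_RANK[f.severity] >= SEVERITY_RANK[rules.max_severity])
        by_cvss = rules.max_cvss is not None and f.cvss >= rules.max_cvss
        if by_severity or by_cvss:
            result.append(f)
    return result


def visible_results(static, sca, rules, show_all=False):
    """What the tab displays: policy-violating findings by default, everything when toggled."""
    if show_all:
        return {"static": list(static), "sca": list(sca)}
    return {"static": static_violations(static), "sca": sca_violations(sca, rules)}


# Constructed sample data for a dry run (not real scan output)
SAMPLE_STATIC = [
    StaticFinding(cwe=89, severity="Very High", violates_policy=True),
    StaticFinding(cwe=117, severity="Low", violates_policy=False),
]
SAMPLE_SCA = [
    ScaFinding("example-lib-a", "EXAMPLE-VULN-1", "Very High", 9.8),
    ScaFinding("example-lib-b", "EXAMPLE-VULN-2", "Medium", 5.3),
]
SAMPLE_RULES = ScaPolicyRules(max_severity="High", max_cvss=7.0)

if __name__ == "__main__":
    default_view = visible_results(SAMPLE_STATIC, SAMPLE_SCA, SAMPLE_RULES)
    print(len(default_view["static"]), "static and",
          len(default_view["sca"]), "SCA policy violations in the default view")
```

Note that with `ScaPolicyRules()` (neither supported rule present) the SCA list in the default view is empty even if the assigned policy contains other SCA rule types, which is exactly the limitation the text calls out.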
Getting Started
Install the extension (click "Get it free" above) and then, for each project that you want to add Veracode Scanning to:
- Create a new Variable Group ("Pipelines" -> "Library" -> "+ Variable group") called VeracodeScanning (you can use any name you like but the rest of the instructions assume this name)
- Add the configuration variables (see section Configuration Principles below for details). Remember to make the credentials variables Secret.
- Save the Variable group.
- Edit your pipeline YAML file. Toward the top of the file you will need to add a reference to the Variable group
variables:
- group: VeracodeScanning
Later in the YAML (after the code has been packaged) add the Veracode Scanning task (NOTE: if you've set up the variable group then no inputs are needed)
- task: VeracodeScanning@0
- That's it - whenever the pipeline runs the appropriate scanning will take place automatically.
Configuration Principles
There are 2 parts to the configuration of Veracode Scanning.
Scanning Configuration - API Credentials required to communicate with the Veracode Platform and the parameters used by the actual scanning activities (i.e. which files should be uploaded for Static Analysis and which Modules should be selected for scanning).
Workflow Configuration - Which type of Static Analysis (Policy or Pipeline) should be performed on a given Branch and when should failure to pass Policy Compliance result in the pipeline failing.
All configuration parameters can be supplied either as inputs to the task in the pipeline YAML file or as Variables defined in a Variable Group in your Project. When it is executing the Task will first try to find the Variable and will only check the YAML Input if the Variable is not present.
Static Scanning Configuration Parameters
For Static Analysis the following configuration parameters apply. If any of the Required parameters are not supplied then Static Analysis will not be performed.
| Parameter Name | Required | Description |
|---|---|---|
| VERACODE_API_KEY_ID | Required | The ID part of your Veracode API Credentials. You can generate these credentials either by logging in to the Veracode Platform or by using the Identity API. For more details go to https://docs.veracode.com/ |
| VERACODE_API_KEY_SECRET | Required | The Key part of your Veracode API Credentials. |
| VERACODE_APP_ID | Required | The Application ID of the App Profile on the Veracode Platform that is used for this Project. You can find this ID by logging in to the Veracode Platform, navigating to the App Profile and then extracting the ID from the URL (the second number in the URL). |
| VERACODE_UPLOAD_PATTERN | Required | Filename pattern that represents the files to be uploaded for Static Analysis. NOTE: Files to be uploaded should be packaged in the required format. For more information go to https://docs.veracode.com/r/compilation_packaging |
| VERACODE_MODULE_PATTERN | Optional | The name(s) of the module(s) to be included in the Static Scan. These differ from the Upload Pattern files in that they have no path element. For example, if you uploaded target/verademo.war for scanning then the Module Name will just be verademo.war. If you don't supply a Module Pattern then all top level modules will be scanned. |
| VERACODE_SCAN_TIMEOUT | Optional | When a Policy Scan is being performed this parameter sets a timeout for how long the task will wait for the scan to complete. If the scan fails to complete in time then currently the scan results will not be available in the Scan Summary or Pull Request tabs. In future the tabs will be able to retrieve these results for viewing later. |
SCA Scanning Configuration Parameters
For Software Composition Analysis the following configuration parameters apply. If any of the Required parameters are not supplied then Software Composition Analysis will not be performed.
Static Workflow Configuration Parameters
These parameters control which type of static scan is performed upon a given branch as well as when the scanning task is required to break the build if Policy Violating findings exist.
| Parameter Name | Required | Description |
|---|---|---|
| VERACODE_REPORTING_BRANCH | Required | The branch that should be used for Compliance Reporting (i.e. Policy Scanning with Static Analysis). For example "refs/heads/main" |
| VERACODE_BREAK_BUILD_BRANCHES | Required | Branches where you want the build task to fail if there are Policy Violations in the scan results. For example "refs/heads/main, refs/heads/release-candidates" |
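The following added example (written for this page, not code from the extension) works through the configuration rules from the Configuration Principles section together with the workflow parameters above: a Variable Group value is used first and the YAML input only when the variable is absent, Static Analysis is skipped when any required parameter is missing, module names are the upload file names without their path element, and the build is broken only on a branch listed in VERACODE_BREAK_BUILD_BRANCHES when Policy Violations exist. The function names, the sample values and the mapping "Policy Scan on the reporting branch, Pipeline Scan on every other branch" are assumptions made for this example.

```python
# Added example, not part of the Veracode Scanning extension: configuration
# precedence (Variable Group before YAML input), required-parameter gating,
# module-name derivation and the branch-based workflow decision.
# Function names, sample values and the policy/pipeline branch mapping are assumptions.
import fnmatch
import os
from typing import Dict, List, Mapping, Optional

STATIC_REQUIRED = (
    "VERACODE_API_KEY_ID",
    "VERACODE_API_KEY_SECRET",
    "VERACODE_APP_ID",
    "VERACODE_UPLOAD_PATTERN",
)
STATIC_OPTIONAL = ("VERACODE_MODULE_PATTERN", "VERACODE_SCAN_TIMEOUT")
WORKFLOW = ("VERACODE_REPORTING_BRANCH", "VERACODE_BREAK_BUILD_BRANCHES")


def resolve(name: str, variables: Mapping[str, str], inputs: Mapping[str, str]) -> Optional[str]:
    """Variable Group value first; the YAML task input is consulted only if the variable is absent."""
    value = variables.get(name)
    if value not in (None, ""):
        return value
    return inputs.get(name) or None


def resolve_config(variables: Mapping[str, str], inputs: Mapping[str, str]) -> Dict[str, Optional[str]]:
    names = STATIC_REQUIRED + STATIC_OPTIONAL + WORKFLOW
    return {n: resolve(n, variables, inputs) for n in names}


def static_enabled(config: Mapping[str, Optional[str]]) -> bool:
    # Any missing required parameter disables Static Analysis entirely.
    return all(config.get(n) for n in STATIC_REQUIRED)


def parse_branch_list(value: Optional[str]) -> List[str]:
    # Comma-separated, e.g. "refs/heads/main, refs/heads/release-candidates"
    return [b.strip() for b in (value or "").split(",") if b.strip()]


def module_names(upload_paths: List[str], module_pattern: Optional[str]) -> List[str]:
    # Module names carry no path element: target/verademo.war -> verademo.war
    names = [os.path.basename(p) for p in upload_paths]
    if not module_pattern:
        return names            # no pattern: all top-level modules are scanned
    return [n for n in names if fnmatch.fnmatch(n, module_pattern)]


def plan_static_scan(config: Mapping[str, Optional[str]], branch: str,
                     has_policy_violations: bool) -> Dict[str, object]:
    """Which static scan runs on this branch and whether a policy failure breaks the build."""
    if not static_enabled(config):
        return {"scan": None, "break_build": False}
    # Assumption: Policy Scan on the reporting branch, Pipeline Scan everywhere else.
    scan = "policy" if branch == config.get("VERACODE_REPORTING_BRANCH") else "pipeline"
    break_branches = parse_branch_list(config.get("VERACODE_BREAK_BUILD_BRANCHES"))
    break_build = branch in break_branches and has_policy_violations
    return {"scan": scan, "break_build": break_build}


# Constructed sample: the Variable Group holds credentials and the app, YAML supplies the rest.
# Credential values are placeholders, not real secrets.
SAMPLE_VARIABLES = {
    "VERACODE_API_KEY_ID": "placeholder-key-id",
    "VERACODE_API_KEY_SECRET": "placeholder-key-secret",
    "VERACODE_APP_ID": "000000",
    "VERACODE_UPLOAD_PATTERN": "target/*.war",
    "VERACODE_REPORTING_BRANCH": "refs/heads/main",
}
SAMPLE_INPUTS = {
    "VERACODE_UPLOAD_PATTERN": "build/*.jar",   # ignored: the variable wins
    "VERACODE_BREAK_BUILD_BRANCHES": "refs/heads/main, refs/heads/release-candidates",
}

if __name__ == "__main__":
    cfg = resolve_config(SAMPLE_VARIABLES, SAMPLE_INPUTS)
    print("upload pattern:", cfg["VERACODE_UPLOAD_PATTERN"])
    print("main:", plan_static_scan(cfg, "refs/heads/main", True))
    print("feature:", plan_static_scan(cfg, "refs/heads/feature-x", True))
    print("modules:", module_names(["target/verademo.war"], cfg["VERACODE_MODULE_PATTERN"]))
```

Running it with an empty variable map and only the YAML inputs shows the gating rule: the credentials are missing, so `static_enabled` is false and no static scan is planned regardless of branch.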