Veracode Community Static Analysis Security Testing (SAST) Azure DevOps ExtensionThis project is community contributed and is not supported by Veracode. For a list of supported projects, please visit Veracode.com. OverviewSeamlessly integrate Veracode SAST scans with Azure DevOps build pipelines. Please note, this SAST scan is not the same thing as the "Upload and Scan" method. The primary difference is that this scan does not record findings with the central Veracode platform. You can find an overview of each method on Veracode's website here. RequirementsTo run this plug-in in your build pipeline, you must be an existing Veracode SAST customer. Additionally, you need a valid VERACODE_API_ID and VERACODE_API_KEY to use this plug-in. Documentation for how to create a token for Continuous Integration (CI) activities can be found on Veracode's website here. Currently, this plug-in will only run on a Linux or Mac Azure Pipelines agent (either hosted or self-hosted). Additionally, the agent requires Python > 3.6. UsageThere are four required inputs: VERACODE_API_ID/VERACODE_API_KEY, Target to scan, Minimum severity to report, and an option to fail the build.
There are two optional inputs: Application Name, and Test Agent capabilities
Classic Pipeline ExampleYAML Pipeline ExampleBelow is sample YAML to insert into your build or release pipeline.
Setting and Securing VERACODE_API_ID/VERACODE_API_KEYA high-level overview of setting secret values in YAML pipelines is here. To set secret values in Classic pipelines, refer to the documentation here. In either case, first create variables in your build pipeline called VERACODE_API_ID, store the token in the field, and click on the lock icon to protect the token. Repeat the process for VERACODE_API_KEY. Please note, once you protect the token, you can never retrieve the value again from Azure DevOps. Once you have created the VERACODE_API_ID/VERACODE_API_KEY variables, you have to populate it in the plug-in. Navigate to the "Environment Variables" section of the plug-in, create the variable for VERACODE_API_ID and, for value, input $(VERACODE_API_ID). Repeat the process for VERACODE_API_KEY. ResultsVulnerabilities (if any) are automatically published to the build pipeline. To view them, simply click on the "Tests" tab. For each vulnerability discovered, a "failed test" will appear in the results. Known Issues and Limitations of the Microsoft hosted Azure Pipeline agentIf you intend to test a private endpoint (i.e., internal source code repository), it is probable that the Microsoft hosted agents do not have access to your internal network. As a result, please use a self-hosted Azure Pipeline agent. For self-hosted agents, Python >= 3.6.x is required. Please Note: Windows is currently not supported for the Veracode Community SCA Azure DevOps Extension. Please refer to the links below for your target platform: The location of the latest self-hosted agents is here |