Veracode Community Software Composition Analysis (SCA) Azure DevOps Extension

This project is community contributed and is not supported by Veracode. For a list of supported projects, please visit Veracode.com.

Overview

Seamlessly integrate Veracode Agent-Based SCA scans with Azure DevOps build or release pipelines. Please note, the Agent-Based scan method is not the same thing as the "Upload and Scan" method. You can find an overview of each method on Veracode's website here.

Requirements

To run this plug-in in your build or release pipeline, you must be an existing Veracode SCA customer. Additionally, you need a valid SRCCLR_API_TOKEN to use this plug-in. Documentation for how to create a token for Continuous Integration (CI) activities can be found on Veracode's website here. There are no specific instructions for Azure DevOps; however, if you follow the directions for CircleCI you can successfully generate a SRCCLR_API_TOKEN to be used with this plug-in.

Currently, this plug-in will only run on a Linux or Mac Azure Pipelines agent (either hosted or self-hosted). Additionally, the agent requires Python > 3.6.

Usage

There are five required inputs: SRCCLR_API_TOKEN, Scan type, Target to scan, Minimum CVSS score to report, and an option to fail the build.

There are two optional inputs: Application Name and Test Agent capabilities.

Classic Pipeline Example

YAML Pipeline Example

Below is sample YAML to insert into your build or release pipeline.
Setting and Securing SRCCLR_API_TOKEN

A high-level overview of setting secret values in YAML pipelines is here. To set secret values in Classic pipelines, refer to the documentation here. In either case, first create a variable in your build or release pipeline called SRCCLR_API_TOKEN, store the token in the field, and click on the lock icon to protect the token. Please note, once you protect the token, you can never retrieve the value again.

Once you have created the SRCCLR_API_TOKEN variable, you have to populate it in the plug-in. Navigate to the "Environment Variables" section of the plug-in, create a variable called SRCCLR_API_TOKEN and, for its value, input $(SRCCLR_API_TOKEN).

Results

Vulnerabilities (if any) are automatically published to the build or release pipeline. To view them, simply click on the "Tests" tab. For each vulnerability discovered, a "failed test" will appear in the results.

Known Issues and Limitations of the Microsoft-hosted Azure Pipeline agent

If you intend to test a private endpoint (i.e., an internal source code repository), it is probable that the Microsoft-hosted agents do not have access to your internal network. As a result, please use a self-hosted Azure Pipeline agent. For self-hosted agents, Python >= 3.6.x is required.

Please Note: Windows is currently not supported for the Veracode Community SCA Azure DevOps Extension. Please refer to the links below for your target platform:

The location of the latest self-hosted agents is here.

References

Here are some useful tips for developing tasks for Azure DevOps.
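To make the Results and Usage sections concrete, the following is an added Python example (not part of this extension's own code) that shows how a set of scan findings can be filtered by the "Minimum CVSS score to report" input, turned into a JUnit XML file in which every vulnerability appears as one failed test (which is what the "Tests" tab displays), and used to drive the "fail the build" option. The finding records and their field names are constructed for this example and are not the real agent output schema; the token check only verifies that SRCCLR_API_TOKEN was passed through the Environment Variables section and never prints its value.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample findings for this example. The field names (library,
# version, title, cvss) are an assumption, not the scanner's real schema.
SAMPLE_VULNS = [
    {"library": "lodash", "version": "4.17.15", "title": "Prototype Pollution", "cvss": 7.4},
    {"library": "minimist", "version": "1.2.0", "title": "Prototype Pollution", "cvss": 5.6},
    {"library": "ansi-regex", "version": "3.0.0", "title": "ReDoS", "cvss": 3.1},
]


def select_reportable(vulns, min_cvss):
    """Keep only findings at or above the 'Minimum CVSS score to report' input."""
    return [v for v in vulns if float(v["cvss"]) >= float(min_cvss)]


def to_junit(vulns, suite_name="Veracode SCA"):
    """Render one failed <testcase> per reportable vulnerability as JUnit XML.
    Published test results of this shape show up as failed tests in the Tests tab."""
    suite = ET.Element("testsuite", name=suite_name,
                       tests=str(len(vulns)), failures=str(len(vulns)))
    for v in vulns:
        case = ET.SubElement(suite, "testcase", classname=v["library"],
                             name=f"{v['title']} (CVSS {v['cvss']})")
        ET.SubElement(case, "failure",
                      message=f"{v['library']}@{v['version']}: {v['title']}")
    return ET.tostring(suite, encoding="unicode")


def should_fail_build(vulns, min_cvss, fail_on_findings):
    """Mirror the 'fail the build' option: fail only when it is enabled and at
    least one finding remains after the CVSS threshold is applied."""
    return bool(fail_on_findings) and len(select_reportable(vulns, min_cvss)) > 0


def token_present():
    """Confirm SRCCLR_API_TOKEN reached the task environment (set via
    $(SRCCLR_API_TOKEN) in the Environment Variables section) without logging it."""
    return bool(os.environ.get("SRCCLR_API_TOKEN"))


if __name__ == "__main__":
    reportable = select_reportable(SAMPLE_VULNS, 5.0)
    with open("sca-results.xml", "w", encoding="utf-8") as fh:
        fh.write(to_junit(reportable))
    print(f"{len(reportable)} finding(s) at or above CVSS 5.0; token set: {token_present()}")
    raise SystemExit(1 if should_fail_build(SAMPLE_VULNS, 5.0, True) else 0)
```

With a minimum CVSS of 5.0 the sample produces two failed tests and a non-zero exit code; raising the threshold to 8.0 leaves no reportable findings and the build passes.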