YAML scripting is frequently used to simplify configuration management of CI/CD tools. This blog post shows how YAML scripts for build tools like Circle CI, Concourse CI, GitLab, and Travis can be edited in order to create integrations with the Veracode Platform. Integrating Veracode AppSec solutions into CI/CD pipelines enables developers to embed remediation of software vulnerabilities directly into their SDLC workflows, creating a more efficient process for building secure applications. You can also extend the script template proposed in this blog to integrate Veracode AppSec scanning with almost any YAML-configured build tool.  

Step One: Environment Requirements

The first step is to confirm that your selected CI tool supports YAML-based pipeline definitions, where we assume that you are spinning up Docker images to run your CI/CD workflows. Your Docker images can run either on Java or .Net. Scripts included in this article are targeted only for Java, and you will need to confirm this step before moving on to the next one.

Step Two: Setting Up Your YAML File

The second step is to locate the YAML configuration file, which for many CI tools is labeled as config.yml. The basic syntax is the same for most build tools, with some minor variations. The links below contain configuration file scripts for Circle CI, Concourse CI, GitLab, and Travis, which you can also use as examples for adjusting methods of config files for other build tools.

Step Three: Downloading the Java API Wrapper

The next step requires downloading the Java API wrapper, which can be done by using the script below.

 # grab the Veracode agent
run:
	name: "Get the Veracode agent"
	command: |
	wget https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/19.2.5.6/vosp-api-wrappers-java-19.2.5.6.jar -O VeracodeJavaAPI.jar

Step Four: Adding Veracode Scan Attributes to Build Pipelines

The final step requires entering in the script all the information required to interact with Veracode APIs, including data attributes like users’ access credentials, application name, build tool version number, etc. Veracode has created a rich library of APIs that provide numerous options for interacting with the Veracode Platform, and that enable customers and partners to create their own integrations. Information on Veracode APIs is available in the Veracode Help Center.

The script listed below demonstrates how to add attributes to the Circle CI YAML configuration file, so that the script can run the uploadandscan API, which will enable application uploading from Circle CI to the Veracode Platform, and trigger the Platform to run the application scan.

run:
	     name: "Upload to Veracode"
	     command: java -jar VeracodeJavaAPI.jar 
	       -vid $VERACODE_API_ID 
	       -vkey $VERACODE_API_KEY 
	       -action uploadandscan 
	       -appname $VERACODE_APP_NAME 
	       -createprofile false 
	       -version CircleCI-$CIRCLE_BUILD_NUM 
	       -filepath upload.zip

In this example, we have defined:

Name – YAML workflow name defined in this script

Command – command to run Veracode API. Details on downloading API jar are already provided in the previous step

-vid $VERACODE_API_ID - user’s Veracode ID access credential

--vkey $VERACODE_API_KEY – user’s Veracode Key access credential

-action uploadandscan – name of Veracode API invoked by this script

$VERACODE_APP_NAME – name of customer application targeted for uploading and scanning by the Platform. This application name should be defined identically to the way that it is defined in the application profile on the Veracode Platform

-createprofile false – is a Boolean that defines whether application profile should be automatically created if the veracode_app_name does not find a match for an existing application profile.  

  • If defined as true, application profile will be created automatically if no app_name match is found, and upload and scan steps will continue
  • If defined as false, application profile will not be created, with no further actions for upload and scan

-version CircleCI - $CIRCLE_BUILD_NUM – version number of the Circle CI tool that the customer is using to run this integration

-filepath upload.zip – location where the application file resides prior to interacting with the Veracode API

With these four steps, Veracode scanning is now integrated into a new CI/CD pipeline.

Integrating application security scanning directly into your build tools enables developers to incorporate security scans directly into their SDLC cycles. Finding software vulnerabilities earlier in the development cycle allows for simpler remediation and more efficient issue resolution, enabling Veracode customers to build more secure software, without compromising on development deadlines.

For additional information on Veracode Integrations, please visit our integrations page.

Kevin Rise is a Veracode Solutions Architect. In his role, Kevin works closely with customers and prospects to determine how they can improve the security of their pipelines with Veracode’s technology. Previously, Kevin has travelled across the world helping organizations improve their businesses through various technologies.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.