Azure DevOps YAML properties for Flaw Importer
This table describes the YAML properties and their values for adding the Veracode Flaw Importer task to an Azure DevOps build pipeline.
Property | Type | Description |
---|---|---|
ConnectionDetailsSelection Required | String | One of these methods for connecting to Veracode:
|
veracodeAppProfile Required | String | Name of the application profile. The name is case-sensitive. |
AnalysisService | String | If you set ConnectionDetailsSelection to Endpoint, the name of the service connection for accessing Veracode. If a service connection does not exist, you can create a new service connection. |
apiId | String | If you set ConnectionDetailsSelection to Credentials, your Veracode API ID. |
apiKey | String | If you set ConnectionDetailsSelection to Credentials, your Veracode API key. |
proxySettings | String | If using a proxy to access Veracode, your proxy settings. For example: -phost abc.com -pport 5252 -puser proxyuser -ppassword proxypassword NOTE: Do not enclose any of the values in single or double quotations. |
sandboxName | String | For development sandbox scans, the name of the sandbox in which to run the scan. If the sandbox does not exist, include createSandBox to create it with the specified name. |
scanType | String | Scan types from which to import flaws or vulnerabilities. One of these values: Dynamic, Static SCA , Static, SCA , Dynamic, Static, SCA |
importType | String | One of these flaw types to import:
|
workItemType | String | One of these work item types to apply to all imported flaws: Bug, Issue, Task, Epic, Feature, Test Case. NOTE: The Scrum process template does not support the Issue work item type. Also, the Veracode Flaw Importer task can only import flaws to customized work item types that do not contain required fields. If your customized work item types contain required fields, you must select different work item types that do not contain required fields, or the flaws fail to import. |
area | String | Path to the area where you want to group the work items. You can enter up to five levels in the path. To enter the area paths, use the format <project_name>\<area_1>\<area_2>. For <project_name>, enter the name of the project in the Build Pipeline or Release Pipeline task for which you want to import flaws. |
overwriteAreaPathInWorkItemsOnImport | Boolean | Set to true to replace the area path in new and existing work items with the value specified for area. If set to false, existing work items retain their current area path. |
addCustomTag | String | Add a tag with a custom string to all work items for all imported flaws. |
addCweAsATag | Boolean | Add a tag with the CWE ID for the discovered flaw to the corresponding work item. Set to true to add the tag. Set to false to not add the tag. Defaults to true; the property appears in the YAML file only if the value is false. |
addCveAsATag | Boolean | For SCA scans, add a tag with the CVE ID for the finding to the work item. Set to true to add the tag. Set to false to not add the tag. Defaults to true; the property appears in the YAML file only if the value is false. |
addScanTypeTag | Boolean | Add a tag to the work item with the scan type, such as Static or Dynamic, that produced the finding. Set to true to add the tag. Set to false to not add the tag. Defaults to true; the property appears in the YAML file only if the value is false. |
addSeverityTag | Boolean | Add a tag with the finding severity to the work item. Set to true to add the tag. Set to false to not add the tag. Defaults to true; the property appears in the YAML file only if the value is false. |
addDueDateTag | Boolean | Add a tag to the work item with the due date for your team to fix the finding. Set to true to add the tag. Set to false to not add the tag. Defaults to true; the property appears in the YAML file only if the value is false. |
foundInBuild | Boolean | Add a tag with the build number of the build in which Veracode discovered the flaw to the corresponding work item. Set to true to add the tag. Set to false to not add the tag. Defaults to true; the property appears in the YAML file only if the value is false. |
addScanNameAsATag | Boolean | Add a tag to each work item showing the name of the Veracode scan that found the imported flaw. Set to true to add the tag. Set to false to not add the tag. Defaults to true; the property appears in the YAML file only if the value is false. |
flawImportLimit | Integer | Maximum number of flaws to import at the same time. Default is 1000. |
customFields | String | Add custom fields from process templates to generated work items of imported flaws. Enter key-value pairs to specify each field name and value. Add each key-value pair, separated with a colon, on a new line. For example: field.name:value NOTE: Ensure these field names match the field names you define in Azure and that all values are valid for a given field type. Any mismatch or validation errors are visible only in the console after importing flaws. |
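
The following is an added example, not Veracode's or Microsoft's code: a pre-merge lint over one Flaw Importer task's `inputs` mapping that applies the rules from the table above (required properties, the connection-mode dependencies, unquoted proxySettings values, the field.name:value layout of customFields). The check that apiId, apiKey and the -ppassword value are `$(variable)` references rather than literals is an added hygiene check, not a documented Veracode requirement, and the variable names and sample values are hypothetical.

```python
import re

# Azure DevOps macro reference, e.g. $(VERACODE_API_KEY); names are hypothetical.
MACRO = re.compile(r"^\$\([A-Za-z_][\w.]*\)$")

# Constructed sample: what a pipeline's `inputs:` block would parse to.
SAMPLE_INPUTS = {
    "ConnectionDetailsSelection": "Credentials",
    "veracodeAppProfile": "ExampleApp",
    "apiId": "$(VERACODE_API_ID)",
    "apiKey": "not-a-real-key-0000",
    "proxySettings": "-phost abc.com -pport 5252 -puser proxyuser -ppassword 'proxypassword'",
    "customFields": "field.name:value\nbroken line",
}

def lint_flaw_importer_inputs(inputs):
    """Return a list of findings for one Flaw Importer task's inputs."""
    findings = []
    mode = inputs.get("ConnectionDetailsSelection")
    if not mode:
        findings.append("ConnectionDetailsSelection is required")
    if not inputs.get("veracodeAppProfile"):
        findings.append("veracodeAppProfile is required")
    if mode == "Endpoint" and not inputs.get("AnalysisService"):
        findings.append("Endpoint selected but AnalysisService is not set")
    if mode == "Credentials":
        for key in ("apiId", "apiKey"):
            value = inputs.get(key, "")
            if not value:
                findings.append(f"Credentials selected but {key} is not set")
            elif not MACRO.match(value):
                findings.append(f"{key} is a literal; reference a secret variable")
    proxy = inputs.get("proxySettings", "")
    if "'" in proxy or '"' in proxy:
        findings.append("proxySettings values must not be quoted")
    tokens = proxy.split()
    for flag, value in zip(tokens, tokens[1:]):
        if flag == "-ppassword" and not MACRO.match(value):
            findings.append("proxySettings carries a literal -ppassword value")
    for line in inputs.get("customFields", "").splitlines():
        name, sep, value = line.partition(":")
        if line.strip() and not (sep and name.strip() and value.strip()):
            findings.append(f"customFields line is not field.name:value: {line!r}")
    return findings

if __name__ == "__main__":
    for finding in lint_flaw_importer_inputs(SAMPLE_INPUTS):
        print(finding)
```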