Pipeline Scan example for using a baseline file with Azure DevOps
This YAML code example shows how to generate and use a baseline file in an Azure DevOps build pipeline.
The Pipeline Scan evaluates only flaws that differ from those stored in the baseline file to determine pass or fail criteria. You can use a baseline file to evaluate security risk on only new changes to your application. The Pipeline Scan uses a single pipeline for the build and security scan, then stores the baseline file as an artifact each time a job runs. You can modify this example so that you can run the Pipeline Scan as its own pipeline that another job can trigger. Depending on your build configuration, you may want to store results in a separate globally-accessible location, such as a shared directory.
The example includes a script that downloads and unzips pipeline-scan-LATEST.zip
, to ensure you have the latest version, then runs pipeline-scan.jar
using your API credentials. For improved stability, Veracode recommends that you change these scripts to use the Pipeline Scan Docker image.
Create a baseline file
trigger:
- master
pool:
vmImage: "ubuntu-latest"
steps:
- task: Gradle@2
inputs:
workingDirectory: ""
gradleWrapperFile: "gradlew"
gradleOptions: "-Xmx3072m"
javaHomeOption: "JDKVersion"
jdkVersionOption: "1.8"
jdkArchitectureOption: "x64"
publishJUnitResults: true
testResultsFiles: "**/TEST-*.xml"
tasks: "build"
- script: |
curl -O -L https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
displayName: "Download Pipeline Scan"
- task: ExtractFiles@1
inputs:
archiveFilePatterns: "pipeline-scan-LATEST.zip"
destinationFolder: "pipeline"
cleanDestinationFolder: false
- script: |
java -jar pipeline\pipeline-scan.jar --veracode_api_id "$(VERACODE_API_ID)" --veracode_api_key "$(VERACODE_API_KEY)" --file "example.jar" --json_output_file="baseline.json" || true
# Pipeline Scan command. VERACODE_API_ID and VERACODE_API_KEY must reference your API credentials.
# "--json_output_file" saves scan results as a JSON file that you can use as a baseline file.
env:
VERACODE_API_ID: $(VERACODE_API_ID)
VERACODE_API_KEY: $(VERACODE_API_KEY)
displayName: "Run Pipeline Scan"
- publish: $(System.DefaultWorkingDirectory)/baseline.json
artifact: baseline
Apply baseline file and fail build for new flaws
trigger:
- master
pool:
vmImage: "ubuntu-latest"
steps:
- script: |
curl -O -L https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
displayName: "Download Pipeline Scan"
- task: ExtractFiles@1
inputs:
archiveFilePatterns: "pipeline-scan-LATEST.zip"
destinationFolder: "pipeline"
cleanDestinationFolder: false
- task: DownloadPipelineArtifact@2
inputs:
source: specific
project: "test"
pipeline: 2
artifact: baseline
- script: |
java -jar pipeline\pipeline-scan.jar --veracode_api_id "$(VERACODE_API_ID)" --veracode_api_key "$(VERACODE_API_KEY)" --file "example.jar" --baseline_file "../baseline.json"
# VERACODE_API_ID and VERACODE_API_KEY must reference your API credentials.
# "--baseline_file" specifies the baseline of known flaws for the specified application file.
# This example command breaks the build for new flaws not listed in the specified baseline file.
env:
VERACODE_API_ID: $(VERACODE_API_ID)
VERACODE_API_KEY: $(VERACODE_API_KEY)
displayName: "Run Pipeline Scan"