
Add a Jenkins build job for Static Analysis

You can configure a Jenkins build job, in a freestyle or pipeline project, to upload binaries to Veracode for Static Analysis. You keep your existing build process and add a post-build action that carries the Veracode parameters.

Before you begin:

note

The Veracode Jenkins Plugin only supports freestyle and pipeline projects.

To complete this task:

  1. In the Jenkins left menu, select New Item.

  2. In the Enter an item name field, enter a name for the new project. This is the Jenkins project name; the Veracode plugin can reuse it as the application name and it determines the job workspace directory.

  3. Select one of these options:

    • If you want to create a new project using the standard project types provided by Jenkins, select one of the listed project types (freestyle or pipeline).
    • If you want to create a new project based on an existing project, in the Copy from input box, enter the name of an existing project you want to use as the model when you create the new item.
  4. Select OK.

  5. Select Advanced... to expand the Advanced Project Options.

  6. In the Post-build Actions section, from the Add post-build action dropdown menu, select Upload and Scan with Veracode.

  7. In the Application Name field, enter the name of the application you want Veracode to scan.

    To use the Jenkins project name as the application name, enter $projectname.

    note

    Do not wrap the application name in quotation marks.

  8. If the application does not already exist in the Veracode Platform, but is a new application you want Jenkins to create, select the Create Application checkbox.

    note

    If you select this option, you must also provide the name of the team that is associated with the application.

  9. From the Business Criticality dropdown menu, select the level of criticality of this application.

  10. In the Sandbox Name field, enter the name of the sandbox in which you want to run the scan as a sandbox scan.

  11. If the sandbox does not already exist in the Veracode Platform, but is a new sandbox you want Jenkins to create, select the Create Sandbox checkbox.

  12. In the Scan Name field, enter a name for the static scan you want to submit to the Veracode Platform for this application.

    To use the Jenkins project build number as the scan name, enter $buildnumber. To use the date and time of the Jenkins build job submission as the scan name, enter $timestamp.

  13. In the Upload field, enter the filepath patterns of the files you want to upload and scan. You can specify both include and exclude patterns.

    Use a comma-separated list of ant-style patterns relative to the root of the job workspace. The workspace is the directory Jenkins creates for the name you entered in the Project name field. For a description of the ant-style pattern format, see https://ant.apache.org/manual/dirtasks.html.

    note

    The Upload field does not accept variable names.

  14. In the Scan field, enter the filename patterns of the uploaded files you want Veracode to scan as top-level modules. You can specify both include and exclude patterns.

    Use a comma-separated list of ant-style patterns that match only the filenames of the files you uploaded, not their filepaths.

    note

    The Scan field does not accept variable names.

  15. You can rename files as they are uploaded. Select Save As, enter the filename pattern that matches the uploaded files you want to rename, and enter the replacement filename pattern, which refers to the groups that the filename pattern captured.

  16. Select the Wait for scan to complete checkbox if you want the Jenkins job to wait for the Veracode scan to complete.

    Enter the maximum time, in minutes, that the Jenkins job waits before it skips the Upload and Scan with Veracode action. Allow enough time for a typical scan of your application to complete. If the scan results do not meet the requirements of the associated policy, the policy scan fails regardless of whether the job waited for it to complete.

  17. For Delete Incomplete Scan, select the status level at which the plugin automatically deletes an incomplete scan so that the uploadandscan action can continue processing. The default, 0, does not delete an incomplete scan.

    To delete scans, you must have a user account with the Delete Scans role or an API service account with the Upload and Scan role.

  18. If you entered Veracode API credentials on the Manage Jenkins page and want this project to use them, select the Use global Veracode API ID and key checkbox.

  19. Otherwise, in the Veracode Credentials section, enter your Veracode API ID and key.

    If you have bound your Veracode API credentials to environment variables, enter the variable names for the API ID and key instead of the values. Prefer bound or global credentials over pasting the key into the job configuration, so that the secret is not stored in the job itself.

  20. Select Apply, and then select Save.

  21. Go to the Jenkins project and select Build Now from the left menu.
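
The steps above configure the action through the freestyle project form. The same configuration can be expressed for a pipeline project in a Jenkinsfile. The following declarative pipeline is an added example written for this page, not code from the original page or from Veracode; the step parameter names follow the plugin's pipeline syntax as the editor knows it, so confirm them with the Pipeline Syntax snippet generator in your Jenkins instance before relying on them. The Maven build command, the credential IDs, the team name and the file patterns are assumptions.

```groovy
// Added example: pipeline equivalent of the freestyle "Upload and Scan with Veracode"
// post-build action. Parameter names are taken from the plugin's pipeline step as
// understood by the editor; verify them in Jenkins > Pipeline Syntax.
pipeline {
    agent any
    options { timeout(time: 2, unit: 'HOURS') }   // outer guard in case the scan wait overruns
    stages {
        stage('Build') {
            steps {
                sh 'mvn -B -DskipTests package'   // assumed build; produces target/*.war
            }
        }
        stage('Veracode Static Analysis') {
            steps {
                // Do not hard-code the API key in the Jenkinsfile. Bind it from the
                // Jenkins credential store (assumed credential IDs below); the values
                // are then masked in Console Output.
                withCredentials([
                    string(credentialsId: 'veracode-api-id',  variable: 'VERACODE_API_ID'),
                    string(credentialsId: 'veracode-api-key', variable: 'VERACODE_API_KEY')
                ]) {
                    veracode applicationName: '$projectname',       // plugin variable, kept literal by single quotes
                             createProfile: true,                   // step 8: create the app if missing
                             teams: 'AppSec',                       // required when createProfile is true (assumed team)
                             criticality: 'High',                   // step 9
                             sandboxName: 'ci-sandbox',             // step 10 (assumed name)
                             createSandbox: true,                   // step 11
                             scanName: '$buildnumber',              // step 12: single quotes, not "$buildnumber"
                             uploadIncludesPattern: 'target/*.war', // step 13: paths relative to the workspace
                             uploadExcludesPattern: 'target/*-sources.jar',
                             scanIncludesPattern: '*.war',          // step 14: filenames only, no paths
                             fileNamePattern: '(.*)-SNAPSHOT(\\.war)', // step 15: rename app-1.0-SNAPSHOT.war
                             replacementPattern: '$1$2',            //          to app-1.0.war
                             waitForScan: true,                     // step 16
                             timeout: 90,                           // minutes to wait for the scan
                             deleteIncompleteScanLevel: '0',        // step 17: keep incomplete scans
                             canFailJob: true,                      // fail the build on a policy failure
                             vid: env.VERACODE_API_ID,              // env.* avoids interpolating secrets into strings
                             vkey: env.VERACODE_API_KEY
                }
            }
        }
    }
}
```

Two details matter for correctness. The plugin's own placeholders ($projectname, $buildnumber, $timestamp) must be in single-quoted Groovy strings; in double quotes Groovy would try to interpolate them as pipeline variables and the build would fail before the upload. And passing the bound credentials as env.VERACODE_API_ID rather than "$VERACODE_API_ID" keeps the secret out of Groovy string interpolation, which Jenkins flags as insecure because interpolated values can be echoed into the build log.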

Next steps:

You can monitor the progress of the Veracode job by selecting the build from the Jenkins left menu and clicking Console Output.