Veracode CI
Goal: Provide a command-line tool to use in NPM scripts for triggering Veracode scans in a CI/CD setting.
Usage
Prerequisites
- Have
VERA_ID
andVERA_KEY
environment variables defined with valid Veracode API Credentials
Setup in NPM Project
-
Install as a dev dependency
npm i -D veracode-ci
-
In the
scripts
block of your package.json, add a veracode script{ ... "scripts": { ... "veracode": "veracode --sandbox --appName=<your-veracode-app-name>" }, ... }
-
Run the veracode script
npm run veracode
Excluding Folders/Files
Additionally, you can specify your own excludes. By default, this package zips up everything in the current-working-directory of your project (where the package.json is) excluding the node_modules folder. You can overwrite this excludes by adding a comma-delimited value like so:
veracode --sandbox --appName=<your-veracode-app-name> --excludes='node_modules/**/*,lib/**/*'
Command-line Options
FLAG | VALUE | DESCRIPTION |
---|---|---|
sandbox |
none | Trigger a veracode scan in a sandbox under a provided (existing) app |
excludes |
comma-delimited string | Override what folders/files are excluded from the project for scanning. Defaults to node_modules/**/* . |
appId |
integer | Veracode App ID to run the scans under. Must have appId OR appName specified |
appName |
string | Veracode App Name to run the scans under. Must have appId OR appName specified |
scanAllNonfatalTopLevelModules |
true or false | See Veracode doc for beginprescan.do |
autoScan |
true or false | See Veracode doc for beginprescan.do |