YAML scripting is frequently used to simplify configuration management of CI/CD tools. This blog post shows how YAML scripts for build tools like Circle CI, Concourse CI, GitLab, and Travis can be edited in order to create integrations with the Veracode Platform. Integrating Veracode AppSec solutions into CI/CD pipelines enables developers to embed remediation of software vulnerabilities directly into their SDLC workflows, creating a more efficient process for building secure applications. You can also extend the script template proposed in this blog to integrate Veracode AppSec scanning with almost any YAML-configured build tool.  

Step One: Environment Requirements

The first step is to confirm that your selected CI tool supports YAML-based pipeline definitions. This guide assumes that you are spinning up Docker images to run your CI/CD workflows; those images can be based on either Java or .NET. The scripts included in this article target Java only, so confirm this before moving on to the next step.

Step Two: Setting Up Your YAML File

The second step is to locate the YAML configuration file, which for many CI tools is named config.yml. The basic syntax is the same for most build tools, with minor variations. The links below contain configuration file scripts for Circle CI, Concourse CI, GitLab, and Travis, which you can also use as examples when adapting configuration files for other build tools.

  • CircleCI
  • ConcourseCI
  • GitLab
  • Travis

Step Three: Downloading the Java API Wrapper

The next step downloads the Java API wrapper, which the Circle CI step below does with wget.

# grab the Veracode agent
- run:
    name: "Get the Veracode agent"
    command: |
      wget https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/19.2.5.6/vosp-api-wrappers-java-19.2.5.6.jar -O VeracodeJavaAPI.jar

Step Four: Adding Veracode Scan Attributes to Build Pipelines

The final step adds to the script all the information required to interact with the Veracode APIs, including data attributes such as the user's access credentials, the application name, the build version number, and so on. Veracode has created a rich library of APIs that provide numerous options for interacting with the Veracode Platform and that enable customers and partners to create their own integrations. Information on the Veracode APIs is available in the Veracode Help Center.

The script listed below demonstrates how to add these attributes to the Circle CI YAML configuration file so that the step invokes the uploadandscan API, which uploads the application from Circle CI to the Veracode Platform and triggers the Platform to run the application scan.

- run:
    name: "Upload to Veracode"
    command: java -jar VeracodeJavaAPI.jar
      -vid ${VERACODE_API_ID}
      -vkey ${VERACODE_API_KEY}
      -action uploadandscan
      -appname ${VERACODE_APP_NAME}
      -createprofile false
      -version CircleCI-${CIRCLE_BUILD_NUM}
      -filepath upload.zip

In this example, we have defined:

name – name of the YAML workflow step defined in this script

command – the command that runs the Veracode API wrapper. Downloading the API jar is covered in the previous step

-vid ${VERACODE_API_ID} – the user's Veracode API ID access credential

-vkey ${VERACODE_API_KEY} – the user's Veracode API key access credential

-action uploadandscan – name of the Veracode API invoked by this script

-appname ${VERACODE_APP_NAME} – name of the customer application to be uploaded and scanned by the Platform. This application name must match exactly the name defined in the application profile on the Veracode Platform

-createprofile false – Boolean that controls whether an application profile is created automatically when VERACODE_APP_NAME does not match an existing application profile:

  • If defined as true, the application profile is created automatically when no matching app name is found, and the upload and scan steps continue
  • If defined as false, no application profile is created and the upload and scan do not proceed

-version CircleCI-${CIRCLE_BUILD_NUM} – version identifier for this scan, derived from the Circle CI build number used to run this integration

-filepath upload.zip – location of the packaged application file that is uploaded to the Veracode API
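The same uploadandscan invocation, moved out of the YAML plain scalar into a POSIX shell script that the Step Four `command:` can call. This is an added example, not Veracode's code or the config from the page: it fails fast when a required variable is missing (naming the variable, never printing its value), refuses to run a downloaded wrapper jar whose SHA-256 does not match a pinned digest, and quotes every argument so an application name containing spaces survives. The script name veracode-scan.sh and the variables VERACODE_CREATE_PROFILE, VERACODE_UPLOAD_PATH and VERACODE_WRAPPER_SHA256 are assumptions of this example, not Veracode names, and the digest itself is a placeholder you would pin to the wrapper version downloaded in Step Three.

```shell
#!/bin/sh
# veracode-scan.sh (assumed name): wraps the uploadandscan call from Step Four.
# Added example; VERACODE_CREATE_PROFILE, VERACODE_UPLOAD_PATH and
# VERACODE_WRAPPER_SHA256 are assumed variable names, not Veracode's own.
set -eu

# Fail fast when a required variable is unset or empty. Only the variable
# names are printed, never their values, so the API key never reaches CI logs.
require_env() {
    missing=""
    for name in "$@"; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "missing required environment variable(s):$missing" >&2
        return 1
    fi
    return 0
}

# The -version label the page passes to uploadandscan: CircleCI-<build number>.
version_label() {
    echo "CircleCI-${CIRCLE_BUILD_NUM}"
}

# SHA-256 of a file, portable across sha256sum (Linux) and shasum (macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare the downloaded wrapper jar against a pinned digest so a tampered or
# truncated download is rejected before it is run with API credentials.
verify_wrapper() {
    jar="$1"
    expected="$2"
    [ -f "$jar" ] || { echo "wrapper jar not found: $jar" >&2; return 1; }
    actual="$(file_sha256 "$jar")"
    if [ "$actual" != "$expected" ]; then
        echo "wrapper jar digest mismatch (expected $expected, got $actual)" >&2
        return 1
    fi
    return 0
}

# Build and run the uploadandscan command. Exits non-zero on any failed check,
# which fails the CI step instead of uploading with a broken configuration.
run_scan() {
    jar="${1:-VeracodeJavaAPI.jar}"
    upload="${VERACODE_UPLOAD_PATH:-upload.zip}"
    require_env VERACODE_API_ID VERACODE_API_KEY VERACODE_APP_NAME CIRCLE_BUILD_NUM
    [ -f "$upload" ] || { echo "nothing to upload: $upload is missing" >&2; return 1; }
    # VERACODE_WRAPPER_SHA256 is a placeholder: pin it to the digest of the
    # wrapper version your pipeline downloads in Step Three.
    if [ -n "${VERACODE_WRAPPER_SHA256:-}" ]; then
        verify_wrapper "$jar" "$VERACODE_WRAPPER_SHA256"
    fi
    # Every value is quoted so spaces in the app name survive; never enable
    # shell tracing (set -x) here, it would print the -vkey value to the log.
    java -jar "$jar" \
        -vid "$VERACODE_API_ID" \
        -vkey "$VERACODE_API_KEY" \
        -action uploadandscan \
        -appname "$VERACODE_APP_NAME" \
        -createprofile "${VERACODE_CREATE_PROFILE:-false}" \
        -version "$(version_label)" \
        -filepath "$upload"
}

# Run the scan only when executed under the script's own name, so the
# functions can also be sourced (". veracode-scan.sh") without side effects.
case "${0##*/}" in
    veracode-scan.sh) run_scan "$@" ;;
esac
```

In the Step Four run block this replaces the multi-line plain scalar with `command: sh .circleci/veracode-scan.sh VeracodeJavaAPI.jar`, keeping the credentials in CircleCI environment variables exactly as the page does while the checks run before any upload is attempted.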

With these four steps, Veracode scanning is now integrated into a new CI/CD pipeline.

Integrating application security scanning directly into your build tools lets developers incorporate security scans into their SDLC cycles. Finding software vulnerabilities earlier in the development cycle allows for simpler remediation and more efficient issue resolution, enabling Veracode customers to build more secure software without compromising on development deadlines.

For additional information on Veracode Integrations, please visit our integrations page.

Veracode Blog