veracode-ci

Veracode client for triggering scans in Continuous Integration


Veracode CI

Goal: Provide a command-line tool to use in NPM scripts for triggering Veracode scans in a CI/CD setting.

Usage

Prerequisites

  • Have the VERA_ID and VERA_KEY environment variables defined with valid Veracode API credentials (an API ID and API key). In CI, inject them from the pipeline's secret store; do not hard-code them in package.json or commit them to the repository.

Setup in NPM Project

  1. Install as a dev dependency

    npm i -D veracode-ci
    
  2. In the scripts block of your package.json, add a veracode script

    {
        ...
        "scripts": {
            ...
            "veracode": "veracode --sandbox --appName=<your-veracode-app-name>"
        },
        ...
    }
    
  3. Run the veracode script

    npm run veracode
    

Excluding Folders/Files

You can also specify your own excludes. By default, this package zips up everything in the project's current working directory (the directory containing package.json) except the node_modules folder and uploads that archive to Veracode. Anything else present in that directory, such as .env files, local credential files or the .git history, goes along with it, so review what the project root contains before scanning. You can override the default exclusions (the value replaces the default, so repeat node_modules/**/* if you still want it excluded) by passing a comma-delimited list of glob patterns like so:

veracode --sandbox --appName=<your-veracode-app-name> --excludes='node_modules/**/*,lib/**/*'
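As an added example that is not part of veracode-ci, the following Node script models how a comma-delimited --excludes value filters the project tree before it is zipped, so you can see what an upload would contain before triggering a scan. It assumes that excludes are glob patterns matched against paths relative to the project root, which is how the default node_modules/**/* reads; the glob matcher, the SENSITIVE_PATTERNS list, the HARDENED_EXCLUDES value and the sample file tree are all constructed here and are not the package's own code.

```javascript
// Added example, not veracode-ci's own code. Models how a comma-delimited
// --excludes value filters the project tree before it is zipped for upload,
// and flags files that should never be sent to a scan service.
//
// Assumptions (not stated by the package): excludes are glob patterns
// supporting **, * and ?, matched against paths relative to the directory
// holding package.json; the default is "node_modules/**/*" as in the README.

const DEFAULT_EXCLUDES = 'node_modules/**/*';

// Convert one glob into an anchored RegExp. "**" spans directories,
// "*" and "?" do not cross a "/".
function globToRegExp(glob) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === '*' && glob[i + 1] === '*') {
      re += '.*';
      i++;
      // Let "a/**/b" also match "a/b" by making the following "/" optional.
      if (glob[i + 1] === '/') {
        re += '/?';
        i++;
      }
    } else if (c === '*') {
      re += '[^/]*';
    } else if (c === '?') {
      re += '[^/]';
    } else {
      re += c.replace(/[.+^${}()|[\]\\]/g, '\\$&');
    }
  }
  return new RegExp(`^${re}$`);
}

// Split a "--excludes='a/**/*,b/**/*'" style value. The value replaces the
// default, so node_modules must be listed again when overriding.
function parseExcludes(value = DEFAULT_EXCLUDES) {
  return value.split(',').map((g) => g.trim()).filter(Boolean);
}

// Return the paths that would end up in the upload zip.
function selectFilesForUpload(files, excludesValue = DEFAULT_EXCLUDES) {
  const patterns = parseExcludes(excludesValue).map(globToRegExp);
  return files.filter((f) => !patterns.some((re) => re.test(f)));
}

// Paths that typically carry credentials or history and do not belong in
// a scan upload: dotenv files, the git directory, npm auth tokens, key files.
const SENSITIVE_PATTERNS = [/^\.env(\..+)?$/, /^\.git\//, /^\.npmrc$/, /(^|\/)[^/]*\.pem$/];

function findSensitive(files) {
  return files.filter((f) => SENSITIVE_PATTERNS.some((re) => re.test(f)));
}

// Constructed sample tree; not taken from any real project.
const SAMPLE_TREE = [
  'package.json',
  'src/index.js',
  'lib/index.js',
  'node_modules/express/index.js',
  '.env',
  '.git/config',
  '.npmrc',
  'certs/server.pem',
];

// Weak setting: the default drops node_modules only, so secrets ride along.
// Hardened setting: repeat node_modules and add the sensitive paths.
const HARDENED_EXCLUDES = 'node_modules/**/*,.git/**/*,.env*,.npmrc,**/*.pem';

// Compare what the default and the hardened excludes would upload.
function compareExcludes(files) {
  const byDefault = selectFilesForUpload(files);
  const hardened = selectFilesForUpload(files, HARDENED_EXCLUDES);
  return {
    defaultUpload: byDefault,
    defaultLeaks: findSensitive(byDefault),
    hardenedUpload: hardened,
    hardenedLeaks: findSensitive(hardened),
  };
}

console.log(JSON.stringify(compareExcludes(SAMPLE_TREE), null, 2));
```

Run it with node against the constructed tree: the default excludes leave .env, .git/config, .npmrc and certs/server.pem in the upload, while the hardened value reduces it to package.json, src/ and lib/. To use the same idea against a real checkout, replace SAMPLE_TREE with a recursive directory listing relative to the package.json directory.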

Command-line Options

--sandbox (no value)
    Trigger a Veracode scan in a sandbox under the provided (existing) app.

--excludes <comma-delimited string>
    Override which folders/files are excluded from the project before scanning. Defaults to node_modules/**/*.

--appId <integer>
    Veracode App ID to run the scans under. One of --appId or --appName is required.

--appName <string>
    Veracode App Name to run the scans under. One of --appId or --appName is required.

--scanAllNonfatalTopLevelModules <true or false>
    Corresponds to the scan_all_nonfatal_top_level_modules parameter of the Veracode XML API call beginprescan.do; see the Veracode documentation for that call.

--autoScan <true or false>
    Corresponds to the auto_scan parameter of the Veracode XML API call beginprescan.do; see the Veracode documentation for that call.

Useful Resources