forked from veracode/verademo
-
Notifications
You must be signed in to change notification settings - Fork 9
/
bitbucket_pipelines.yml
105 lines (86 loc) · 5.59 KB
/
bitbucket_pipelines.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
# This is an example pipeline configuration for Veracode SAST and Agent Based Scan SCA
# Requires environment variables to be set:
# VERACODE_ID - Veracode API ID, see https://docs.veracode.com/r/t_create_api_creds
# VERACODE_KEY - Veracode API Key, see https://docs.veracode.com/r/t_create_api_creds
# SRCCLR_API_TOKEN - activation token for SCA Agent, see https://docs.veracode.com/r/t_sc_bitbucket_token
image: maven:3.3.9
pipelines:
branches:
master:
# - First build your project
- step:
name: 'maven'
script:
- mvn compile package
artifacts:
paths:
- target/verademo.war
# - Here we are running a Veracode Software Composition Analysis Agent-Based Scan
# - First we are invoking the Veracode SCA Agent-Based Scanner.
# - Next, we are running it directly against this repository.
# - You will need to leverage a Veracode SCA Agent token in order to authenticate the SCA Agent for a successful scan.
# - Results will be output into the console output as well as uploaded to the Veracode Platform.
# - You can find additional information about our SCA Agent-Based Scan here: https://help.veracode.com/r/c_SC_platform
- step:
name: 'Veracode Agent Based SCA Scan'
script:
- curl -sSL https://download.sourceclear.com/ci.sh | sh
- step:
name: 'development-upload-for-sast'
script:
- wget https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/$VERACODE_WRAPPER_VERSION/vosp-api-wrappers-java-$VERACODE_WRAPPER_VERSION.jar -O veracodeJavaAPI.jar
- java -jar veracodeJavaAPI.jar -vid ${VERACODE_ID} -vkey ${VERACODE_KEY}
-action UploadAndScan -appname "Verademo_bitbucket" -createprofile true -autoscan true -sandboxname "bitbucket-development" -createsandbox true
-filepath ./target/verademo.war -version "Job ${BITBUCKET_BUILD_NUMBER} in ${BITBUCKET_PROJECT_KEY}"
# allow_failure: true
- step:
name: 'release-upload-for-sast'
script:
- wget https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/$VERACODE_WRAPPER_VERSION/vosp-api-wrappers-java-$VERACODE_WRAPPER_VERSION.jar -O veracodeJavaAPI.jar
- java -jar veracodeJavaAPI.jar -vid ${VERACODE_ID} -vkey ${VERACODE_KEY}
-action UploadAndScan -appname "Verademo_bitbucket" -createprofile true -autoscan true -sandboxname "bitbucket-release" -createsandbox true
-filepath ./target/verademo.war -version "Job ${BITBUCKET_BUILD_NUMBER} in ${BITBUCKET_PROJECT_KEY}"
# allow_failure: true
- step:
name: 'policy-upload-for-sast'
script:
- wget https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/$VERACODE_WRAPPER_VERSION/vosp-api-wrappers-java-$VERACODE_WRAPPER_VERSION.jar -O veracodeJavaAPI.jar
- java -jar veracodeJavaAPI.jar -vid ${VERACODE_ID} -vkey ${VERACODE_KEY}
-action UploadAndScan -appname "Verademo_bitbucket" -createprofile true -autoscan true
-filepath ./target/verademo.war -version "Job ${BITBUCKET_BUILD_NUMBER} in ${BITBUCKET_PROJECT_KEY}"
# - optionally waith for the scan to complete
# -scantimeout 15
feature/*:
# - First build your project
- step:
name: 'maven'
script:
- mvn compile package
artifacts:
paths:
- target/verademo.war
# - Here we are running a Veracode Software Composition Analysis Agent-Based Scan
# - First we are invoking the Veracode SCA Agent-Based Scanner.
# - Next, we are running it directly against this repository.
# - You will need to leverage a Veracode SCA Agent token in order to authenticate the SCA Agent for a successful scan.
# - Set this token in the repository or account level as an environment variable named SRCCLR_API_TOKEN.
# - Results will be output into the console output as well as uploaded to the Veracode Platform.
# - You can find additional information about our SCA Agent-Based Scan here: https://help.veracode.com/r/c_SC_platform
- step:
name: 'Veracode Agent Based SCA Scan'
script:
- curl -sSL https://download.sourceclear.com/ci.sh | sh
# - Here we are running a Veracode Static Analysis Pipeline Scan
- step:
name: 'Veracode Pipeline Scan'
script:
- curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- unzip pipeline-scan-LATEST.zip pipeline-scan.jar
- java -jar pipeline-scan.jar -f target/verademo.war -vid ${VERACODE_ID} -vkey ${VERACODE_KEY} --fail_on_severity="Very High, High" --fail_on_cwe="80" --issue_details true
# - First we are downloading the latest Pipeline Scanner, and extracting and running it.
# - Next, we have are calling our API Credentials, pointing the scanner at the artifact we wish to scan, and then have our failure parameters in place.
# - If you wish to utilize Baseline File, you would add that as another line to point that at your baseline.json file which would sit in this repository.
# - For our Pipeline Scan, we have set our allow_failure to FALSE by default.
# - This is in order to break the build if we find flaws that violate our failure parameters.
# - Results will be output into the console output.
# - You can find additional information about our Static Pipeline Scan here: https://help.veracode.com/r/c_about_pipeline_scan