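# Example CircleCI pipeline that builds and scans a project using Veracode's Agent Based Scanner, Policy and Pipeline Scans.
#
# Layout: one `build` job produces ./target/verademo.war and persists it to the
# workspace; three independent scan jobs attach that workspace and each run one
# Veracode scan type. Credentials and versions come from CircleCI environment
# variables ($TEAM_ANALYSISCENTER_ID, $TEAM_ANALYSISCENTER_KEY,
# $VERACODE_WRAPPER_VERSION) that must be configured on the project/context.
version: 2.1
jobs:
  build:
    docker:
      # The primary container is an instance of the first image listed. The job's commands run in this container.
      - image: maven:3.6.3-openjdk-8
    working_directory: ~/target
    steps:
      - checkout
      # Install and run Maven
      #- run:
      #    name: Install Maven
      #    command: 'yum -y install maven'
      - run:
          name: Run Maven
          command: 'mvn compile package'
      # keep the files around for the scan job
      - persist_to_workspace:
          root: ./
          paths:
            # NOTE(review): `./` already covers `target`; both entries are kept
            # so the persisted workspace is unchanged.
            - target
            - ./

  # job to upload to Veracode for scanning (Policy Scan via the API wrapper)
  veracode_scan:
    # use a java-based image to run the Veracode API wrapper
    docker:
      - image: signiant/docker-jenkins-centos7-java8:latest
    #working_directory: ~/target
    steps:
      # get the files from the previous job
      - attach_workspace:
          at: ./
      # grab the Veracode agent
      # The jar is fetched over HTTPS from Maven Central at the version given by
      # $VERACODE_WRAPPER_VERSION; no checksum or signature is verified here, so
      # pin the version and consider verifying the artifact before running it.
      - run:
          name: "Get the Veracode agent"
          command: |
            wget https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/$VERACODE_WRAPPER_VERSION/vosp-api-wrappers-java-$VERACODE_WRAPPER_VERSION.jar -O veracode-wrapper.jar
            #chmod 755 veracode-wrapper.jar
      # upload for scanning
      # env vars are used to pass login creds and set the scan name
      # The API id/key are expanded onto the command line, so they are visible
      # to anything that can list processes inside the job container; keep them
      # in a CircleCI context/project env var, never in this file.
      # `>-` folds the argument list into a single line at runtime.
      - run:
          name: "Upload to Veracode"
          command: >-
            java -jar veracode-wrapper.jar
            -vid $TEAM_ANALYSISCENTER_ID
            -vkey $TEAM_ANALYSISCENTER_KEY
            -action uploadandscan
            -appname "Verademo_circleci"
            -createprofile true
            -version CircleCI-$CIRCLE_BUILD_NUM
            -filepath ./target/verademo.war

  # job to upload to Veracode for Agent Based SCA scanning
  abs_scan:
    docker:
      # specify the version you desire here
      #- image: signiant/docker-jenkins-centos7-java8:latest
      - image: maven:3.6.3-openjdk-8
    #working_directory: ~/repo
    steps:
      # get the files from the previous job
      - attach_workspace:
          at: ./
      # Install Maven
      #- run:
      #    name: Install Maven
      #    command: 'yum -y install maven'
      # download and run SourceClear scanner
      # This pipes a remotely fetched script straight into bash with no
      # integrity check; whatever that URL serves runs with the job's
      # credentials. Prefer downloading to a file and verifying it first.
      - run:
          name: "Veracode Agent Based Scan"
          command: |
            curl -sSL https://download.sourceclear.com/ci.sh | bash

  # job to perform a Veracode Pipeline Scan
  pipeline_scan:
    docker:
      - image: signiant/docker-jenkins-centos7-java8:latest
    steps:
      # get the files from the previous job
      - attach_workspace:
          at: ./
      # Download the scanner
      # "LATEST" is unpinned: each run may get a different scanner build and no
      # checksum is verified, so results are not reproducible across runs.
      - run:
          name: "Download Veracode Pipeline Scan"
          command: |
            curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
      - run:
          name: "Unzip Veracode Pipeline Scan"
          command: |
            unzip pipeline-scan-LATEST.zip
      # `|| true` is deliberate: this step only creates baseline.json, so a
      # failing scan (policy findings) must not fail the job. Drop it if the
      # scan is meant to gate the pipeline.
      - run:
          name: "Run Veracode Pipeline Scan and create a baseline"
          command: |
            java -jar pipeline-scan.jar -vid $TEAM_ANALYSISCENTER_ID -vkey $TEAM_ANALYSISCENTER_KEY -f ./target/verademo.war --json_output_file="baseline.json" || true

# serial jobs - need to run 'build' before 'scan'
# The three scan jobs only depend on build, so they run in parallel with each other.
workflows:
  version: 2.1
  build_and_scan:
    jobs:
      - build
      - pipeline_scan:
          requires:
            - build
      - veracode_scan:
          requires:
            - build
      - abs_scan:
          requires:
            - build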