Goal: Provide a command-line tool to use in NPM scripts for triggering Veracode scans in a CI/CD setting.
Prerequisites
- Have the `VERA_ID` and `VERA_KEY` environment variables defined with valid Veracode API credentials.
Setup in NPM Project
- Install as a dev dependency:

  ```sh
  npm i -D veracode-ci
  ```

- In the `scripts` block of your package.json, add a veracode script:

  ```json
  {
    ...
    "scripts": {
      ...
      "veracode": "veracode --sandbox --appName=<your-veracode-app-name>"
    },
    ...
  }
  ```

- Run the veracode script:

  ```sh
  npm run veracode
  ```
Additionally, you can specify your own excludes. By default, this package zips up everything in the current working directory of your project (where the package.json is), excluding the node_modules folder. You can override these excludes by passing a comma-delimited value like so:

```sh
veracode --sandbox --appName=<your-veracode-app-name> --excludes='node_modules/**/*,lib/**/*'
```
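To make the excludes behaviour concrete, here is an added illustration (not code from the veracode-ci package) that models how a comma-delimited `--excludes` value filters a project listing before it is zipped and uploaded, and checks that `VERA_ID`/`VERA_KEY` are present without ever printing them. The glob semantics (`**/` spanning any directory depth, `*` staying within one path segment) and the assumption that an explicit `--excludes` replaces the default rather than extending it are assumptions, not documented behaviour of the package.

```javascript
// Added illustration, not part of veracode-ci. Assumed glob semantics and
// an assumed "override replaces the default" rule, as noted in the lead-in.
const DEFAULT_EXCLUDES = 'node_modules/**/*';

// Convert one glob (as used in --excludes) into an anchored RegExp.
// '**/' matches any directory depth (including none); '*' stays in one segment.
function globToRegExp(glob) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (glob.startsWith('**/', i)) { re += '(?:.*/)?'; i += 2; }
    else if (c === '*') re += '[^/]*';
    else if (c === '?') re += '[^/]';
    else re += c.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  }
  return new RegExp('^' + re + '$');
}

// Parse the comma-delimited --excludes value; an omitted value means the default.
function parseExcludes(csv) {
  const value = csv === undefined ? DEFAULT_EXCLUDES : csv;
  return value.split(',').map(s => s.trim()).filter(Boolean).map(globToRegExp);
}

// Return the project files that would be uploaded for a given --excludes value.
function filesToZip(files, excludesCsv) {
  const patterns = parseExcludes(excludesCsv);
  return files.filter(f => !patterns.some(p => p.test(f)));
}

// True only if both credential variables are set and non-empty; never logs them,
// so a failing CI step does not leak the API key into build output.
function hasVeracodeCredentials(env = process.env) {
  return ['VERA_ID', 'VERA_KEY'].every(k => typeof env[k] === 'string' && env[k].trim() !== '');
}

// Constructed sample project listing (paths relative to the package.json directory).
const SAMPLE_FILES = [
  'package.json', 'src/index.js', 'lib/index.js',
  'node_modules/left-pad/index.js', 'node_modules/.bin/veracode',
];

// Three cases: the default, an override that forgets node_modules (so the whole
// dependency tree would be uploaded), and the override shown in the README.
function demo() {
  return {
    defaultExcludes: filesToZip(SAMPLE_FILES),
    overrideWithoutNodeModules: filesToZip(SAMPLE_FILES, 'lib/**/*'),
    overrideFromReadme: filesToZip(SAMPLE_FILES, 'node_modules/**/*,lib/**/*'),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```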
FLAG | VALUE | DESCRIPTION |
---|---|---|
`sandbox` | none | Trigger a Veracode scan in a sandbox under a provided (existing) app |
`excludes` | comma-delimited string | Override which folders/files are excluded from the project for scanning. Defaults to `node_modules/**/*`. |
`appId` | integer | Veracode App ID to run the scans under. Either `appId` or `appName` must be specified. |
`appName` | string | Veracode App Name to run the scans under. Either `appId` or `appName` must be specified. |
`scanAllNonfatalTopLevelModules` | `true` or `false` | See the Veracode documentation for `beginprescan.do`. |
`autoScan` | `true` or `false` | See the Veracode documentation for `beginprescan.do`. |