Veracode Automation CLI (using Jenkins for SDL integration)

Posted on 10-Jan-2017

v0.5 (Nov 2016)

Veracode Automation CLI

VERACODE AUTOMATION CLI

Why?

▸ Automate Application Security Scans

▸ Embed security scans in CI

▸ Based on Jenkins build pipeline

▸ Leverage central AppSec skills and distributed (one per app) network of Security Champions

VERACODE CLI

Veracode CLI

▸ Based on existing official REST API

▸ Hosted on GitHub, released under Apache 2.0 license

▸ https://github.com/DinisCruz/veracode-api

▸ Created to improve productivity and to allow easy creation of scan scripts

▸ Provides easy access to apps, scans, builds and results

List existing applications and builds

Current scan status

Create app, upload file, trigger scan, download, delete app

JENKINS INTEGRATION

Product Jenkins job triggers scan (on code push)

Simple configuration

Jenkins job to download reports

▸ Runs every x minutes (currently set to 15 minutes)

Downloads reports that are ready, deletes app

Results stored in GitHub (pushed from Jenkins)
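The report-collection job described in these slides, as an added illustration that is not code from the deck or from the veracode-api project: one polling run checks each pending app, saves the reports that are ready into the folder Jenkins later pushes to GitHub, deletes only those apps, and leaves in-progress and failed scans for a human or the next run. The client, its method names and the status strings are constructed stand-ins, not the real Veracode API.

```python
from dataclasses import dataclass, field
from pathlib import Path

# Status strings of the constructed fake client (not Veracode's own vocabulary).
READY, IN_PROGRESS, FAILED = "Results Ready", "Scan In Process", "Scan Errors"


@dataclass
class FakeVeracodeClient:
    """Constructed stand-in for the real API wrapper; keys are app ids."""
    status: dict
    reports: dict
    deleted: list = field(default_factory=list)

    def build_status(self, app_id):
        return self.status[app_id]

    def download_report(self, app_id):
        return self.reports[app_id]

    def delete_app(self, app_id):
        self.deleted.append(app_id)


def collect_reports(client, pending, results_dir):
    """One run of the scheduled Jenkins job: download ready reports into
    results_dir (the folder pushed to GitHub), delete the finished apps, and
    return (still_pending, failed) so the next run knows what is left."""
    results_dir = Path(results_dir)
    results_dir.mkdir(parents=True, exist_ok=True)
    still_pending, failed = [], []
    for app_id in pending:
        status = client.build_status(app_id)
        if status == READY:
            report = client.download_report(app_id)
            # Persist the report first; delete the app only once it is on disk,
            # so a crash between the two steps cannot lose results.
            (results_dir / f"{app_id}.xml").write_text(report)
            client.delete_app(app_id)
        elif status == FAILED:
            # Keep failed apps so the Security Champion can inspect them
            # instead of deleting the evidence or retrying forever.
            failed.append(app_id)
        else:
            still_pending.append(app_id)
    return still_pending, failed
```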

CONCURRENT SCANS

Scans

Thanks