How to integrate Veracode scanner as a pre-commit hook for git working repository? How can we check weather the scanner is actually running?
You can create a GitHub Action about Veracode static scan analysis. To do this you can follow the steps below:
In the Security tab of your GitHub project (you need to have admin rights for the GitHub project), click on "Enable settings" for "Code
scanning alerts".
This takes you to the Settings of the project, where you need to “Enable” “GitHub Advanced Security” for “Code scanning”,
and then click the “Go to code scanning” button that will be enabled.
Scrolling down on the list appearing with multiple code scanning tools, you pick “Veracode Static Analysis” (usually appearing on the bottom of the page).
Clicking to “Set up this workflow”, automatically creates a subdirectory in master branch in .github/workflows path. The workflow is configured in a .yml file, that contains the steps of the pipeline.
Prerequisite: you need to set up Veracode API Keys as Project Secrets (have a look here Create Veracode API keys and here
setup GitHub Action Secrets for Repository. Name your API Keys as VERACODE_API_ID and VERACODE_API_KEY (as these are the names that are set in .yml file or change them accordingly in both locations)
In the .yml file that got created automatically there is a pipeline that runs according to the rules set on the line where it says
you can have a look at this link for more information on push/pull request branches/tags
branch names can be altered, following regular expressions as well, see here for more info.
You can configure the Action to run on schedule as well.
Hover over “cron” to see the man-read format that appears. With this, the Action will run according to cron. Scheduled workflows run on the latest commit on the default or base branch.
Find more information on how to configure scheduled events on GitHub Actions here
In the Actions tab of your Project you can now see the logs of the run of the pipeline and each run's status.
After you have set up the GitHub Action as described above (steps 1-8), and the Action has run well (check its status as described in step 9) in the Security tab of your GitHub project, you should be able to see that "Code scanning alerts" are "Active", click on "View alerts", that takes you to the list of the Veracode flaws if any.
Related
The Save/Apply button is missing from Jenkins pipeline configuration page. There seems to be no other way to apply changes to the configuration settings. I am unable to find any useful answers or workarounds as well. I have tried several Javascript workarounds, reinstallation, uninstalled plugins that generated warnings, and stuff but nothing seems to be working. I am using Jenkins version 2.222.3 with BlueOcean.
It would be a great help if anyone can suggest a solution.
Jenkins Pipeline configuration is defined in Jenkins Pipeline (e.g. Jenkinsfile). To change your configuration, you need to edit your Jenkinsfile.
E.g. to change "Build periodically", here's an example of edit you need to do:
pipeline {
triggers {
cron('* * * * *') // run every minute
This is why the page you're looking at is called "View Configuration" — it is for viewing only.
Using the GitHub plugin, we have an organization folder that is scanned for any repositories that contain a Jenkinsfile. The configuration you are viewing is driven by a config.xml that is copied from the organization folder into each job that runs in a repo. So you want your changes to affect jobs/my_organization/config.xml, not jobs/my_organization/jobs/my_repo/config.xml.
In the UI this is accomplished by going up a level or two from the job or job run. There you will see the link change from "View Configuration" to "Configure".
I have a Jenkins pipeline that I have setup with a project I have on GitHub. Initially, I manually initiated a build each time I changed my code by clicking the "Build Now" option. However, I did two things to make my process easier:
I setup a GitHub hook to run the build I defined in my Jenkinsfile after each push to my master branch
I setup a periodic build to build every hour
I left my Jenkins for a day, came back, and everything, even from the dashboard, looks different.
For example:
My dashboard used to have these options:
New Item
People
Build History
Project Relationship
Check File Fingerprint
Manage Jenkins
My Views
Lockable Resources
Credentials
New View
The current dashboard only has three of those options:
People
Build History
Credentials
Also, when I clicked on my pipeline, the options I had were:
Status
Changes
Build Now
Delete Pipeline
Configure
Full Stage View
Rename
Pipeline Syntax
Whereas now, they are:
Status
Full Stage View
GitHub Hook Log
Git Polling Log
How can I change my configurations/settings to see the pages the way I saw them before? It seems I can't create any new items or change my current pipeline, which are things I may need to do in the future.
It turns out I wasn't logged in. I didn't think the initial pages would even show up if I hadn't been logged in, so I didn't even consider it to be a possibility. I logged in and all my issues were resolved.
I am trying to link or associate an external application url to jenkins job build.
So for every builds, this link or url should be available at the left side and any user can simply click on it to launch the external application.
So far I explored the following plugins for this:
https://wiki.jenkins.io/display/JENKINS/Associated+Files+Plugin - this associates a file or directory to the build , something similar to the html publisher plugin... not a url
https://wiki.jenkins.io/display/JENKINS/DocLinks+Plugin - similar to above , associate a doc from the build artifact directories
https://wiki.jenkins.io/pages/viewpage.action?pageId=52298023 - this Side bar link plugin can associate a external link to the jenkin project, but not to every builds
for me the external link which I am trying to associate to the build , dynamically changes for each build , basically some of the query parameter in the external link, so it's critical to associate it to every builds for tracking and other purposes . ex: the external link will be a like a small web app
http:hostnamexxx:port/somepage?para1=xxx¶2=yyyy
Please let me know if there is any plugin for this specific purpose or any other ideas
This would be the Anchor Chain plugin. I've played around with it a bit:
The docs state that the icon can be omitted. Then however you need to insert a tab character after the URL.
When inserting a link to an icon, it is always relative to Jenkins base URL.
I have Gitlab CE version 8.3 which is integrated with Jira. I am an admin user for Gitlab & have admin rights to the project in Jira. While pushing any commit to Gitlab with reference to issue id of jira creates successful link for it but no comments get posted from gitlab to jira. What could be the issue here?
My configurations also seem to be correct since the link between jira & gitlab is fine.
There's usually one more step you need to deal with in GitLab config, and that's setting appropriate "JIRA issue transition" value (which will trigger these comments).
In case you use custom workflows (but even if you don't) you need to double check whether value for "JIRA issue transition" specified under Gitlab's Services (Settings > Services > JIRA) matches transition ID in your JIRA workflow (take a look at this).
More info is available here.
"It is the ID of a transition that moves issues to a closed state. You can find this number under the JIRA workflow administration (Administration > Issues > Workflows) by selecting View under Operations of the desired workflow of your project. The ID of each state can be found inside the parenthesis of each transition name under the Transitions (id) column (see screenshot). By default, this ID is set to 2."
A project repository has been successfully connected to a Jenkins server using the BitBucket plugin, and a project set up such that:
Each push to a branch in BitBucket will trigger a webhook sent to the Jenkins server
When the Jenkins server receives the webhook it will build the changed branch (by specifying branch name as ** in the config)
After the build is complete a notification is sent back to BitBucket of the build status using the BitBucket notifier
Each of these has been easy to set up with just the instructions in the plugin and a few quick Googles. However I've now run into a problem which is maybe more a matter of wanting to run in an unconventional manner than anything else.
Using the normal emailer plugin or the Email-ext plugin it's possible to set emails to send to people involved in the creation of a build. For example the Email-ext plugin allows choice of:
Requester
Developers (all people who have commits in the build based off its last version)
Recipient list (a pre-set list)
Various "blame" settings for broken builds
The development process being followed involves each project being worked on by one developer in a named branch, e.g. userA/projectB. Obviously other developers could check that out and push to make changes but that's frowned upon. Even in that instance, the user who pushes the change to BitBucket should be notified.
None of the current settings support this. Requester is the closest, but that only works for manual builds. It seems a very simple requirement that the push to SCM that triggered a build should notify the user who pushed, but this is not documented anywhere that is easy to find.
After a lot of searching it seems the only way to accomplish this is by using a Pre-send script. This is added to the Advanced setting of the Email-ext post-build step, and takes the form of code written in Groovy which is a Java extension.
The script can take advantage of Environment variables, but is hard to test as there's no way to run the script with these in place. You can test simple Groovy scripts from Home -> Manage Jenkins -> Script console.
One important "gotcha" with the environment variables is that they are "included" in the script, rather than variables or constants. E.g. before the script compiles and runs, the content of the variable is pasted in place of its $NAME. In the example below the multi-line string syntax is used to include the BitBicket payload, whereas it might be expected that def payload = $BITBUCKET_PAYLOAD would simply work.
import javax.mail.Message.RecipientType
import javax.mail.Address
import javax.mail.internet.InternetAddress
import javax.mail.internet.MimeMessage
import groovy.json.JsonSlurper
def jsonSlurper = new JsonSlurper()
def bitbucket = jsonSlurper.parseText('''
$BITBUCKET_PAYLOAD'''
)
switch (bitbucket.actor.username){
case "userA":
msg.setRecipients(MimeMessage.RecipientType.TO, InternetAddress.parse("user.a#domain.com"));
break;
case "userB":
msg.setRecipients(MimeMessage.RecipientType.TO, InternetAddress.parse("user.b#domain.com"));
break;
}
The setRecipients command overwrites any existing recipient. Thus the recipient list or other email configuration should be set as a fallback for if the user is not recognised. Additionally, if there is nobody selected to send the email to, the script won't run at all. As added debugging, including the username in the body might help.
If the script fails, stack traces should be printed to the console log output of the test, and the build pass/fail shouldn't be affected, but the normal email address setup will be used instead. In stack traces look for lines with Script() in them, as that's the container which evaluates the Groovy script.