This action runs the Veracode Java Wrapper's 'upload and scan' action.
Inputs:

- `appname` (required): The application name. Default: `${{ github.repository }}`
- `createprofile` (required): `true` to create a new application profile. Default: `true`
- `filepath` (required): File path or folder path of the file or directory to upload. (If the last character is a backslash it needs to be escaped: `\\`.)
- `version` (required): The name or version number of the new build. Default: `Scan from Github job: ${{ github.run_id }}`
- `vid` (required): Veracode API ID.
- `vkey` (required): Veracode API key.
- `sandboxname` (optional): The name of the sandbox, if you would rather send your scan to a sandbox.
- `srcclr` (optional): Enable scanning this project with the srcclr agent. Currently only validated for Python. Default: `false`
- `srcclrtoken` (optional): Token for access to srcclr. Only used when `srcclr` is `true`.
The following example uploads all files contained within `folder_to_upload` to Veracode and starts a static scan.
The Veracode credentials are read from GitHub secrets. NEVER STORE YOUR SECRETS IN THE REPOSITORY.
```yaml
- uses: actions/setup-java@v1 # Make java accessible on path so the uploadandscan action can run.
  with:
    java-version: '8'
- uses: actions/upload-artifact@v2 # Copy files from repository to docker container so the next uploadandscan action can access them.
  with:
    path: folder_to_upload/*.jar # Wildcards can be used to filter the files copied into the container. See: https://github.com/actions/upload-artifact
- uses: actions/veracode-uploadandscan-action@master # Run the uploadandscan action. Inputs are described above.
  with:
    filepath: 'folder_to_upload/'
    vid: '${{ secrets.VERACODE_ID }}'
    vkey: '${{ secrets.VERACODE_KEY }}'
    srcclrtoken: '${{ secrets.SRCCLR_API_TOKEN }}'
    sandboxname: sandbox_to_send_scan
    srcclr: true
```
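A complete workflow around the step above, as an added example rather than content from the action's own README: it checks out the repository, builds the artifact, and sends the result to a policy scan with the credentials taken from secrets and the job limited to read-only repository access. The workflow name, the Maven build command and the `target/` output path are assumptions.

```yaml
# Added example, not part of the action's README. Assumes a Maven project
# whose build output lands in target/; adjust the build step and path otherwise.
name: veracode-static-scan

on:
  push:
    branches: [main]

permissions:
  contents: read   # the job only reads the repository; it needs no write scopes

jobs:
  upload-and-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2   # the upload step needs the source in the workspace

      - uses: actions/setup-java@v1 # java on PATH for the Veracode Java Wrapper
        with:
          java-version: '8'

      - name: Build the artifact to scan
        run: mvn --batch-mode package -DskipTests   # assumption: Maven build

      - uses: actions/upload-artifact@v2 # make the built jars available to the next step
        with:
          name: build-output
          path: target/*.jar

      - uses: actions/veracode-uploadandscan-action@master
        with:
          appname: '${{ github.repository }}'
          createprofile: true
          filepath: 'target/'                      # directory, no trailing backslash to escape
          version: 'Scan from Github job: ${{ github.run_id }}'
          vid: '${{ secrets.VERACODE_ID }}'         # credentials only ever come from secrets
          vkey: '${{ secrets.VERACODE_KEY }}'
```

Omitting `sandboxname` sends the upload to the application's policy scan; add it (and `srcclr`/`srcclrtoken` if wanted) exactly as in the example above to target a sandbox instead.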