A robust bash script wrapper for Veracode pipeline-scan commands that provides intelligent error analysis, pattern matching, and standardized exit codes for CI/CD integration.
The Veracode Pipeline-Scan Wrapper acts as a command wrapper that:
- Executes any command and displays its output in real-time
- Analyzes command output for specific error patterns when the original command exits with code 255
- Provides standardized exit codes (201-254) for different error categories
- Preserves original exit codes (0-200) when no patterns are matched
- Handles complex commands with spaces and special characters correctly
- Command Wrapping: Wraps any command while preserving argument structure
- Real-time Output: Displays command output as it runs
- Pattern Analysis: Detects specific error patterns in command output
- Standardized Exit Codes: Uses category-based exit codes (201-254) for consistent CI/CD integration
- Space Handling: Properly handles file paths with spaces and special characters
- Configurable Patterns: Easy-to-modify pattern configuration file
- Clone or download the repository
- Make the script executable: `chmod +x pipeline-scan-analyzer.sh`
- Ensure `grep` with extended regex support is available
- Customize `patterns.conf` if needed
```bash
./pipeline-scan-analyzer.sh [OPTIONS] -- COMMAND [ARGS...]
```

- `-c, --config FILE`: Specify custom patterns configuration file (default: `patterns.conf`)
- `-v, --verbose`: Enable verbose output
- `-d, --dry-run`: Show what would be executed without running the command
- `-h, --help`: Display help information
```bash
# Wrap a simple command
./pipeline-scan-analyzer.sh -- echo "Hello World"

# Wrap a command with file paths containing spaces
./pipeline-scan-analyzer.sh -- java -jar pipeline-scan.jar -f "/path/with spaces/file.war"

# Wrap Veracode pipeline-scan
./pipeline-scan-analyzer.sh -- java -jar pipeline-scan.jar -f "target/app.war"

# Use custom patterns file
./pipeline-scan-analyzer.sh -c custom-patterns.conf -- java -jar pipeline-scan.jar -f "app.war"

# Verbose mode
./pipeline-scan-analyzer.sh -v -- java -jar pipeline-scan.jar -f "app.war"
```
The wrapper uses a standardized exit code system to categorize different types of errors:
- `201`: TIMEOUT_DEFAULT - Exceeded default 60-minute limit
- `202`: TIMEOUT_USER - Exceeded user-specified timeout value

- `210`: AUTH_INVALID_CREDENTIALS - API ID/key bad or expired, 401 errors
- `211`: AUTH_INSUFFICIENT_PERMISSIONS - Token valid but lacks app/scan rights
- `212`: ACCOUNT_RATE_LIMIT - Platform throttling, 429 errors

- `220`: NET_DNS - Cannot resolve host, DNS issues
- `221`: NET_TLS - SSL/TLS handshake or certificate validation failure
- `222`: NET_PROXY - Proxy authentication or connectivity failure

- `230`: CONFIG_INVALID_PARAM - Bad CLI arguments, mutually exclusive flags
- `231`: CONFIG_POLICY_REFERENCE_NOT_FOUND - Named policy/ruleset missing
- `232`: CONFIG_BASELINE_MISSING - Baseline file path not found or unreadable
- `233`: CONFIG_THRESHOLD_CONFLICT - Conflicting --fail_on_* settings

- `240`: PKG_ARTIFACT_NOT_FOUND - Built package/path missing, file not found
- `241`: PKG_TOO_LARGE - Exceeds size limit
- `242`: PKG_UNSUPPORTED_LANG - No supported files detected for scan type
- `243`: PKG_EXCLUDE_RULES_ELIMINATED_ALL - Glob/exclude removed all inputs

- `250`: ENGINE_PARSER_ERROR - Preprocessing/AST parse error prevents analysis
- `251`: ENGINE_RULEPACK_INCOMPATIBLE - Ruleset version mismatch
- `252`: ENGINE_PARTIAL_SCAN - Scan completed with modules skipped (degraded)
- `253`: ENGINE_SCAN_FAILED - General scan or analysis failure
- `254`: ENGINE_UNKNOWN_ERROR - Unknown or unexpected engine error

- `0`: Success (PASS: no flaws found under current thresholds)
- `1-200`: FAIL: flaws found; value equals flaw count
Patterns are defined in `patterns.conf` using the format:

```
CATEGORY_NAME|pattern_regex|exit_code|error_message
```

```
AUTH_INVALID_CREDENTIALS|401|210|Authentication failed with HTTP 401 Unauthorized. Please verify your Veracode API credentials are correct and have not expired.
AUTH_INVALID_CREDENTIALS|unauthorized|210|Unauthorized access detected. Please verify your Veracode API credentials are correct and have not expired.
PKG_ARTIFACT_NOT_FOUND|file not found|240|File not found. The specified file could not be located. Please verify the file path and ensure the artifact exists.
ENGINE_PARSER_ERROR|parse error|250|Parser error detected. The Veracode engine encountered an error while parsing the code. This may indicate syntax issues or unsupported code constructs.
```
The fourth field contains a detailed error message that will be displayed in the analysis summary when a pattern is matched. These messages provide:
- Clear description of the issue
- Specific guidance on how to resolve the problem
- Context about what the error means
- Recommended next steps
- Command Execution: The wrapper executes the provided command and captures its output
- Exit Code Analysis:
  - If original exit code is 0-200: preserved (flaw count or success)
  - If original exit code is 255: triggers pattern analysis
- Pattern Matching: Searches command output for configured patterns
- Exit Code Determination:
  - Uses original exit code if no patterns match
  - Uses logical exit code from pattern matching if patterns are found
- Output Display: Shows command output, analysis summary with detailed error messages, and final exit code
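The decision steps above, applied to the `patterns.conf` format, as an added bash sketch that is not the project's script. The `classify` function, the sample log and both pattern files are constructed here; first-match-wins ordering, case-insensitive matching and passing through every non-255 code are assumptions. The sample also shows the bare `401` pattern labelling a DNS failure as an authentication error, which a more specific regex avoids.

```bash
#!/usr/bin/env bash
# Added sketch, not the project's code. Assumptions: the first matching line
# in the patterns file wins, matching is case-insensitive, and a regex cannot
# contain '|' because that character separates the fields.

# classify ORIGINAL_EXIT PATTERNS_FILE OUTPUT_FILE -> prints the final exit code
classify() {
    local original="$1" patterns="$2" output="$3"
    local category regex code message

    # The README preserves 0-200 (pass / flaw count); this sketch passes
    # through every value other than 255 unchanged (assumption).
    if [ "$original" -ne 255 ]; then
        printf '%s\n' "$original"
        return 0
    fi
    while IFS='|' read -r category regex code message; do
        # Skip blank or malformed lines and codes outside 201-254.
        [ -n "$category" ] && [ -n "$regex" ] || continue
        case $code in ''|*[!0-9]*) continue ;; esac
        [ "$code" -ge 201 ] && [ "$code" -le 254 ] || continue
        if grep -Eiq -- "$regex" "$output"; then
            printf '%s\n' "$code"
            return 0
        fi
    done < "$patterns"
    printf '%s\n' "$original"   # no pattern matched
}

# Constructed sample data: a DNS failure whose text happens to contain "401".
work=$(mktemp -d)
printf '%s\n' 'ERROR: unknown host api.example.invalid after 1401 ms' > "$work/scan.log"
printf '%s\n' \
    'AUTH_INVALID_CREDENTIALS|401|210|Bare status code, as in the README examples' \
    'NET_DNS|unknown host|220|Constructed pattern' > "$work/broad.conf"
printf '%s\n' \
    'AUTH_INVALID_CREDENTIALS|HTTP 401|210|Tied to the protocol token (constructed)' \
    'NET_DNS|unknown host|220|Constructed pattern' > "$work/narrow.conf"

echo "broad:  $(classify 255 "$work/broad.conf"  "$work/scan.log")"
echo "narrow: $(classify 255 "$work/narrow.conf" "$work/scan.log")"
echo "flaws:  $(classify 7   "$work/narrow.conf" "$work/scan.log")"
```

With first-match-wins ordering, a broad pattern placed early in the file shadows every later category, so a pipeline that branches on 210 versus 220 would page the wrong team for this log.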
When a pattern is matched, the wrapper displays a comprehensive analysis summary:
```
----------------------------------------
[WRAPPER] INFO: ANALYSIS SUMMARY
----------------------------------------
Original command exit code: 0
Pattern matched: AUTH_INVALID_CREDENTIALS
Pattern regex: invalid.*credential
Match count: 1
Logical exit code: 210
Error message: Invalid API credentials detected. Please verify your Veracode API ID and API Key are correct and have not expired. Check your credentials in the Veracode platform and update your configuration.
Reason: Pattern 'AUTH_INVALID_CREDENTIALS' found in command output
----------------------------------------
```
The summary includes:
- Original command exit code: The exit code from the wrapped command
- Pattern matched: The name of the matched pattern
- Pattern regex: The regular expression that matched
- Match count: Number of times the pattern was found
- Logical exit code: The standardized exit code (201-254)
- Error message: Detailed explanation and guidance
- Reason: Brief explanation of why this exit code was chosen
The wrapper is designed for seamless CI/CD integration:
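```yaml
# GitHub Actions Example
- name: Run Veracode Scan
  run: |
    # $? does not carry over between steps, so capture and handle it here
    rc=0
    ./pipeline-scan-analyzer.sh -- java -jar pipeline-scan.jar -f "target/app.war" || rc=$?
    if [ "$rc" -eq 0 ]; then
      echo "Scan passed - no flaws found"
    elif [ "$rc" -le 200 ]; then
      echo "Scan failed - found $rc flaws"
    elif [ "$rc" -le 254 ]; then
      echo "Scan failed - error category: $rc"
    fi
    # Propagate the wrapper's exit code so the step still fails on errors
    exit "$rc"
```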
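```yaml
# GitLab CI Example
veracode_scan:
  script:
    - |
      # after_script runs in a separate shell, so $? must be read here
      rc=0
      ./pipeline-scan-analyzer.sh -- java -jar pipeline-scan.jar -f "target/app.war" || rc=$?
      if [ "$rc" -eq 0 ]; then
        echo "Scan passed - no flaws found"
      elif [ "$rc" -le 200 ]; then
        echo "Scan failed - found $rc flaws"
      elif [ "$rc" -le 254 ]; then
        echo "Scan failed - error category: $rc"
      fi
      # Propagate the wrapper's exit code so the job still fails on errors
      exit "$rc"
```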
- Bash: Version 4.0 or higher
- grep: With extended regex support (`grep -E`)
- Unix-like environment: Linux, macOS, or WSL
- "grep with extended regex support (-E) is required"
  - Ensure `grep -E` is available and functional
  - Test with: `echo "test" | grep -E "test"`
- Command arguments with spaces not working
  - Use quotes around arguments: `"/path/with spaces/file.war"`
  - The wrapper automatically handles proper quoting
- Patterns not matching
  - Check regex syntax in `patterns.conf`
  - Use verbose mode (`-v`) to see detailed output
  - Ensure patterns are specific enough to avoid false positives
Enable verbose output to troubleshoot issues:
```bash
./pipeline-scan-analyzer.sh -v -- your-command
```
- Fork the repository
- Create a feature branch
- Make your changes
- Test thoroughly
- Submit a pull request
This project is licensed under the MIT License - see the LICENSE file for details.
For issues and questions:
- Check the troubleshooting section
- Review the pattern configuration
- Enable verbose mode for debugging
- Open an issue with detailed error information