I'm running a GitHub Action with a step that runs a code scanning utility called veracode (see docs). One of the parameters references a file (containing known, excluded issues) that I know is in the directory but seems not to be found.
This is the output from the step (note the md5sum which outputs the right value):
Run pwd
pwd
ls -l
md5sum veracode-baseline.json
./veracode static scan scan-me.zip --app-id 123 --baseline-file veracode-baseline.json
shell: /usr/bin/bash --noprofile --norc -e -o pipefail {***}
env:
...
VERACODE_APP_ID: 123
VERACODE_API_KEY_ID: ***
VERACODE_API_KEY_SECRET: ***
...
/home/runner/work/my-repo/my-repo
total 128424
-rw-rw-rw- 1 root root 19***6 Mar 4 16:37 LICENSE
-rw-r--r-- 1 runner docker 1355 Mar 5 22:29 Notes.md
-rw-rw-rw- 1 root root 897 Mar 4 16:37 README
-rw-r--r-- 1 runner docker 499 Mar 5 22:29 README.md
...
-rw-r--r-- 1 runner docker 8381***4*** Mar 5 22:32 scan-me.zip
...
-rwxr-xr-x 1 root root 122728448 Mar 4 16:44 veracode
-rw-r--r-- 1 runner docker 327389 Mar 5 22:29 veracode-baseline.json
c4c4f61f4d586a24ab***73***751b8d8e63 veracode-baseline.json
----------------------------------------------------------------
Veracode Static Analysis Scan
...
The result of this step is the same as if the file did not exist. I can run the same command on my workstation successfully.
Why does the analysis ignore the baseline file?
After contacting Veracode support (issue 00842308) I understand I am supposed to be using either:
They did not answer my question about why my approach was not working.
Also, GitHub Workflow Integration doesn't have a baseline feature and requires GitHub org-level setup that isn't available to me (inside a large organization). So I'll try Pipeline Scan instead.
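A preflight check that can be dropped into the workflow step before the scan command, so the log shows whether the path handed to `--baseline-file` actually resolves to a readable, non-empty, well-formed JSON file from the runner's working directory. This is an added example, not code from the question or from Veracode; the `check_baseline` function name, the hypothetical `findings` key and the demo files are constructed here, and it assumes `bash` and (for the JSON check) `python3` on the runner.

```shell
#!/usr/bin/env bash
# Preflight for a baseline file before a scanner step (added example, not from
# the question or from Veracode). Assumes bash and, for JSON validation, python3.
# Returns 0 only if the file exists relative to the current directory, is
# readable by the current user, is non-empty and parses as JSON; otherwise it
# prints a specific reason to stderr and returns 1, so the step fails early
# instead of the scanner silently running without a baseline.

check_baseline() {
  local f="$1"
  if [ ! -f "$f" ]; then
    echo "baseline: '$f' not found relative to $(pwd)" >&2
    return 1
  fi
  if [ ! -r "$f" ]; then
    echo "baseline: '$f' is not readable by $(id -un)" >&2
    return 1
  fi
  if [ ! -s "$f" ]; then
    echo "baseline: '$f' is empty" >&2
    return 1
  fi
  # Only validate JSON when python3 is present; otherwise warn and continue.
  if command -v python3 >/dev/null 2>&1; then
    if ! python3 -c 'import json,sys; json.load(open(sys.argv[1]))' "$f" 2>/dev/null; then
      echo "baseline: '$f' is not valid JSON" >&2
      return 1
    fi
  else
    echo "baseline: python3 missing, skipped JSON validation" >&2
  fi
  # Log the checksum so it can be compared with what the scanner reports.
  echo "baseline: ok $(md5sum "$f")"
  return 0
}

# Constructed demo inputs (not the question's real baseline file).
demo_dir=$(mktemp -d)
printf '{"findings":[]}' > "$demo_dir/good.json"
printf '{oops' > "$demo_dir/bad.json"
: > "$demo_dir/empty.json"

# Usage in a workflow step: run the check, then the scan only if it passed.
# check_baseline veracode-baseline.json && ./veracode static scan scan-me.zip --app-id 123 --baseline-file veracode-baseline.json
check_baseline "$demo_dir/good.json"
```

The checks run in the same shell as the scan command, so a path that passes here is the same path the scanner receives; if it passes and the scanner still behaves as if the file were absent, the problem lies with how the tool consumes the file rather than with the runner's filesystem.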