Agent scan directives

scan_collectors

By default, Veracode SCA agents find all supported build tools and package managers in the directory specified by the scan command, or the current directory for CI scans. You can use scan_collectors to specify which build tools and package managers to use. The possible values for scan_collectors are:

Language / Collector
Java
  • maven
  • gradle
  • ant
  • jar
  • "Maven Native Dep"
  • "Gradle Native Dep"
Scala
  • sbt
  • "sbt coursier"
Go
  • glide
  • "go get"
  • "go mod"
  • godep
  • dep
  • govendor
  • trash
Python
  • pip
  • pipenv
JavaScript
  • bower
  • yarn
  • npm
Objective-C
  • cocoapods
Ruby
  • gem
PHP
  • composer
C/C++
  • makefile
  • sofile
C#/.NET
  • msbuilddotnet
  • dll

When you run the SCA agent with the --quick option, the possible values for scan_collectors are:

Language / Collector
Java
  • "jar quickscan"
Scala
  • "jar quickscan"
Go
  • "glide quickscan"
  • "godeps quickscan"
  • "dep quickscan"
  • "go mod quickscan"
  • "govendor quickscan"
  • "trash quickscan"
Python
  • "pipfile.lock quickscan"
JavaScript
  • "bower quickscan"
  • "yarn quickscan"
  • "npm quickscan"
  • "node_modules quickscan"
Objective-C
  • "podfile.lock quickscan"
Ruby
  • "gemfile.lock quickscan"
PHP
  • "composer quickscan"
C/C++
  • "sofile quickscan"
C#/.NET
  • "dotnet quickscan"
  • "dll quickscan"
SBOM
  • SbomQuickScanCollector

Example:

scan_collectors: "gem, maven"

skip_collectors

By default, Veracode SCA agents find all supported build tools and package managers in the directory specified by the scan command, or the current directory for CI scans. You can use skip_collectors to specify which build tools and package managers to ignore when running a scan. The possible values for skip_collectors are:

Language / Collector
Java
  • maven
  • gradle
  • ant
  • jar
  • "Maven Native Dep"
  • "Gradle Native Dep"
Scala
  • sbt
  • "sbt coursier"
Go
  • glide
  • "go get"
  • "go mod"
  • godep
  • dep
  • govendor
  • trash
Python
  • pip
  • pipenv
JavaScript
  • bower
  • yarn
  • npm
Objective-C
  • cocoapods
Ruby
  • gem
PHP
  • composer
C/C++
  • makefile
  • sofile
C#/.NET
  • msbuilddotnet
  • dll

When you run the SCA agent with the --quick option, the possible values for skip_collectors are:

Language / Collector
Java
  • "jar quickscan"
Scala
  • "jar quickscan"
Go
  • "glide quickscan"
  • "godeps quickscan"
  • "dep quickscan"
  • "go mod quickscan"
  • "govendor quickscan"
  • "trash quickscan"
Python
  • "pipfile.lock quickscan"
JavaScript
  • "bower quickscan"
  • "yarn quickscan"
  • "npm quickscan"
  • "node_modules quickscan"
Objective-C
  • "podfile.lock quickscan"
Ruby
  • "gemfile.lock quickscan"
PHP
  • "composer quickscan"
C/C++
  • "sofile quickscan"
C#/.NET
  • "dotnet quickscan"
  • "dll quickscan"
SBOM
  • SbomQuickScanCollector

Example:

skip_collectors: "godep,govendor,go get"

Important

If you pass a comma-separated list to skip_collectors in PowerShell, you must enclose the string in quotation marks to avoid errors.
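
A pre-scan lint for the scan_collectors and skip_collectors directives, as an added example that is not Veracode's code: it checks each name against the values listed on this page, flags names that belong to the other scan mode, and flags names that appear in both directives. The function names, the line-based parsing, and exact case-sensitive matching are assumptions.

```python
# Added example: lint collector directives against the values listed on this page.
# Assumption: names are matched exactly (case-sensitive), as they are printed here.
STANDARD = {
    "maven", "gradle", "ant", "jar", "Maven Native Dep", "Gradle Native Dep",
    "sbt", "sbt coursier", "glide", "go get", "go mod", "godep", "dep",
    "govendor", "trash", "pip", "pipenv", "bower", "yarn", "npm", "cocoapods",
    "gem", "composer", "makefile", "sofile", "msbuilddotnet", "dll",
}
QUICK = {
    "jar quickscan", "glide quickscan", "godeps quickscan", "dep quickscan",
    "go mod quickscan", "govendor quickscan", "trash quickscan",
    "pipfile.lock quickscan", "bower quickscan", "yarn quickscan",
    "npm quickscan", "node_modules quickscan", "podfile.lock quickscan",
    "gemfile.lock quickscan", "composer quickscan", "sofile quickscan",
    "dotnet quickscan", "dll quickscan", "SbomQuickScanCollector",
}
DIRECTIVES = ("scan_collectors", "skip_collectors")
# Constructed sample input: "mavn" is a deliberate typo.
SAMPLE = 'scan_collectors: "gem, mavn"\nskip_collectors: "godep,govendor,go get"'


def parse_list(value):
    """Split a directive value on commas; collector names may contain spaces."""
    value = value.strip().strip('"').strip("'")
    return [item.strip() for item in value.split(",") if item.strip()]


def lint(config_text, quick=False):
    """Return findings for the collector directives found in config_text."""
    allowed, other = (QUICK, STANDARD) if quick else (STANDARD, QUICK)
    findings, seen = [], {}
    for line in config_text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if not sep or key not in DIRECTIVES:
            continue
        seen[key] = parse_list(value)
        for name in seen[key]:
            if name in allowed:
                continue
            if name in other:
                mode = "without" if quick else "with"
                findings.append(f"{key}: '{name}' is only listed for scans {mode} --quick")
            else:
                findings.append(f"{key}: '{name}' is not a listed collector")
    both = set(seen.get("scan_collectors", [])) & set(seen.get("skip_collectors", []))
    findings += [f"'{n}' appears in both scan_collectors and skip_collectors" for n in sorted(both)]
    return findings
```

Pass quick=True when the agent runs with the --quick option so that the quickscan names are the accepted set.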

scan_analyzers

By default, in container scans, Veracode SCA agents find all supported build tools and package managers in the directory specified by the scan command, or the current directory for CI scans. You can use scan_analyzers to specify which build tools and package managers to use. The possible values for scan_analyzers are:

Analyzer | Package Manager | Language/Distribution
yum | yum | CentOS, RHEL
gem | gem | Ruby
pip2 | pip2 | Python 2
pip3 | pip3 | Python 3
npm | NPM | JavaScript
apk | apk | Alpine
apt | apt | Debian, Ubuntu

Example:

scan_analyzers: "apk, yum"

skip_analyzers

By default, in container scans, Veracode SCA agents find all supported build tools and package managers in the directory specified by the scan command, or the current directory for CI scans. You can use skip_analyzers to specify which build tools and package managers to ignore when running a scan. The possible values for skip_analyzers are:

Analyzer | Package Manager | Language/Distribution
yum | yum | CentOS, RHEL
gem | gem | Ruby
pip2 | pip2 | Python 2
pip3 | pip3 | Python 3
npm | NPM | JavaScript
apk | apk | Alpine
apt | apt | Debian, Ubuntu

Example:

skip_analyzers: "apk, yum"

vuln_methods_ignored_directories

A comma-separated list of directories that you want Veracode to ignore during a vulnerable method analysis. This directive overrides the default directories.

Example:

vuln_methods_ignored_directories: doc

vuln_methods_extra_ignored_directories

A comma-separated list of directories for the agent to ignore during a vulnerable method analysis, in addition to the default per-language set.

Example:

vuln_methods_extra_ignored_directories: "doc, test"

Default values:

  • Ruby: test
  • Java: test
  • Python: test, tests, doc, docs, bin, .virtualenv, env, venv

ssl_cert_dir

A filepath that specifies the directories that contain X.509 certificates that the Veracode SCA agent should trust in addition to the certificates present in the Java Runtime Environment (JRE) or stored in your operating system. If you enter multiple directories, separate the filepaths with the correct path separator for your operating system. For example, use a colon (:) for Linux and macOS.

Default value: the certificate location directory specified in the Java Virtual Machine (JVM).

Example:

ssl_cert_dir: C:\path\to\certificate\directory

ssl_cert_file

A filepath that specifies the X.509 certificates that the Veracode SCA agent should trust in addition to the certificates present in the JRE or stored in your operating system. If you enter multiple files, separate the filepaths with the correct path separator for your operating system. For example, use a colon (:) for Linux and macOS. If specified, this value overrides the ssl_cert_dir directive.

Default value: the certificate location specified in the JVM.

Example:

ssl_cert_file: C:\path\to\certificate\example_cert.cer

scope

For scope options, see Multi-Language Scan Directives.