Configure Your Bamboo Repository

Veracode Software Composition Analysis

Bamboo is an on-premises CI system, which means you must install cURL on your server before running a Veracode Software Composition Analysis agent-based scan.

You can install cURL over an SSH connection to your server. After installing cURL, you also need the path to the executable so that Bamboo can run commands. To get the path, connect to the server over SSH and run the command which curl. This command prints the path to the curl binary for later use.

To scan with agent-based scanning, you must add post-build steps to your Bamboo plan:

  1. Navigate to the plan where you want to add agent-based scanning.
  2. From the Actions menu, click Configure Plan.
  3. Select the job where your code is built.
  4. In the Tasks section, select Add Task > Script.
  5. Modify the fields as follows:
    1. For Task Description, enter Veracode Agent-Based Scan.
    2. Verify Interpreter is set to Shell.
    3. Verify Script location is set to Inline.
    4. For Script body, enter curl -sSL | sh.
    5. Verify Argument is blank.
    6. For Environment variables:
      • If you did not set the SRCCLR_API_TOKEN_PASSWORD at the global or plan levels, enter SRCCLR_API_TOKEN=<token>.
      • If you set the token at the global level, enter: export SRCCLR_API_TOKEN=${bamboo.SRCCLR_API_TOKEN_PASSWORD}.
    7. Verify Working sub directory is blank, unless the dependency configuration file (such as package.json, pom.xml, build.gradle, or requirements.txt) is in a subdirectory. If it is in a subdirectory, specify the path to that subdirectory.
  6. Click Save.
  7. Drag the agent-based scan command to the bottom of the task list directly above the final tasks section.
    Final tasks run even if a previous task fails. Placing the scan command before the final tasks ensures that no unnecessary scan attempt is made when the build fails.

The next time this plan is built, Veracode SCA runs an agent-based scan.
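A pre-flight script for the inline Script task described above, added here as an example and not Veracode's own script: it checks the preconditions the page names (cURL on the server, SRCCLR_API_TOKEN set, the location of the dependency configuration file for Working sub directory) before the agent is fetched, and fails the task early without writing the token to the build log. The function names are assumptions; the agent install URL is not hard-coded and must be taken from the Veracode documentation.

```shell
#!/bin/sh
# Pre-flight checks for the Veracode agent-based scan task in Bamboo.
# Added example, not Veracode's own script. The real Script body installs
# and runs the agent with "curl -sSL <agent URL> | sh"; the URL comes from
# the Veracode documentation and is deliberately not included here.

# Return 0 if curl is on PATH (the "which curl" check from the page), else 1.
have_curl() {
    command -v curl >/dev/null 2>&1
}

# Return 0 if the scan token variable is set and non-empty. The value is
# never echoed, so it cannot end up in the Bamboo build log.
token_present() {
    [ -n "${SRCCLR_API_TOKEN:-}" ]
}

# Print the directory (relative to $1) holding the first dependency
# configuration file named on the page; this is the value to enter for
# "Working sub directory" ("." means the build root). Returns 1 if none found.
find_manifest_dir() {
    root="$1"
    for f in package.json pom.xml build.gradle requirements.txt; do
        p=$(find "$root" -name "$f" -type f 2>/dev/null | head -n 1)
        if [ -n "$p" ]; then
            dirname "$p" | sed "s|^$root/||; s|^$root\$|.|"
            return 0
        fi
    done
    return 1
}

# Run all checks; a non-zero exit makes the Bamboo task fail before any
# scan attempt, matching the page's advice to avoid needless scans.
preflight() {
    root="${1:-.}"
    have_curl || { echo "curl not installed on the Bamboo server" >&2; return 1; }
    token_present || { echo "SRCCLR_API_TOKEN is not set" >&2; return 1; }
    dir=$(find_manifest_dir "$root") || {
        echo "no dependency configuration file found under $root" >&2; return 1; }
    echo "manifest directory for Working sub directory: $dir"
}
```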