Integrate Veracode SCA Agent-Based Scanning with Your CI Projects
You can integrate Veracode Software Composition Analysis agent-based scanning into most continuous integration (CI) systems. The integration requires you to create an agent, then add the agent token and scan command to your CI project.
These instructions can apply to most CI systems. Specific instructions are available for Bamboo, Bitbucket, CircleCI, Codeship, GitLab, Jenkins, Travis CI, Gradle, and Maven.
By default, the agent you create is visible only to members of the workspace in which you created it. To make it visible to other teams, invite those teams to your workspace.
Before you begin:
You have the Security Lead, Submitter, Workspace Administrator, or Workspace Editor role.
Your client supports TLS 1.2 or later and one of the following ciphers:
Contact your IT department to confirm your client meets this requirement.
To complete this task:
In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
Click the Agent-Based Scan tab.
Select a workspace.
Click Agents > Actions > Create.
Select any option from the Integration Options section.
The option you select does not affect the agent or your scan results.
Click Create Agent & Generate Token.
In your CI project, store your agent token as a secret environment variable called
See the documentation for your CI system for instructions on setting secret environment variables.
If your Veracode account is in the Commercial Region, skip this step. If your Veracode account is in the European or United States Federal Region, set the SRCCLR_REGION environment variable to one of the following:
- European Region:
- United States Federal Region:
Add this command to your CI project to download the agent and start scanning:
curl -sSL https://download.sourceclear.com/ci.sh | sh
For example, in GitLab, add the command after the after_script step in the
You can customize this command to enable additional features of agent-based scanning.
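The token, region and download steps above, wrapped in a small preflight script as an added example. This is not Veracode's ci.sh and is not code from the original page. It assumes the agent reads its token from an environment variable named SRCCLR_API_TOKEN (the page's text cuts the variable name off), and it uses obvious placeholder region codes, so set SRCCLR_ALLOWED_REGIONS to the real codes from your Veracode documentation before use. The URL is the one the page gives.

```sh
#!/bin/sh
# Added example: preflight wrapper around the Veracode SCA agent download command.
# Not Veracode's ci.sh. Assumed names: SRCCLR_API_TOKEN (token variable, truncated
# on the page) and SRCCLR_ALLOWED_REGIONS (this wrapper's own list of accepted
# region codes; the defaults are placeholders, not real Veracode codes).

AGENT_URL="https://download.sourceclear.com/ci.sh"

# Log to stderr. Never echo the token value; CI logs are often widely readable.
log() { printf 'srcclr-wrapper: %s\n' "$*" >&2; }

# srcclr_preflight: return 0 when the job environment is ready, 1 otherwise.
#   - the token secret must be set and non-empty
#   - SRCCLR_REGION, if set at all, must be one of the allowed region codes
# Failing here gives a clear message instead of a confusing agent error later.
srcclr_preflight() {
  allowed="${SRCCLR_ALLOWED_REGIONS:-REGION_CODE_EU REGION_CODE_FED}"  # placeholders
  if [ -z "${SRCCLR_API_TOKEN:-}" ]; then
    log "SRCCLR_API_TOKEN is not set; store the agent token as a secret CI variable"
    return 1
  fi
  if [ -n "${SRCCLR_REGION:-}" ]; then
    ok=1
    for code in $allowed; do
      [ "$SRCCLR_REGION" = "$code" ] && ok=0
    done
    if [ "$ok" -ne 0 ]; then
      log "SRCCLR_REGION='$SRCCLR_REGION' is not one of: $allowed"
      return 1
    fi
  fi
  return 0
}

# srcclr_run_scan: download the agent script to a temporary file, then run it.
# Compared with 'curl ... | sh', downloading first means a failed or truncated
# download (-f turns HTTP errors into a non-zero exit) never reaches the shell,
# --tlsv1.2 matches the agent's TLS requirement, and --proto '=https' refuses
# any redirect to plain HTTP.
srcclr_run_scan() {
  tmp=$(mktemp) || return 1
  if curl -fsSL --tlsv1.2 --proto '=https' -o "$tmp" "$AGENT_URL"; then
    sh "$tmp"
    rc=$?
  else
    log "download of $AGENT_URL failed; scan not started"
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Entry point for the CI job: only start the scan when invoked with --scan,
# so the file can also be sourced to run the checks alone.
if [ "${1:-}" = "--scan" ]; then
  srcclr_preflight && srcclr_run_scan
fi
```

In a CI job the call is `sh srcclr-wrapper.sh --scan`, with SRCCLR_API_TOKEN defined as a masked or secret variable and SRCCLR_REGION set only for European or US Federal accounts. Keeping the token out of the script and out of log output is the point of the wrapper; the agent's own options can still be passed by editing the `sh "$tmp"` line.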