Integrate Veracode SCA agent-based scanning with your CI projects

You can integrate Veracode Software Composition Analysis agent-based scanning into most continuous integration (CI) systems. The integration requires you to create an agent, then add the agent token and scan command to your CI project.

These instructions can apply to most CI systems. Specific instructions are available for Bamboo, Bitbucket, CircleCI, Codeship, GitLab, Jenkins, Travis CI, Gradle, and Maven.

By default, the agent you create is only visible to members of the workspace in which you created the agent. To allow visibility, invite teams to your workspace.

Before you begin:

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.

  2. Select Agent-Based Scan.

  3. Select a workspace.

  4. Select Agents > Actions > Create.

  5. Select any option from the Integration Options section.

    The option you select does not affect the agent or your scan results.

  6. Select Create Agent & Generate Token.

  7. In your CI project, store your agent token as a secret environment variable called SRCCLR_API_TOKEN.

    See the documentation for your CI system for instructions on setting secret environment variables.

  8. If your Veracode account is in the Commercial Region, skip this step. If your Veracode account is in the European or United States Federal Region, set the SRCCLR_REGION environment variable to one of the following:

    • European Region: ER
    • United States Federal Region: FED

  9. Add this command to your CI project to download the agent and start scanning:

    curl -sSL https://download.sourceclear.com/ci.sh | sh

    For example, in GitLab, add the command after the after_script step in the .gitlab-ci.yml file.

    You can customize this command to enable additional features of agent-based scanning.