Integrate Veracode SCA Agent-Based Scanning with Your CI Projects

Veracode Software Composition Analysis

You can integrate Veracode Software Composition Analysis agent-based scanning into most continuous integration (CI) systems. The integration requires you to create an agent and add the agent token and scan command to your CI project.

To complete this task, you need the Security Lead, Submitter, Workspace Administrator, or Workspace Editor role.

These instructions can apply to most CI systems. Specific instructions are available for Bamboo, Bitbucket, CircleCI, Codeship, GitLab, Jenkins, and Travis CI.

By default, the agent you create is visible only to members of the workspace in which you created it. To give other teams visibility of the agent, invite those teams to your workspace.

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Click the Agent-Based Scan tab.
  3. Select a workspace.
  4. Click Agents > Actions > Create.
  5. Select any option from the Integration Options section.
    The option you select does not affect the agent or your scan results.
  6. Click Create Agent & Generate Token.
  7. In your CI project, store your agent token as a secret environment variable called SRCCLR_API_TOKEN.
    See the documentation for your CI system for instructions on setting secret environment variables.
  8. Add this command to your CI project to download the agent and start scanning:
    curl -sSL https://download.sourceclear.com/ci.sh | sh
    For example, in GitLab, add the command after the after_script step in the .gitlab-ci.yml file.
    You can customize this command to enable additional features of agent-based scanning.
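The following is an added example (not part of the Veracode documentation) of steps 7 and 8 applied to a GitLab project: a dedicated job that runs the scan command and is gated on the token being present. It assumes SRCCLR_API_TOKEN has been created as a masked CI/CD variable in the project settings, and the job and image names are placeholders.

```yaml
# Added example, not from the Veracode docs. Assumes SRCCLR_API_TOKEN is stored as a
# masked (and, for protected branches, protected) CI/CD variable in the GitLab project
# settings, so the token value never appears in this file or in the repository history.
stages:
  - build
  - sca

veracode_sca:
  stage: sca
  # Placeholder image: use one that has curl plus the project's build tooling
  # (e.g. Maven, npm), since the agent resolves dependencies from the build.
  image: "<your-build-image>"
  script:
    # Downloads the agent and starts the scan, exactly as in step 8 above.
    # The agent reads the token from the SRCCLR_API_TOKEN environment variable.
    - curl -sSL https://download.sourceclear.com/ci.sh | sh
  rules:
    # Skip the job (instead of failing on a missing token) in pipelines where the
    # masked variable is not injected, such as forks or unprotected branches.
    - if: $SRCCLR_API_TOKEN
```

Because the variable is masked, GitLab redacts the token value from job logs if the agent or a shell trace ever echoes it.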