
Integrate agents with your repos

You can integrate SCA Agent-based Scan into most continuous integration (CI) systems. The integration requires you to create an agent, then add the agent token and scan command to your CI project.

SCA Agent-based Scan integrates into the build process to prevent the delivery of insecure software to production. It easily integrates with your continuous delivery workflow.

This section provides instructions for certain CI tools, but they apply to most CI systems.

Before you begin:

Ensure your repositories have the supported languages and package managers.

By default, the agent you create is only visible to members of the workspace in which you created the agent. To allow visibility, invite teams to your workspace.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.

  2. Select Agent-Based Scan.

  3. Select a workspace.

  4. Select Agents > Actions > Create.

  5. Select any option from the Integration Options section. The option you select does not affect the agent or your scan results.

  6. Select Create Agent & Generate Token.

  7. In your CI project, store your agent token as a secret environment variable called SRCCLR_API_TOKEN. See the documentation for your CI system for instructions on setting secret environment variables.

  8. If your Veracode account is in the Commercial region, skip this step. If your Veracode account is in the European or United States Federal Region, set the SRCCLR_REGION environment variable to one of the following:

    • European Region: ER
    • United States Federal Region: FED

  9. Add this command to your CI project to download the agent and start scanning:

    curl -sSL https://sca-downloads.veracode.com/ci.sh | sh

    For example, in GitLab, add the command after the after_script step in the .gitlab-ci.yml file.

    You can customize this command to enable additional scanning features.

Atlassian Bamboo

You can set the SCA agent API token environment variable on an individual plan basis or globally within your Bamboo environment. You can also set the environment variable when you create the script command in your Bamboo task instead of setting it at the plan or global levels.

Requirements

Your agent host has specific requirements depending on the build tools and package managers your repositories use and the language scanned. To view the requirements, see the code language in Finding and fixing vulnerabilities.

Create an authentication token

By default, the agent you create is only visible to members of the workspace in which you created the agent. To allow visibility, see invite teams to your workspace.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select a workspace.
  4. Select Agents > Actions > Create > Atlassian Bamboo.
  5. Select Create Agent & Generate Token.
  6. Copy the value in the token field. You use the token to authenticate with Veracode SCA during scans.

Create a global variable

To complete this task:

  1. Sign in to the Bamboo web interface and go to your Bamboo environment.
  2. To open the Global Variables page, select the settings gear from the top-right corner, then select Global Variables.
  3. For Variable Name, enter SRCCLR_API_TOKEN_PASSWORD. Appending PASSWORD to the variable name prevents the value from being exposed.
  4. For Value, paste the API token you copied when you created the token.
  5. Select Add.

Create a plan variable

To complete this task:

  1. In Bamboo, select Dashboard > All Plans.
  2. Select the plan you want to edit.
  3. Select Actions > Configure Plan.
  4. Select Variables.
  5. For Variable name, enter SRCCLR_API_TOKEN_PASSWORD.
  6. For Value, paste the API token you copied when you created the token.
  7. To save and set the plan variable, select Add.

Configure your repos

Because Bamboo is an on-premises CI system, you must install cURL on your server before you can run a Veracode Software Composition Analysis (SCA) agent-based scan.

You can install cURL using SSH access to your server. After installing the CLI tool, you also need the path to the executable in order to allow Bamboo to run commands. To get the path, access the server via SSH and run the command which curl. This command outputs the path to the curl binary for later use.

To complete this task:

  1. In Bamboo, navigate to the plan where you want to add scanning.
  2. Select Actions > Configure Plan.
  3. Select the job that builds your code.
  4. In the Tasks section, select Add Task > Script.
  5. Edit the following fields:

     a. For Task Description, enter Veracode Agent-Based Scan.
     b. Ensure that Interpreter is set to Shell.
     c. Ensure that Script location is set to Inline.
     d. For Script body, enter:

        curl -sSL https://sca-downloads.veracode.com/ci.sh | sh

     e. Ensure that Argument is blank.
     f. For Environment variables:
        • If you did not set the SRCCLR_API_TOKEN_PASSWORD at the global or plan levels, enter SRCCLR_API_TOKEN={token}.
        • If you set the token at the global level, enter export SRCCLR_API_TOKEN=${bamboo.SRCCLR_API_TOKEN_PASSWORD}.
     g. Ensure that Working subdirectory is blank. If the project configuration file, such as package.json, pom.xml, build.gradle, or requirements.txt, is in a subdirectory, enter the path to the subdirectory.
  6. Select Save.
  7. To prevent unnecessary scan attempts if the build fails, drag the agent-based scan command to the bottom of the task list directly above the final tasks section.

Results:

The next time you build this plan, Veracode SCA scans your code.

Atlassian Bitbucket

Create your authentication token

By default, the agent you create is only visible to members of the workspace in which you created the agent. To allow visibility, invite teams to your workspace.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select a workspace.
  4. Select Agents > Actions > Create > Bitbucket Pipelines.
  5. Select Create Agent & Generate Token.
  6. Copy the value in the token field. You use the token to authenticate with Veracode SCA during scans.

Configure your environment variable

You can set the environment variable for scanning at either the account or repository levels.

To complete this task:

  1. In Bitbucket, go to Account > Bitbucket Settings.
  2. Select an individual account or a team for which you want to configure variables.
  3. From the left navigation, select Pipelines > Environment variables.
  4. For Type variable, enter SRCCLR_API_TOKEN.
  5. For Type value, paste your API token.
  6. Verify the Secured checkbox is selected.
  7. Select Add.

Configure a repository environment variable

Environment variables added on the repository level can be accessed by any users with the push permission in the repository. You can set a repository environment variable to perform scans on each new build.

To complete this task:

  1. In Bitbucket, go to the repository you want to scan and select Settings > Pipelines > Environment variables.
  2. For Type variable, enter SRCCLR_API_TOKEN.
  3. For Type value, paste your API token.
  4. Verify the Secured checkbox is selected.
  5. Select Add.

Configure your repos

To scan your repos, add the following YAML to the last default configuration script command in the bitbucket-pipelines.yml file:

    pipelines:
      default:
        - step:
            script:
              - curl -sSL https://sca-downloads.veracode.com/ci.sh | sh

Commit these changes to trigger a build for your repository, and Veracode SCA performs a scan and displays results to your environment.

If you want to scan other repositories, add the installation code above to any bitbucket-pipelines.yml files you want.

After you add the SRCCLR_API_TOKEN environment variable, you can perform scans on each new build.

CircleCI

Create your authentication token

By default, the agent you create is only visible to members of the workspace in which you created the agent. To allow visibility, invite teams to your workspace.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select a workspace.
  4. Select Agents > Actions > Create > Circle CI.
  5. Select Create Agent & Generate Token.
  6. Copy the value in the token field. You use the token to authenticate with Veracode SCA during scans.

Configure your environment variable

You can set an environment variable for each repository you want to scan.

To complete this task:

  1. In CircleCI, select the repository you want to scan.
  2. Go to Project Settings > Environment Variables.
  3. Select Add Variable.
  4. For Name, enter SRCCLR_API_TOKEN.
  5. For Value, enter your agent token value.
  6. Verify the Display value in build log is set to OFF to ensure your token is hidden.
  7. Select Add Variable.

Codeship Basic and Pro

Create your authentication token

By default, the agent you create is only visible to members of the workspace in which you created the agent. To allow visibility, invite teams to your workspace.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select a workspace.
  4. Select Agents > Actions > Create > Codeship.
  5. Select Create Agent & Generate Token.
  6. Copy the value in the token field. You use the token to authenticate with Veracode SCA during scans.

Configure your repos

To complete this task:

  1. In Codeship, go to the project you want to scan.

  2. Select Project Settings > Testing.

  3. In the test pipelines commands, enter the following code after your build commands:

    curl -sSL https://sca-downloads.veracode.com/ci.sh | sh
  4. Commit these changes to trigger a build for your repository.

Results:

Veracode SCA performs a scan and displays results to your environment.

Next steps:

If you want to scan other repositories, add the installation and scan code above to any test pipelines you want. After you add the SRCCLR_API_TOKEN environment variable, you can perform scans on each new build.

Configure your project

Before you begin:

Generate an Advanced Encryption Standard (AES) key and place the key in a codeship.aes file in the root of your project directory. Read additional documentation on generating an AES key.

To complete this task:

  1. Edit the text file containing your environment variables, which you encrypt prior to committing your code.

  2. Add the SRCCLR_API_TOKEN to the file and set it to the authentication token you generated above.

  3. Save the environment variable file.

  4. Encrypt the environment variables using Jet CLI. A file containing the encrypted environment variables is generated, called env.encrypted in this example:

    jet encrypt env env.encrypted

  5. Before you commit your code, add the env file to your .gitignore, or delete the file after you create it.

  6. Edit the codeship-services.yml file, and use the encrypted_env_file directive to add your encrypted environment variables from the env.encrypted file to your build process:

    app:
      build:
        image: myorg/appname
        dockerfile_path: Dockerfile
      encrypted_env_file: env.encrypted
  7. To scan in your project, edit the codeship-steps.yml file and add this step after your build step:

    - name: sourceclear
      service: app
      command: sh -c "curl -sSL https://sca-downloads.veracode.com/ci.sh | sh"
  8. Commit the changes to your repository.

Results:

The next time you run your build through Codeship Pro, Veracode SCA performs an agent-based scan of your repository. For details on configuring your Codeship Pro project, see the Codeship Pro documentation.

GitLab

Create your authentication token

By default, the agent you create is only visible to members of the workspace in which you created the agent. To allow visibility, invite teams to your workspace.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select a workspace.
  4. Select Agents > Actions > Create > Bitbucket Pipelines. The installation process for GitLab CI mirrors the Bitbucket Pipelines installation process for SCA Agent-based Scan.
  5. Select Create Agent & Generate Token.
  6. Copy the value in the token field. You use the token to authenticate with Veracode SCA during scans.

Configure your environment variable

Setting an environment variable in GitLab CI occurs on a per-repository basis. This example demonstrates how to create a variable for your API token.

To complete this task:

  1. In your GitLab environment, select the project you want to scan.
  2. Go to Settings > CI/CD.
  3. Select Expand in the Variables section.
  4. For Key, enter SRCCLR_API_TOKEN.
  5. For Value, enter your Veracode SCA API token.
  6. Select the State and Masked values you want for your variable. We recommend masking the variable and, if you use protected variables, protecting it.
  7. Select Save variables.

Next steps:

You can create an environment variable for your project URL to allow the enabling of automatic pull requests.

Configure your repos

To complete this task:

  1. To add scanning to your repos, add the following to the after_script step in your .gitlab-ci.yml file:

    after_script:
    - curl -sSL https://sca-downloads.veracode.com/ci.sh | sh
  2. Commit the change to start a build for your repository and run an SCA scan.

Next steps:

If you want to scan other repositories, add the installation and scan code above, along with the SRCCLR_API_TOKEN environment variable, to any .gitlab-ci.yml files you want to scan. Then you can perform scans on each new build.

Jenkins/Hudson (Shell)

Install the Credentials Binding Plugin

To integrate Veracode Software Composition Analysis with Jenkins securely, install the Credentials Binding Plugin for binding your API token to the environment variable for the Veracode SCA API token.

Create your authentication token

By default, the agent you create is only visible to members of the workspace in which you created the agent. To allow visibility, invite teams to your workspace.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select a workspace.
  4. Select Agents > Actions > Create > Jenkins/Hudson.
  5. Select Create Agent & Generate Token.
  6. Copy the value in the token field. You use the token to authenticate with Veracode SCA during scans.

Bind your Jenkins environment variable

To complete this task:

  1. In Jenkins, go to Credentials > Jenkins > Global credentials > Add credentials.
  2. From the Kind dropdown list, select Secret text.
  3. From the Scope dropdown list, select Global.
  4. In the Secret field, enter your Veracode SCA API token.
  5. In the ID field, enter SRCCLR_API_TOKEN.
  6. Select OK.

Configure your Jenkins job for scanning

To complete this task:

  1. In Jenkins, select the job you want to scan.

  2. Select Configure.

  3. Select Build Environment.

  4. Select Use secret text(s) or file(s).

  5. Under Bindings, select Add > Secret text.

  6. For Variable, enter SRCCLR_API_TOKEN.

  7. Select SRCCLR_API_TOKEN.

  8. In the build section, select Add build step > Execute shell. You can include the shell as a pre- or post-build step.

  9. Add this command to the shell command box:

    curl -sSL https://sca-downloads.veracode.com/ci.sh | sh
  10. Save your build.

Results:

The next time your job runs, Veracode SCA scans your code.

Travis CI

Create your authentication token

By default, the agent you create is only visible to members of the workspace in which you created the agent. To allow visibility, invite teams to your workspace.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select a workspace.
  4. Select Agents > Actions > Create > Travis CI.
  5. Select Create Agent & Generate Token.
  6. Copy the value in the token field. You use the token to authenticate with Veracode SCA during scans.

Add your token to an environment variable

Setting an environment variable in Travis CI occurs on a per-repository basis.

To complete this task:

  1. In Travis CI, select the repository you want to scan.
  2. Go to More Options > Settings.
  3. For Name, enter SRCCLR_API_TOKEN.
  4. For Value, enter your Veracode SCA API token.
  5. Verify Display value in build log is set to OFF. This step ensures your token is hidden.
  6. Select Add.

Configure your repos

To complete this task:

  1. Add this code to your .travis.yml file:

    addons:
      srcclr: true
  2. If you want verbose output during the scan, add the debug key:

    addons:
      srcclr:
        debug: true
  3. Commit the changes to start a build and run an SCA scan.

Gradle

Set up the Gradle plugin

The Gradle plugin automates scanning of your Gradle repositories. You can upload the results of plugin scans to the Veracode Platform.

Before you begin:

Ensure you have the latest version of the plugin. To install the latest version, search for SourceClear in the Gradle plugin portal and follow the onscreen instructions.

To support Spring Boot, you must have a version that is earlier than Spring Boot 3.3.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.

  2. Select Agent-Based Scan.

  3. Select a workspace.

  4. Select Agents > Actions > Create > Gradle.

  5. Select Create Agent & Generate Token.

  6. Choose to either set your API token as an environment variable in the environment where you will build your Gradle repository, or add the token directly to the configuration within your build.gradle file:

    • To set your environment variable, run:

      export SRCCLR_API_TOKEN={apiToken}
    • Add the following code to your build.gradle file. For multi-project Gradle builds, we recommend applying these changes only to the root build.gradle file to avoid potentially overriding scan results from the different projects. Do not apply the plugin in the allprojects or subprojects section of the build file.

      // For Gradle 2.2.0 or higher
      ...

      plugins {
        id "com.srcclr.gradle" version "{Insert latest version}"
      }

      apply plugin: "srcclr"

      srcclr {
        apiToken = "{apiToken}" // Only required if environment variable is not set
      }

      // For Gradle before 2.2.0
      // Add gradle plugin location
      buildscript {
        repositories {
          maven {
            url "https://plugins.gradle.org/m2/"
          }
        }
      }
      // Add 'classpath("com.srcclr:gradle:{insert version number}")' to your dependencies

      buildscript {
        ...
        dependencies {
          classpath "gradle.plugin.com.srcclr:gradle:<insert version number>"
        }
      }

      apply plugin: "srcclr"

      srcclr {
        apiToken = "{apiToken}" // Only required if environment variable is not set
      }

  7. Optionally, add additional configuration options.

  8. Save the build.gradle file. To run scans during your build, add the srcclr argument to the gradlew command.

  9. To perform dependency resolution and build class files, which are the minimum requirements for vulnerable method analysis, run:

    ./gradlew srcclr
  10. For larger builds, you can run this command:

    ./gradlew clean build srcclr

Configure the Gradle plugin

You can configure specific parameters in the Gradle plugin.

You can add these configurations into the srcclr block in your build.gradle file.

apiToken

Enables uploading all scanned repositories to the Veracode Platform as new projects. Required for running the plugin if you have not set the SRCCLR_API_TOKEN environment variable.

Default value: null

Example: apiToken = "xdfsdfinerknwekrn13Ddfsa"

shouldUpload

If set to true, scan results persist in the Veracode Platform in the workspace associated with your apiToken.

Default value: true

Example: shouldUpload = false

scope

Defines the scope on which components should match. Possible values include compile, runtime, and test. We recommend using runtime if you specify libraries using the api or implementation keywords.

Default value: compile

Example: scope = "compile"

SCA uses the appropriate value for scope based on your Gradle version. If you do not know your Gradle version, we recommend excluding the scope variable.

Maven

Set up the Maven plugin

Use the Maven plugin to automate scans of your Maven repositories. You can upload the results of plugin scans to Veracode for a specific organization or to your personal environment.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.

  2. Select Agent-Based Scan.

  3. Select a workspace.

  4. Select Agents > Actions > Create > Maven.

  5. Select Create Agent & Generate Token.

  6. Choose to set your API token as an environment variable in the environment where you build your Maven repository, or add the token directly to the configuration within your pom.xml file:

    • Environment Configuration:

      • Run this command to set your API token to the SRCCLR_API_TOKEN environment variable:

        export SRCCLR_API_TOKEN={apiToken}

        If your shell supports it, you may want to prefix the command with a space to avoid leaving the token in your shell history.

      • Run this command in the root of your Maven project to start a scan:

        mvn clean compile com.srcclr:srcclr-maven-plugin:scan
    • pom.xml Configuration:

      • Add this code to your pom.xml file in the root directory:
        <build>
          <plugins>
            <plugin>
              <groupId>com.srcclr</groupId>
              <artifactId>srcclr-maven-plugin</artifactId>
              <version><!-- Insert latest version --></version>
              <configuration>
                <!-- Add configuration details here -->
                <apiToken>OptionallyEnterUserTokenHere</apiToken>
              </configuration>
              <executions>
                <execution>
                  <id>srcclr-scan</id>
                  <phase>verify</phase>
                  <goals>
                    <goal>scan</goal>
                  </goals>
                </execution>
              </executions>
            </plugin>
          </plugins>
        </build>
      • Save the pom.xml file. The plugin automatically runs when you run any Maven lifecycle phase that executes after verify, such as install or deploy.

Configure the Maven plugin

You can configure specific parameters in the Maven plugin.

If you do not specify a name, Veracode assigns a name to display with your project from your repository and file system information based on the .git information.

apiToken

Identifies you to the Veracode Platform. Required for running the plugin if you have not set the SRCCLR_API_TOKEN environment variable.

Default value: null

Example: <apiToken>xxsdf234Sasdvcve</apiToken>

upload

Indicates whether the plugin should upload your data to the Veracode Platform. If set to false, the plugin only displays results on the console.

Default value: true

Example: <upload>false</upload>

verbose

By default, the Maven plugin only reports vulnerable components on the command line. If set to true, the plugin displays all of the components it finds.

Default value: false

Example: <verbose>true</verbose>

Integrate scanning with a script

You can add commands and environment variables to the script in your continuous integration tool to customize your Veracode Software Composition Analysis agent-based scans.

For all CI scripts, you must set the SRCCLR_API_TOKEN environment variable to successfully authenticate for scanning.

Custom SCA agent commands

The default functionality of the CI script used in the curl -sSL https://sca-downloads.veracode.com/ci.sh | sh command is to run the srcclr scan agent command in the current directory. Users can optionally specify their own custom command by appending -s -- {agent_commands} after sh in the curl command; the CI script then passes {agent_commands} to the agent instead of running the default scan. These examples use customized SCA commands with the CI script:

The CLI equivalent of srcclr test --maven:

    curl -sSL https://sca-downloads.veracode.com/ci.sh | sh -s -- test --maven

The CLI equivalent of srcclr scan --url https://github.com/veracode/example-ruby --no-upload:

    curl -sSL https://sca-downloads.veracode.com/ci.sh | sh -s -- scan --url https://github.com/veracode/example-ruby --no-upload

Environment variables

You can use these environment variables in the scanning environment to enable various features when scanning in your development pipeline with this shell command: curl -sSL https://sca-downloads.veracode.com/ci.sh | sh.

DEBUG

Description: When enabled, provides more verbose output during the scan. The default is 0, which disables the variable.

Possible values: 0 to disable, 1 to enable

Example:

curl -sSL https://sca-downloads.veracode.com/ci.sh | DEBUG=1 sh

OR

export DEBUG=1
curl -sSL https://sca-downloads.veracode.com/ci.sh | sh

NOCACHE

Description: When enabled, the Veracode SCA agent is not cached when the curl command is run. The default is 0, which disables the variable.

Possible values: 0 to disable, 1 to enable

Example:

curl -sSL https://sca-downloads.veracode.com/ci.sh | NOCACHE=1 sh

OR

export NOCACHE=1
curl -sSL https://sca-downloads.veracode.com/ci.sh | sh

CACHE_DIR

Description: Allows the user to specify which directory location to store the Veracode SCA agent. The default value for this is the /tmp directory.

Example:

curl -sSL https://sca-downloads.veracode.com/ci.sh | CACHE_DIR="/home/applications" sh

OR

export CACHE_DIR="/home/applications"
curl -sSL https://sca-downloads.veracode.com/ci.sh | sh

NOSCAN

Description: When enabled, the Veracode SCA agent does not perform a scan on the repository. The default is 0, which disables the variable.

Possible values: 0 to disable, 1 to enable

Example:

curl -sSL https://sca-downloads.veracode.com/ci.sh | NOSCAN=1 sh

OR

export NOSCAN=1
curl -sSL https://sca-downloads.veracode.com/ci.sh | sh

SCAN_DIR

Description: Allows the user to specify which directory location to scan. The default value is the directory from which the curl command runs.

Example:

curl -sSL https://sca-downloads.veracode.com/ci.sh | SCAN_DIR="./path/to/dir" sh

OR

export SCAN_DIR="./path/to/dir"
curl -sSL https://sca-downloads.veracode.com/ci.sh | sh

SRCCLR_CI_JSON

Description: When enabled, the Veracode SCA agent outputs the scan results in JSON format. The default is 0, which disables the variable.

Possible values: 0 to disable, 1 to enable

Example:

curl -sSL https://sca-downloads.veracode.com/ci.sh | SRCCLR_CI_JSON=1 sh

OR

export SRCCLR_CI_JSON=1
curl -sSL https://sca-downloads.veracode.com/ci.sh | sh

CUSTOM_JRE_DIR

Description: Allows the user to specify which JRE to use for the Veracode SCA agent. The default scan functionality is to provide supported JREs for both Debian-based and OS X operating systems. Specifying this value enables other operating systems to utilize SCA Agent-based Scan.

Example:

curl -sSL https://sca-downloads.veracode.com/ci.sh | CUSTOM_JRE_DIR=/opt/jdk/jre/lib/amd64 sh

OR

export CUSTOM_JRE_DIR=/opt/jdk/jre/lib/amd64
curl -sSL https://sca-downloads.veracode.com/ci.sh | sh
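
The following wrapper is an added example, not Veracode's ci.sh or any Veracode-provided script: it checks the inputs documented above (the required SRCCLR_API_TOKEN, a valid SRCCLR_REGION, existing SCAN_DIR and CUSTOM_JRE_DIR) before anything is downloaded, composes the curl | sh command line with only the pass-through variables that are set, never prints the token, and with the assumed SCA_DRY_RUN=1 only reports the command it would run.

```shell
#!/bin/sh
# Added example, not Veracode's ci.sh: a pre-flight wrapper for the scan step.
# SCA_DRY_RUN, SCA_CI_URL and SCA_PASSTHROUGH are names chosen here; the
# pass-through variables themselves are the ones the ci.sh documentation lists.

SCA_CI_URL="https://sca-downloads.veracode.com/ci.sh"
SCA_PASSTHROUGH="DEBUG NOCACHE CACHE_DIR NOSCAN SCAN_DIR SRCCLR_CI_JSON CUSTOM_JRE_DIR"

# sca_preflight: report every missing or invalid input on stderr; return 1 if any.
sca_preflight() {
  failed=0
  if [ -z "${SRCCLR_API_TOKEN:-}" ]; then
    echo "SRCCLR_API_TOKEN is not set; store the agent token as a secret CI variable" >&2
    failed=1
  fi
  case "${SRCCLR_REGION:-}" in
    ""|ER|FED) ;;   # unset means the Commercial region; ER and FED are the other two
    *) echo "SRCCLR_REGION must be unset, ER or FED (got '$SRCCLR_REGION')" >&2
       failed=1 ;;
  esac
  if [ -n "${SCAN_DIR:-}" ] && [ ! -d "$SCAN_DIR" ]; then
    echo "SCAN_DIR '$SCAN_DIR' is not a directory" >&2
    failed=1
  fi
  if [ -n "${CUSTOM_JRE_DIR:-}" ] && [ ! -d "$CUSTOM_JRE_DIR" ]; then
    echo "CUSTOM_JRE_DIR '$CUSTOM_JRE_DIR' is not a directory" >&2
    failed=1
  fi
  return "$failed"
}

# sca_command [agent args...]: print the command line that would run. Only the
# pass-through variables that are set are shown; the token is never included.
sca_command() {
  vars=""
  for v in $SCA_PASSTHROUGH; do
    eval "val=\${$v:-}"   # v comes only from the fixed list above, so eval is safe
    if [ -n "$val" ]; then vars="$vars$v=$val "; fi
  done
  if [ "$#" -gt 0 ]; then
    printf 'curl -sSL %s | %ssh -s -- %s\n' "$SCA_CI_URL" "$vars" "$*"
  else
    printf 'curl -sSL %s | %ssh\n' "$SCA_CI_URL" "$vars"
  fi
}

# sca_ci_scan [agent args...]: validate, then run the documented curl | sh step,
# or only print it when SCA_DRY_RUN=1.
sca_ci_scan() {
  sca_preflight || return 1
  cmd=$(sca_command "$@")
  if [ "${SCA_DRY_RUN:-0}" = 1 ]; then
    echo "dry run: $cmd"
    return 0
  fi
  # Make the variables visible to ci.sh, which reads them from the environment.
  export $SCA_PASSTHROUGH SRCCLR_API_TOKEN SRCCLR_REGION
  if [ "$#" -gt 0 ]; then
    curl -sSL "$SCA_CI_URL" | sh -s -- "$@"
  else
    curl -sSL "$SCA_CI_URL" | sh
  fi
}
```

In a CI job, replace the bare curl line with a call such as sca_ci_scan or sca_ci_scan test --maven so a missing token or a mistyped region fails the step with a clear message instead of a failed download or scan.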

Use the SCA agent with an SCM other than Git

You can use the Veracode SCA agent to scan a repository that uses a source code management (SCM) system other than Git, including Subversion (SVN), Mercurial, and Team Foundation Version Control (TFVC).

The SCA agent normally interacts with a Git repository to learn the branch, commit, working directory state, and similar attributes to make the scan reports the most meaningful to the reader. However, not every organization uses Git and thus the agent needs a mechanism through which the scan data can be associated with the underlying source control metadata.

Connect SCM metadata to an SCA agent

The Veracode SCA agent accepts SCM metadata from the caller through the following environment variables.

SRCCLR_SCM_URI

Equivalent scan option: --scm-uri

What it controls: Required. The URI you use to connect to the SCM system. For example: https://svn.example.com/svn/repos or https://hg.example.com.

NOTE: This value becomes the default project name in Veracode SCA after the first scan.

SRCCLR_SCM_REF

Equivalent scan option: --scm-ref

What it controls: Required. A meaningful name for the current state of the working directory, such as a branch, tag, or similar SCM concept.

SRCCLR_SCM_REF_TYPE

Equivalent scan option: --scm-ref-type

What it controls: Required. The type of reference specified in SRCCLR_SCM_REF. Accepted values (case-insensitive): branch, tag, or commit. The default value is commit.

SRCCLR_SCM_REV

Equivalent scan option: --scm-rev

What it controls: Required. The revision identifier for the current state of the working directory. Examples: a Subversion change number or a Mercurial revision ID.

SRCCLR_SCM_SUB_PATH

Equivalent scan option: n/a

What it controls: Optional. Use only if the project is located in a subdirectory within the SCM repository, such as with a multi-project Mercurial repository. If you use Subversion or similar directory addressable source control systems, we recommend specifying the full path to the project root as the SRCCLR_SCM_URI.

SRCCLR_NO_GIT

Equivalent scan option: n/a

What it controls: Optional. SCA agent-based scans require that your project be in a version control system, such as Git. To scan a project that is not in version control, set this variable to 1.

Example

Check out the source as you normally would and change to the working directory.

$ svn checkout https://svn.code.sf.net/p/properties-mvn/svn/ properties-mvn
$ cd properties-mvn

To gather the information, use the source control tool to inspect its status.

$ svn info
Path: .
Working Copy Root Path: /Users/mdaniel/.tmp/properties-mvn
URL: https://svn.code.sf.net/p/properties-mvn/svn
Relative URL: ^/
Repository Root: https://svn.code.sf.net/p/properties-mvn/svn
Repository UUID: a38e15f5-c4e9-4b0a-8018-68579ae2876f
Revision: 10
Node Kind: directory
Schedule: normal
Last Changed Author: ayanul
Last Changed Rev: 10
Last Changed Date: 2010-09-29 04:28:27 -0700 (Wed, 29 Sep 2010)

Now you can capture the relevant pieces of metadata in environment variables and invoke the srcclr scan command to begin scanning.

$ export SRCCLR_SCM_URI=https://svn.code.sf.net/p/properties-mvn/svn
$ export SRCCLR_SCM_REF=trunk
$ export SRCCLR_SCM_REF_TYPE=branch
$ export SRCCLR_SCM_REV=10
$ srcclr scan

The results print a summary to the terminal and provide a hyperlink to the full details in the Veracode Platform.
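
The manual steps above can be scripted. The following is an added example, not part of the Veracode documentation or agent: it parses svn info output (a constructed sample is embedded) into the four required SRCCLR_SCM_* variables, uses the working-copy URL as SRCCLR_SCM_URI in line with the recommendation for directory-addressable systems, maps the trunk/branches/tags layout convention onto the agent's ref types, and refuses to continue when URL or Revision is missing; svn_field and svn_scm_env are names chosen here.

```shell
#!/bin/sh
# Added example, not Veracode's code: derive the SRCCLR_SCM_* variables from
# `svn info` output so a Subversion pipeline does not hand-copy them.
# In a real pipeline call: svn_scm_env "$(svn info)" and then: srcclr scan

# Constructed sample, mirroring the fields `svn info` prints for a trunk checkout.
SAMPLE_SVN_INFO='Path: .
Working Copy Root Path: /builds/properties-mvn
URL: https://svn.example.com/svn/properties-mvn/trunk
Relative URL: ^/trunk
Repository Root: https://svn.example.com/svn/properties-mvn
Repository UUID: 00000000-0000-0000-0000-000000000000
Revision: 10
Node Kind: directory
Last Changed Rev: 10'

# svn_field NAME INFO: print the value of the "NAME: value" line in INFO.
# The pattern is anchored, so "URL" does not match the "Relative URL" line.
svn_field() {
  printf '%s\n' "$2" | sed -n "s/^$1: //p"
}

# svn_scm_env INFO: export SRCCLR_SCM_URI, SRCCLR_SCM_REF, SRCCLR_SCM_REF_TYPE and
# SRCCLR_SCM_REV from INFO. Returns 1 if URL or Revision is missing, because all
# four variables are required and a scan without them cannot be attributed.
svn_scm_env() {
  url=$(svn_field URL "$1")
  rev=$(svn_field Revision "$1")
  if [ -z "$url" ] || [ -z "$rev" ]; then
    echo "svn info output has no URL or Revision line; not setting SRCCLR_SCM_*" >&2
    return 1
  fi
  # Map the conventional SVN layout onto the agent's ref types (branch, tag, commit).
  case "$url" in
    */trunk|*/branches/*) ref_type=branch; ref=${url##*/} ;;
    */tags/*)             ref_type=tag;    ref=${url##*/} ;;
    *)                    ref_type=commit; ref="r$rev" ;;
  esac
  export SRCCLR_SCM_URI="$url"
  export SRCCLR_SCM_REF="$ref"
  export SRCCLR_SCM_REF_TYPE="$ref_type"
  export SRCCLR_SCM_REV="$rev"
}

# Demo on the constructed sample: show the variables a following srcclr scan would see.
svn_scm_env "$SAMPLE_SVN_INFO" && env | grep '^SRCCLR_SCM_' | sort
```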