Integrate agents with Gradle
You can create a Veracode SCA agent that automates the scanning of your Gradle repositories.
Prerequisites
Your agent host has specific requirements that depend on the build and package managers your repositories use and on the language being scanned. To view the requirements, see the code language in Finding and fixing vulnerabilities.
Set up the Gradle plugin
The Gradle plugin automates scanning of your Gradle repositories. You can upload the results of plugin scans to the Veracode Platform.
Before you begin:
Ensure you have the latest version of the plugin. To install the latest version, search for SourceClear in the Gradle plugin portal and follow the onscreen instructions.
To support Spring Boot, you must have a version that is earlier than Spring Boot 3.3.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select a workspace.
- Select Agents > Actions > Create > Gradle.
- Select Create Agent & Generate Token.
- Choose to either set your API token as an environment variable in the environment where you will build your Gradle repository, or add the token directly to the configuration within your build.gradle file:
  - To set your environment variable, run:
        export SRCCLR_API_TOKEN={apiToken}
  - Add the following code to your build.gradle file. For multi-project Gradle builds, we recommend applying these changes only to the root build.gradle file to avoid potentially overriding scan results from the different projects. Do not apply the plugin in the allprojects or subprojects section of the build file.
        // For Gradle 2.2.0 or higher
        ...
        plugins {
            id "com.srcclr.gradle" version "{Insert latest version}"
        }
        apply plugin: "srcclr"
        srcclr {
            apiToken = "{apiToken}" // Only required if environment variable is not set
        }

        // For Gradle before 2.2.0
        buildscript {
            ...
            // Add the Gradle plugin portal so the plugin artifact can be resolved
            repositories {
                maven {
                    url "https://plugins.gradle.org/m2/"
                }
            }
            // Add the plugin artifact to the buildscript classpath
            dependencies {
                classpath "gradle.plugin.com.srcclr:gradle:<insert version number>"
            }
        }
        apply plugin: "srcclr"
        srcclr {
            apiToken = "{apiToken}" // Only required if environment variable is not set
        }
- Optionally, add additional configuration options.
- Save the build.gradle file. To run scans during your build, add the srcclr argument to the gradlew command.
  - To perform dependency resolution and build class files, which are the minimum requirements for vulnerable method analysis, run:
        ./gradlew srcclr
  - For larger builds, you can run this command:
        ./gradlew clean build srcclr
Configure the Gradle plugin
You can configure specific parameters in the Gradle plugin.
You can add these configurations into the srcclr block in your build.gradle file.
apiToken
Enables uploading all scanned repositories to the Veracode Platform as new projects. Required for running the plugin if you have not set the SRCCLR_API_TOKEN environment variable.
Default value: null
Example: apiToken = "xdfsdfinerknwekrn13Ddfsa"
shouldUpload
If set to true, scan results persist in the Veracode Platform in the workspace associated with your apiToken.
Default value: true
Example: shouldUpload = false
scope
Defines the scope on which components should match. Possible values include compile, runtime, and test. We recommend using runtime if you specify libraries using the api or implementation keywords.
Default value: compile
Example: scope = "compile"
SCA uses the appropriate value for scope based on your Gradle version. If you do not know your Gradle version, we recommend excluding the scope variable.
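The following root build.gradle ties together the setup steps above and the apiToken, shouldUpload and scope options. It is an added example, not Veracode's own sample: it keeps the API token out of version control by reading it from the SRCCLR_API_TOKEN environment variable (which the plugin already honours on its own) or from a Gradle property, and lets a pull-request pipeline disable uploads with a project property. The property names srcclrApiToken and scaUpload, and the version placeholder, are assumptions of this example.

```groovy
// Added example, not the plugin's own sample. Root build.gradle for a
// multi-project build on Gradle 2.2.0 or higher.
// Assumed names: the "srcclrApiToken" and "scaUpload" project properties and
// the version placeholder. SRCCLR_API_TOKEN is the variable the plugin reads.
plugins {
    id "com.srcclr.gradle" version "{Insert latest version}"
}

// Applied at the root only, never inside allprojects {} or subprojects {},
// so results from the individual projects are not overridden.
apply plugin: "srcclr"

// Resolve the token at build time instead of committing it. If the
// environment variable is set the plugin uses it directly; the Gradle
// property (-PsrcclrApiToken=...) is a fallback for hosts that cannot
// export environment variables.
def scaToken = System.getenv("SRCCLR_API_TOKEN")
if (scaToken == null && project.hasProperty("srcclrApiToken")) {
    scaToken = project.property("srcclrApiToken")
}

// Upload to the workspace only on trusted builds. Pull-request pipelines
// pass -PscaUpload=false so an untrusted branch cannot rewrite the
// workspace's recorded findings.
def uploadResults = true
if (project.hasProperty("scaUpload")) {
    uploadResults = project.property("scaUpload").toString().toBoolean()
}

srcclr {
    // apiToken = "xdfsdfinerknwekrn13Ddfsa"  // weak: literal token in source
    if (scaToken != null) {
        apiToken = scaToken
    }
    shouldUpload = uploadResults
    // runtime matches dependencies declared with api or implementation;
    // omit scope entirely if you are unsure which Gradle version is in use.
    scope = "runtime"
}
```

Run the scan with ./gradlew srcclr on a trusted branch, or ./gradlew clean build srcclr -PscaUpload=false from a pull-request job; in both cases the token reaches the plugin from the CI secret store via SRCCLR_API_TOKEN rather than from the build file.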