Skip to main content

Link SCA projects to applications

You can link the projects you create for Veracode Software Composition Analysis agent-based scans to your Veracode Platform application profiles to enable a unified view of your results for all Veracode scans and include agent-based scan results in your application policy evaluations.

Linking a project to an application sends the inventory of that project to the application profile, allowing the application profile to reflect all libraries, licenses, and vulnerabilities found through agent-based scans.

note

If you modify the filenames of third-party libraries, it may lead to duplicate findings when you perform an agent-based scan and an upload scan of the same application.

You can link multiple projects to an application. If you want to link one project to multiple applications, you need to scan that project under multiple workspaces, then link each instance of that project to a different application.

To include agent-based results in the policy evaluation for your application, you must perform at least one upload scan of the application before linking an agent-based scanning project to the application.

Before you begin:

You must have the Security Lead, Workspace Administrator, or Workspace Editor role to link projects to applications.

To complete this task:

  1. Go to Scans & Analysis > Software Composition Analysis.

  2. Click the Agent-Based Scan tab.

  3. Select a workspace.

  4. Click Projects.

  5. Select the project you want to link to an application.

  6. Click Settings > Link to Application.

  7. Select an application from the dropdown menu.

  8. Click Save.

    The application now appears in the Linked Application column of the Project List table. The project is now included in the Linked Projects column of the Applications list on the Upload and Scan tab.

Results:

After you link a project to an application, Veracode includes the findings from agent-based scans of that project in your application results and Veracode reports, displaying them exactly like the findings from scans of uploaded applications. To extract findings from linked projects using an API, Veracode recommends you use the Findings REST API.

App-Linking API

If you prefer to use an API to complete this task, the SCA App-Linking REST API includes the linkAppProject endpoint and the unlinkAppProject endpoint. The SCA App-Linking API specification is available on SwaggerHub.