Configure SCA agents
You can configure SCA agents using the parameters in the agent.yml file or, alternatively, using environment variables.
Configure proxies
If you install an SCA agent behind a proxy, connect the agent to your proxy server.
Before you begin:
- If your proxy performs TLS interception, you must provide the certificate chain to the agent.
- If your Veracode account is in the United States Federal region, running the SCA agent behind a proxy server is not supported.
To complete this task:
1. To make the Java virtual machine (JVM) aware of the root certificate, run the appropriate command for your operating system:
   - Linux or Mac:
     export SRCCLR_SSL_CERT_FILE="/path to certificate file/"
   - Windows PowerShell:
     $env:SRCCLR_SSL_CERT_FILE='/path to certificate file/'
2. To make the agent aware of the proxy, make one of these configurations:
   - Set the https_proxy environment variable to a URL that points to the proxy server. For example:
     - Linux or Mac:
       export https_proxy="http://127.0.0.1:8080"
     - Windows PowerShell:
       $env:https_proxy='http://127.0.0.1:8080'
   - Set the agent configuration values relevant to proxy identification and authentication, such as proxyHost and proxyPort, in ~/.srcclr/agent.yml or in another YML configuration file defined with the --config= option. For example, include proxyHost: 127.0.0.1 and proxyPort: 8080 in ~/.srcclr/agent.yml.
3. To complete the connection, run the appropriate command to establish communication between the agent and the proxy server. For example:
   - Linux or Mac:
     curl -sSL https://sca-downloads.veracode.com/ci.sh | env DEBUG=1 SRCCLR_SSL_CERT_FILE="/path to certificate file/" bash -s scan --skip-collectors "ant,npm"
   - Windows PowerShell:
     $Client = New-Object -TypeName System.Net.WebClient
     $Client.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
     $Script = $Client.DownloadString('https://sca-downloads.veracode.com/ci.ps1')
     Invoke-Command -ScriptBlock ([scriptblock]::Create($Script)) -ArgumentList @('scan', '--skip-collectors', 'ant,npm')
   Important: If you do not use the https_proxy environment variable or set proxyHost and proxyPort in ~/.srcclr/agent.yml, you must include '--config=/path to configuration file/' in this command.
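To check the three steps above end to end before running the real scan, here is an added shell example; it is not Veracode's code and is not part of the original page. It writes the proxy keys from the agent.yml parameters into a temporary configuration file created with owner-only permissions (the file carries the bearer token), checks that the certificate chain file for an intercepting proxy actually contains PEM certificate blocks, and prints the Linux/Mac scan command from step 3 with SRCCLR_SSL_CERT_FILE and --config filled in rather than executing it. The paths, the token value and the certificate contents are constructed placeholders, and the function names are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not Veracode's code: prepare the proxy settings from the steps
# above in a throwaway directory so they can be checked before the real scan
# runs. The token, paths and certificate contents are constructed placeholders.

set -eu

WORKDIR="$(mktemp -d)"
CONFIG="$WORKDIR/agent.yml"            # stands in for ~/.srcclr/agent.yml
CERT_FILE="$WORKDIR/proxy-chain.pem"   # stands in for the intercepting proxy's chain

# Constructed placeholder "chain": two PEM blocks with dummy bodies so the
# structural check below has something to count. These are not real certificates.
cat > "$CERT_FILE" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDER_LEAF_BODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER_ROOT_BODY
-----END CERTIFICATE-----
EOF

# Count the PEM certificate blocks in a chain file. 0 usually means the wrong
# file (DER, empty, or a mistyped path), and the JVM would then not trust the
# intercepting proxy. A missing file also counts as 0.
count_pem_certs() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Write the keys from the "agent.yml parameters" list for an HTTP proxy. The
# file holds the bearer token (and, if you add proxyUsername/proxyPassword,
# a password), so it is created readable by its owner only.
write_proxy_config() {
    path="$1"; host="$2"; port="$3"; token="$4"
    ( umask 077; cat > "$path" <<EOF
agentAuthorization: $token
proxyType: HTTP
proxyHost: $host
proxyPort: $port
EOF
    )
}

# Read one flat "key: value" entry back from the YAML file.
config_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1"
}

# The Linux/Mac command from step 3, assembled from the prepared values and
# printed rather than executed (the download needs network access). --config
# is included because the file is not at ~/.srcclr/agent.yml.
scan_command() {
    printf 'curl -sSL https://sca-downloads.veracode.com/ci.sh | env DEBUG=1 SRCCLR_SSL_CERT_FILE="%s" bash -s scan --config="%s" --skip-collectors "ant,npm"\n' "$1" "$2"
}

write_proxy_config "$CONFIG" 127.0.0.1 8080 PLACEHOLDER_AGENT_TOKEN
certs="$(count_pem_certs "$CERT_FILE")"
[ "$certs" -ge 1 ] || { echo "no PEM certificate in $CERT_FILE" >&2; exit 1; }
echo "certificate blocks in chain: $certs"
echo "proxy from config: $(config_value "$CONFIG" proxyHost):$(config_value "$CONFIG" proxyPort)"
scan_command "$CERT_FILE" "$CONFIG"
```

Run it with sh. A certificate count of 0 means the path you intend to put in SRCCLR_SSL_CERT_FILE does not hold a PEM chain the JVM can load, which is worth catching before the download step rather than after a failed TLS handshake with the proxy.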
agent.yml parameters
You configure the following key names in the agent.yml file, which is created when you activate the SCA agent. Alternatively, you can configure these settings as environment variables.
agentAuthorization
(Required) Bearer token used to authenticate API calls.
apiUrl
The URL for the Veracode Platform backend API that the SCA agent uses to manage scans. Valid values are:
- https://sca-api.veracode.com - Commercial Region. The default.
- https://sca-api.veracode.eu - European Region.
- https://sca-api.veracode.us - United States Federal Region.
maxErrorLines
The maximum number of lines of build error messages that the CLI transmits to the REST API when reporting a build failure.
proxyType
One of the strings HTTP or SOCKS, indicating the kind of proxy the agent uses when connecting to proxyHost and proxyPort.
proxyHost
The IP or hostname that the Agent should use for proxy communication.
proxyPort
The integer value of the port on the IP or hostname specified in proxyHost.
proxyUsername
The username that the agent uses to authenticate against the proxy specified by proxyHost and proxyPort.
proxyPassword
The password that the agent uses to authenticate against the proxy specified by proxyHost and proxyPort.
region
The region-specific server where Veracode stores your results. Overrides apiUrl. Valid values are:
- COM - Commercial Region. The default.
- ER - European Region.
- FED - United States Federal Region.
skipVersionCheck
A boolean which determines whether the agent attempts to check for the latest version.
scmType
One of the following supported source code management systems: GITHUB, GITHUBENTERPRISE, GIT, STASH.
scmToken
A GitHub or GitHub Enterprise API token which may also be used to clone private repos.
scmUrl
The endpoint used to communicate with the API of your source code management system.
scmUsername
The username used to authenticate against the scmUrl above.
scmPassword
The password associated with scmUsername.
Environment variables
As an alternative to the parameters set in the agent.yml file, you can configure SCA agents using the following environment variables.
SRCCLR_API_TOKEN
Provides an alternate means of supplying the agentAuthorization token required to use the REST API. If present, this variable supersedes the configuration file.
SRCCLR_API_URL
Specifies the URL for the Veracode Platform backend API that the SCA agent uses to manage scans. Overrides SRCCLR_REGION. Valid values are:
- https://sca-api.veracode.com - Commercial Region. The default.
- https://sca-api.veracode.eu - European Region.
- https://sca-api.veracode.us - United States Federal Region.
SRCCLR_REGION
Region-specific server where Veracode stores your results. Valid values are:
- COM - Commercial Region. The default.
- ER - European Region.
- FED - United States Federal Region.
SRCCLR_TLS_EXPAND
When set to TRUE, the SCA agent can use an expanded set of ciphers to connect to the Veracode Platform. When set to FALSE, the agent can only use FIPS-compliant ciphers. Valid values are:
- TRUE - The default value for the Commercial and European Regions.
- FALSE - The default and only valid value for the United States Federal Region.
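The SRCCLR_API_URL, SRCCLR_REGION and SRCCLR_TLS_EXPAND entries above, together with the Federal-region proxy restriction in the proxy section, define a small set of precedence and validity rules. The following added shell example, which is not Veracode's code or part of the original page, resolves those variables into the effective settings and rejects the combinations the entries rule out (TLS_EXPAND=TRUE in the Federal region, a proxy in the Federal region, a value other than TRUE/FALSE). The function names and the sample environments are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not Veracode's code: resolve SRCCLR_REGION, SRCCLR_API_URL and
# SRCCLR_TLS_EXPAND into the effective settings and reject combinations the
# entries above rule out. Precedence and defaults follow those entries; the
# function names and sample values are this example's own.

set -eu

# Default API endpoint for a region code (COM is the default region).
region_api_url() {
    case "${1:-COM}" in
        COM) echo "https://sca-api.veracode.com" ;;
        ER)  echo "https://sca-api.veracode.eu" ;;
        FED) echo "https://sca-api.veracode.us" ;;
        *)   echo "unknown region: $1" >&2; return 1 ;;
    esac
}

# Effective API URL: SRCCLR_API_URL, when set, overrides SRCCLR_REGION.
# Arguments: region (may be empty), api_url (may be empty).
effective_api_url() {
    if [ -n "${2:-}" ]; then echo "$2"; else region_api_url "${1:-COM}"; fi
}

# Default for SRCCLR_TLS_EXPAND: TRUE outside the Federal region, FALSE in it.
default_tls_expand() {
    if [ "${1:-COM}" = FED ]; then echo FALSE; else echo TRUE; fi
}

# Check one region / TLS_EXPAND / proxy combination. Prints each problem found
# and returns 1 if there was any, 0 when the combination is allowed.
# Arguments: region, SRCCLR_TLS_EXPAND (empty = default), proxy URL (empty = none).
check_region_settings() {
    region="${1:-COM}"; proxy="${3:-}"
    tls_expand="${2:-$(default_tls_expand "$region")}"
    rc=0
    case "$tls_expand" in
        TRUE|FALSE) ;;
        *) echo "SRCCLR_TLS_EXPAND must be TRUE or FALSE, got '$tls_expand'"; rc=1 ;;
    esac
    if [ "$region" = FED ] && [ "$tls_expand" = TRUE ]; then
        echo "SRCCLR_TLS_EXPAND=TRUE is not valid in the Federal region (FIPS-compliant ciphers only)"; rc=1
    fi
    if [ "$region" = FED ] && [ -n "$proxy" ]; then
        echo "running the agent behind a proxy is not supported in the Federal region"; rc=1
    fi
    return $rc
}

# Constructed sample environments: region|SRCCLR_TLS_EXPAND|https_proxy.
for sample in "COM||" "ER|TRUE|http://127.0.0.1:8080" "FED|FALSE|" "FED|TRUE|" "FED|FALSE|http://127.0.0.1:8080"; do
    region="${sample%%|*}"; rest="${sample#*|}"
    tls="${rest%%|*}"; proxy="${rest#*|}"
    echo "region=${region:-COM} api=$(effective_api_url "$region" "") tls_expand=${tls:-$(default_tls_expand "$region")} proxy=${proxy:-none}"
    if check_region_settings "$region" "$tls" "$proxy"; then echo "  ok"; else echo "  rejected"; fi
done
```

The check is deliberately strict about the Federal region because both restrictions there (FIPS-only ciphers, no proxy) are silent failure modes in a CI pipeline: the scan simply does not connect, and the cause is not obvious from the agent's output.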
SRCCLR_SBOM_SCAN
When set to the default value TRUE, the agent scans all found SBOMs when performing a --quick scan. When set to FALSE, the agent ignores any SBOMs it finds when performing a --quick scan.
JAVA_OPTS
Permits altering the behavior, or system properties, of the underlying Java runtime system that is used by the srcclr command.
VIRTUALENV_PYTHON
Specifies which Python interpreter version virtualenv uses when creating a virtual Python environment. The default value is the interpreter version used to install virtualenv on your machine.
SRCCLR_CONFIG
Provides an explicit means of specifying the scan configuration file location. If this variable is populated, the program will use that path in addition to the system and user locations, but is still subject to override by the --config command line flag. If it is populated but points to an invalid path, the program halts in error.
SRCCLR_NPM_SCOPE
Specifies the scope for scans of NPM and Yarn projects. Valid values are:
- production or prod - Restricts scans to production dependencies, including the optional dependencies you can install. The default value.
- development or dev - Restricts scans to development dependencies.
- all - Scans production and development dependencies.
SRCCLR_SCOPE
For scope options, see the multi-language scan directives.
https_proxy or http_proxy
If you set either of these values, and they contain a URL that points to a proxy which speaks the HTTP proxy protocol, the agent uses them for outbound HTTP requests, just as curl and git do. Also like those programs, the agent accepts inline credentials in the URL, such as http://myUser:[email protected]. If the URL does not contain an explicit port, the traditional port for the protocol of the URL is implicitly inserted: 80 for http:// and 443 for https://. Unlike those other programs, the agent accepts either environment variable name (https_proxy or http_proxy) and uses that proxy information for all HTTP requests. Be aware that proxy values in any configuration file provided to the agent, whether the default location or a file provided with --config, supersede any proxy specification in these environment variables.
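The rules in the entry above (either variable name is accepted, a missing port defaults to 80 or 443 by scheme, inline credentials are allowed, and proxyHost/proxyPort in a configuration file supersede the variables) are easy to get wrong when debugging why a scan reaches the wrong proxy. The following added shell example, not Veracode's code and not part of the original page, applies those rules to a constructed configuration file and a few sample variable values and reports which proxy the agent would use and where that value came from. The page does not say which variable wins when both https_proxy and http_proxy are set; checking https_proxy first is this example's own choice. Function names, the file path and the sample hosts are constructed.

```shell
#!/usr/bin/env sh
# Added example, not Veracode's code: work out which proxy the agent would use
# from the sources described above, applying the stated rules: either variable
# name is accepted, a URL without a port gets 80 (http://) or 443 (https://),
# inline credentials are allowed, and proxyHost/proxyPort in a configuration
# file supersede both variables. Checking https_proxy before http_proxy when
# both are set is this example's own choice; names and values are constructed.

set -eu

# Split a proxy URL into "host port user" ("-" when no credentials are present).
# The password is deliberately not printed.
parse_proxy_url() {
    url="$1"
    case "$url" in
        http://*)  scheme=http;  rest="${url#http://}" ;;
        https://*) scheme=https; rest="${url#https://}" ;;
        *) echo "unsupported proxy URL: $url" >&2; return 1 ;;
    esac
    rest="${rest%%/*}"                       # drop any path component
    user="-"
    case "$rest" in
        *@*) user="${rest%@*}"; user="${user%%:*}"; rest="${rest##*@}" ;;
    esac
    case "$rest" in
        *:*) host="${rest%%:*}"; port="${rest##*:}" ;;
        *)   host="$rest"; if [ "$scheme" = https ]; then port=443; else port=80; fi ;;
    esac
    echo "$host $port $user"
}

# Read one flat "key: value" entry from an agent.yml-style file; empty if the
# file or the key is absent.
config_value() {
    [ -f "$1" ] || return 0
    sed -n "s/^$2:[[:space:]]*//p" "$1"
}

# Effective proxy as "host port source". Arguments: configuration file path
# (may not exist), value of https_proxy, value of http_proxy.
effective_proxy() {
    cfg="$1"; https_val="${2:-}"; http_val="${3:-}"
    host="$(config_value "$cfg" proxyHost)"; port="$(config_value "$cfg" proxyPort)"
    if [ -n "$host" ] && [ -n "$port" ]; then
        echo "$host $port config"; return 0     # file values supersede the variables
    fi
    for candidate in "$https_val" "$http_val"; do   # either variable name is accepted
        if [ -n "$candidate" ]; then
            parsed="$(parse_proxy_url "$candidate")" || return 1
            set -- $parsed
            echo "$1 $2 environment"; return 0
        fi
    done
    echo "none"
}

# Constructed configuration with explicit proxy values, plus a path that does not exist.
WORKDIR="$(mktemp -d)"
CONFIG="$WORKDIR/agent.yml"
printf 'proxyHost: 192.0.2.10\nproxyPort: 3128\n' > "$CONFIG"
MISSING="$WORKDIR/no-such-agent.yml"

echo "http_proxy only, no port:     $(effective_proxy "$MISSING" "" "http://10.0.0.5")"
echo "https_proxy with credentials: $(effective_proxy "$MISSING" "http://myUser:myPass@proxy.example.test:8080" "")"
echo "config beats environment:     $(effective_proxy "$CONFIG" "http://10.0.0.5:8080" "")"
echo "nothing configured:           $(effective_proxy "$MISSING" "" "")"
```

The resolver prints the username from an inline-credential URL but never the password, so its output is safe to paste into a ticket or a CI log when tracing proxy problems.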
You can also use scan directives as environment variables in your CI configuration by adding SRCCLR_ before the directive name and changing the directive name to be all uppercase. For example:
export SRCCLR_SCAN_COLLECTORS=pip
SRCCLR_DOWNLOAD_URL
Specifies the URL from which the SourceClear agent is downloaded. Valid values are:
- sca-downloads.veracode.com - The recommended URL.
- download.sourceclear.com - The old URL, which will eventually be deprecated.
SRCCLR_WORKSPACE_SLUG
Specifies the workspace for an SCA agent using the workspace slug.
SRCCLR_DIRECT_SCAN
Runs a scan against a project to scan only the pom.xml file without scanning the entire source directory.
To run a quick scan on just the pom.xml file, set the following environment variable:
SRCCLR_DIRECT_SCAN=true