Scanning an SBOM with the SCA agent

In SCA agent-based --quick scans, Veracode scans all found SBOMs by default. A full scan ignores all SBOM files.

Prerequisites

SBOM file names must be in one of the following formats:
- CycloneDX (CDX) format with file name ending in bom.json
- Software Package Data Exchange (SPDX) format with file name ending in spdx.json
Supported SBOM versions:
- CycloneDX: v1.6 and lower
- SPDX: v2.3 and lower

Scan SBOM files only

By default, SCA will scan all files, but to scan only SBOM files, configure the agent to use only the SBOM collector by using one of the following methods:

Scan command:

srcclr scan --quick --scan-collectors SbomQuickScanCollector

Environment variable:

Windows PowerShell
macOS or Linux

$env:SRCCLR_SCAN_COLLECTORS='SbomQuickScanCollector'

export SRCCLR_SCAN_COLLECTORS=SbomQuickScanCollector

YAML file: Add scan_collectors: SbomQuickScanCollector to one of the following files:
- agent.yml for all scans
- srcclr.yml at your project root

Ignore SBOM files

To exclude SBOM files from scanning, configure the agent to skip the SBOM collector. Use one of the following methods:

Scan command:

srcclr scan --quick --skip-collectors SbomQuickScanCollector

Environment variable:

Windows PowerShell
macOS or Linux

$env:SRCCLR_SKIP_COLLECTORS='SbomQuickScanCollector'

export SRCCLR_SKIP_COLLECTORS=SbomQuickScanCollector

YAML file: Add skip_collectors: SbomQuickScanCollector to one of the following files:
- agent.yml for all scans
- srcclr.yml at your project root

Prerequisites​

Scan SBOM files only​

Ignore SBOM files​

Did you find this helpful?

Prerequisites

Scan SBOM files only

Ignore SBOM files