
Set up SCA CLI agents

To manage and run SCA scans on your desktop, set up SCA CLI agents and use the commands. This CLI is not related to the Veracode CLI.

To manage and run SCA scans in your repos, integrate the SCA CI agent with your repos and manage scans using environment variables.

If you encounter issues with SCA Agent-based Scan in your pipelines, you can use the command-line agent to run scans locally for troubleshooting purposes.

Set up an SCA CLI agent

Set up an SCA agent on your desktop to scan local or public repositories and review the results using a CLI. You can use the CLI to develop scripts.

To configure the agent, use the parameters in the agent.yml file. To run scans, use the commands. To configure scanning options, use the scan directives.

Alternatively, set up an agent using PowerShell.

Before you begin:

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select the Agent-Based Scan tab.
  3. Select Start a Scan > Create an Agent. Alternatively, select a workspace, select Agents under Manage Workspace, then select Actions > Create.
  4. On the Set Up Scanner page, select your operating system to open the Command Line Interface page.
  5. Select the tab for your preferred method of installation for your OS type (curl, apt-get, yum, homebrew).
  6. Open a terminal window and follow the instructions on the Set Up Scanner page to install the agent.

Authenticate with Veracode

You can authenticate with Veracode in the following ways:

  • Use the SCA activation token.
  • If your organization uses single sign-on (SSO), use OAuth to sign in with your username and password.
  • If your organization doesn't use SSO, use your API credentials to authenticate with Veracode using HMAC. When using the CLI in automation, such as scripts, use HMAC authentication.

Use activation token

Use your activation token to authenticate with the SCA CLI.

To complete this task:

  1. Depending on your operating system, you might need to activate the agent. Copy the activation token under the srcclr activate command.

  2. From the agent server, run the command for your region:

    • Commercial region: srcclr activate
    • European region: srcclr activate --region ER
    • United States Federal region: srcclr activate --region FED
  3. To complete activation, paste the token you copied into your terminal and press Enter. If necessary, you can regenerate tokens.

    Your agent.yml configuration file is written to the ~/.srcclr folder. If the file already exists, you are prompted to enter a profile name. The profile name lets you choose which token to use when scanning.

    • For workspace agents, we recommend using the name of the workspace associated with the token.
    • For organization agents, if you plan to create more than one agent for different teams or workspaces, we recommend indicating this in the profile name.
  4. If you install the agent with YUM, add the Veracode repository to your list of YUM repositories so that YUM can install and update the package.

  5. To verify the agent, run one of the following commands to scan a specific package manager:

    • Ant: srcclr test --ant
    • Bower: srcclr test --bower
    • Cocoapods: srcclr test --cocoapods
    • Composer: srcclr test --composer
    • Glide: srcclr test --glide
    • Go Get: srcclr test --go
    • Godep: srcclr test --godep
    • Govendor: srcclr test --govendor
    • Gradle: srcclr test --gradle
    • Ivy: srcclr test --ivy
    • Maven: srcclr test --maven
    • NPM: srcclr test --npm
    • Python: srcclr test --pip
    • Ruby Gems: srcclr test --gem
    • SBT: srcclr test --sbt
    • Trash: srcclr test --trash
    • Yarn: srcclr test --yarn
    • Nuget: srcclr test --nuget

If the agent is installed correctly, every test reports a result of PASSED.
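The page notes that the CLI is meant to be scripted and that a correct install shows PASSED for the package managers you test. The following added example (not Veracode's own code) is a small POSIX sh wrapper that does that check non-interactively: it refuses to run without credentials, picks the `srcclr test` flags from the manifest files present in a repository, and treats any FAILED line as a failure. It assumes that the agent reads its token either from ~/.srcclr/agent.yml (written by `srcclr activate`) or from the SRCCLR_API_TOKEN variable, and that `srcclr test` prints one line per test containing PASSED or FAILED; the exact output layout is an assumption and the sample lines used below are constructed.

```shell
#!/bin/sh
# Added example, not part of the Veracode SCA agent distribution.

# Choose the `srcclr test` flags for the package managers present in a
# directory, based on the manifest file each one uses. When a yarn.lock
# is present, Yarn is preferred over npm for the same package.json.
detect_test_flags() {
  dir="$1"; flags=""
  [ -f "$dir/pom.xml" ]          && flags="$flags --maven"
  [ -f "$dir/build.gradle" ]     && flags="$flags --gradle"
  if [ -f "$dir/yarn.lock" ]; then flags="$flags --yarn"
  elif [ -f "$dir/package.json" ]; then flags="$flags --npm"; fi
  [ -f "$dir/requirements.txt" ] && flags="$flags --pip"
  [ -f "$dir/Gemfile" ]          && flags="$flags --gem"
  [ -f "$dir/composer.json" ]    && flags="$flags --composer"
  echo "${flags# }"
}

# Read `srcclr test` output on stdin. Exit 0 only if at least one line
# reports PASSED and no line reports FAILED (empty output is a failure,
# so a silently missing agent is not mistaken for success).
all_passed() {
  awk 'BEGIN { ok = 0; bad = 0 }
       /FAILED/ { bad = 1 }
       /PASSED/ { ok = 1 }
       END { exit !(ok && !bad) }'
}

# Usage: run_checks <repo dir>   (needs srcclr on PATH)
# The token itself is never echoed or written anywhere by this script.
run_checks() {
  if [ -z "${SRCCLR_API_TOKEN:-}" ] && [ ! -f "$HOME/.srcclr/agent.yml" ]; then
    echo "no credentials: run 'srcclr activate' or set SRCCLR_API_TOKEN" >&2
    return 1
  fi
  for f in $(detect_test_flags "$1"); do
    srcclr test "$f" | all_passed || {
      echo "srcclr test $f did not report PASSED" >&2; return 1; }
  done
  echo "all package manager tests passed"
}
```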

Use OAuth authentication

Use OAuth authentication if your organization uses SSO and you interact directly with the CLI. If you use the CLI in automation where you do not interact with the CLI, use HMAC authentication.

Important

OAuth authentication is supported only for application profile–based scans. When this authentication method is used, SCA agent scan results are explicitly associated with the application profile specified during a scan. As a result, scans that are not linked to an application profile are not supported. When running an SCA agent scan, you must specify the application profile with the appname command. See here for more information related to the appname command.

Before you begin:

To complete this task:

  1. In the CLI, run:
     ./srcclr login
  2. Select your region.
  3. On the device activation page, select NEXT.
  4. Enter your Username and Password.
  5. Select SIGN IN to authenticate. After the device is successfully activated, you can return to the CLI.

Use HMAC authentication

Use HMAC authentication to authenticate with Veracode using your API credentials. Use this method if your organization doesn't use SSO, or if you're using the SCA CLI for automation, such as in a script. You configure HMAC authentication by setting environment variables for the SCA CLI.

Important

HMAC authentication is supported only for application profile–based scans. When this authentication method is used, SCA agent scan results are explicitly associated with the application profile specified during a scan. As a result, scans that are not linked to an application profile are not supported. When running an SCA agent scan, you must specify the application profile with the appname command. See here for more information related to the appname command.

Before you begin:

To perform HMAC authentication, ensure you have generated your Veracode API credentials from the Veracode Platform. See here for instructions to configure API credentials as environment variables.

Set up an SCA CLI agent using PowerShell

If you are running a scan in a Windows environment and do not want to use Chocolatey to install SCA CLI agents, you can use PowerShell.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.

  2. Select Agent-Based Scan.

  3. Select a workspace.

  4. Select Agents > Actions > Create > Windows.

  5. Select PowerShell.

  6. Select Create Agent & Generate Token.

  7. Set the $Env:SRCCLR_API_TOKEN environment variable to the authentication token you just generated.

  8. If your Veracode account is in the Commercial region, skip this step. If your Veracode account is in the European or United States Federal region, set the $Env:SRCCLR_REGION environment variable to one of the following:

    • European region: ER
    • United States Federal region: FED
  9. In your PowerShell terminal, set execution policy to AllSigned.

    Set-ExecutionPolicy AllSigned -Scope Process -Force

    By default, PowerShell does not permit scripts to run.

  10. To download and run the script, run:

    $ProgressPreference = "silentlyContinue"; iex ((New-Object System.Net.WebClient).DownloadString('https://sca-downloads.veracode.com/ci.ps1'))

Add your repo to your YUM repos

If you are using YUM, add your repository to your list of YUM repositories by creating a file /etc/yum.repos.d/SRCCLR.repo with the following content.

[SourceClear]
name=SourceClear
baseurl=https://sca-downloads.veracode.com/redhat/x86_64/
enabled=1
gpgcheck=1
gpgkey=https://sca-downloads.veracode.com/redhat/SRCCLR-GPG-KEY

To update and install, run:

sudo yum update
sudo yum install srcclr

The first time you run this command, you are prompted to accept the GPG key.

Uninstall older agents using Homebrew

If you are using Homebrew and have previously installed version 3.8.30 or earlier of the SCA agent:

brew uninstall srcclr
brew untap srcclr/srcclr
brew tap veracode/srcclr
brew install srcclr