Set up SCA CLI agents
To manage and run SCA scans on your desktop, set up SCA CLI agents and use the commands. This CLI is not related to the Veracode CLI.
To manage and run SCA scans in your repos, integrate the SCA CI agent with your repos and manage scans using environment variables.
If you encounter issues with SCA Agent-based Scan in your pipelines, you can use the command-line agent to run scans locally for troubleshooting purposes.
Set up an SCA CLI agent
Set up an SCA agent on your desktop to scan local or public repositories and review the results using a CLI. You can use the CLI to develop scripts.
To configure the agent, use the parameters in the agent.yml file. To run scans, use the commands. To configure scanning options, use the scan directives.
Alternatively, set up an agent using PowerShell.
Before you begin:
- Ensure your local system meets the requirements.
- If you are using Homebrew and have an older version of the agent installed, uninstall the older version before upgrading.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select the Agent-Based Scan tab.
- Select Start a Scan > Create an Agent. Alternatively, select a workspace, select Agents under Manage Workspace, then select Actions > Create.
- On the Set Up Scanner page, select your operating system to open the Command Line Interface page.
- Select the tab for your preferred method of installation for your OS type (curl, apt-get, yum, homebrew).
- Open a terminal window and follow the instructions on the Set Up Scanner page to install the agent.
- Depending on your operating system, you might need to activate the agent.
  - Copy the activation token under the srcclr activate command.
  - Run the activate command for your region from the agent server:
    - Commercial region: srcclr activate
    - European region: srcclr activate --region ER
    - United States Federal region: srcclr activate --region FED
  - Paste the token you copied into your terminal and press Enter. If necessary, you can regenerate tokens.
    Your agent.yml configuration file installs to the ~/.srcclr folder. If that file already exists, you are prompted to enter a profile name. This profile name allows you to choose which token you use when scanning.
    - For workspace agents, we recommend using the name of the workspace associated with the token.
    - For organization agents, if you plan on creating more than one agent to use with different teams or workspaces, we recommend indicating that in the profile name.
- If you are using YUM, add your repo to your list of YUM repos.
- To verify the agent, run one of the following commands to try scanning a specific package manager.
  - Ant: srcclr test --ant
  - Bower: srcclr test --bower
  - Cocoapods: srcclr test --cocoapods
  - Composer: srcclr test --composer
  - Glide: srcclr test --glide
  - Go Get: srcclr test --go
  - Godep: srcclr test --godep
  - Govendor: srcclr test --govendor
  - Gradle: srcclr test --gradle
  - Ivy: srcclr test --ivy
  - Maven: srcclr test --maven
  - NPM: srcclr test --npm
  - Python: srcclr test --pip
  - Ruby Gems: srcclr test --gem
  - SBT: srcclr test --sbt
  - Trash: srcclr test --trash
  - Yarn: srcclr test --yarn
  - Nuget: srcclr test --nuget
If the agent installs successfully, you can view all the tests with a result of PASSED.
Set up an SCA CLI agent using PowerShell
If you are running a scan in a Windows environment and do not want to use Chocolatey to install SCA CLI agents, you can use PowerShell.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select a workspace.
- Select Agents > Actions > Create > Windows.
- Select PowerShell.
- Select Create Agent & Generate Token.
- Set the $Env:SRCCLR_API_TOKEN environment variable to the authentication token you just generated.
- If your Veracode account is in the Commercial region, skip this step. If your Veracode account is in the European or United States Federal region, set the $Env:SRCCLR_REGION environment variable to one of the following:
  - European region: ER
  - United States Federal region: FED
- In your PowerShell terminal, set execution policy to AllSigned.

      Set-ExecutionPolicy AllSigned -Scope Process -Force

  By default, PowerShell does not permit scripts to run.
- To download the script, run:

      $ProgressPreference = "silentlyContinue"; iex ((New-Object System.Net.WebClient).DownloadString('https://sca-downloads.veracode.com/ci.ps1'))
Add your repo to your YUM repos
If you are using YUM, add your repository to your list of YUM repositories by creating a file /etc/yum.repos.d/SRCCLR.repo with the following content.

    [SourceClear]
    name=SourceClear
    baseurl=https://sca-downloads.veracode.com/redhat/x86_64/
    enabled=1
    gpgcheck=1
    gpgkey=https://sca-downloads.veracode.com/redhat/SRCCLR-GPG-KEY

To update and install, run:

    sudo yum update
    sudo yum install srcclr
The first time you run this command, you are prompted to accept the GPG key.
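The repo definition above depends on gpgcheck=1 and HTTPS URLs to authenticate the packages yum installs. The following shell function is an added example, not part of the Veracode documentation: it lints a .repo file for settings that weaken that verification. The names check_repo_file and write_samples, and both sample files, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Veracode's code): lint a yum .repo file for settings that
# weaken package verification. check_repo_file and write_samples are
# hypothetical helper names.

# Prints one finding per line; returns 0 if the file is clean, 1 otherwise.
check_repo_file() {
    awk '
        function report() {
            if (section == "" || enabled == "0") return   # skip disabled repos
            if (gpgcheck != "1") { print section ": gpgcheck is not set to 1"; bad = 1 }
            if (baseurl !~ /^https:\/\//) { print section ": baseurl is not HTTPS"; bad = 1 }
            if (gpgkey !~ /^(https|file):\/\//) { print section ": gpgkey is not HTTPS or file"; bad = 1 }
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }             # comments, blank lines
        /^\[/ { report(); section = $0; enabled = "1"
                gpgcheck = baseurl = gpgkey = ""; next }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled") enabled = val
            else if (key == "gpgcheck") gpgcheck = val
            else if (key == "baseurl") baseurl = val
            else if (key == "gpgkey") gpgkey = val
        }
        END { report(); exit bad + 0 }
    ' "$1"
}

# Constructed samples: the repo definition from this page, and a weakened
# variant (signature checks off, plain-HTTP placeholder mirror, no key).
write_samples() {
    cat > "$1/good.repo" <<'EOF'
[SourceClear]
name=SourceClear
baseurl=https://sca-downloads.veracode.com/redhat/x86_64/
enabled=1
gpgcheck=1
gpgkey=https://sca-downloads.veracode.com/redhat/SRCCLR-GPG-KEY
EOF
    cat > "$1/weak.repo" <<'EOF'
[SourceClear]
baseurl=http://mirror.example.invalid/redhat/x86_64/
enabled=1
gpgcheck=0
EOF
}
```

After creating the repo file, run check_repo_file /etc/yum.repos.d/SRCCLR.repo; no output and exit status 0 mean none of the weak settings were found.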
Uninstall older agents using Homebrew
If you are using Homebrew and have previously installed version 3.8.30 or earlier of the SCA agent:
brew uninstall srcclr
brew untap srcclr/srcclr
brew tap veracode/srcclr
brew install srcclr