Understanding Deployment Options for Agent-Based Scanning

Veracode Software Composition Analysis

Introduction

Veracode Software Composition Analysis agent-based scanning is a set of technologies that helps teams use open-source software safely while building secure software. The solution integrates transparently into the existing software development process with minimal change or impact. The agent-based scanning platform offers a number of deployment options, each designed for specific use cases. A typical deployment combines several of these options, chosen to match the team structure, team process, and existing toolchain.

Agent-Based Scanning Web Platforms

Veracode Platform

In the Veracode Platform, you can analyze the various issues that agent-based scans identify. User accounts in the Veracode Platform are tied to the accounts of their organization.

Veracode Vulnerability Database

The Veracode Vulnerability Database is a resource for you to explore the massive Veracode database of open-source libraries along with the growing list of vulnerabilities discovered and curated by Veracode researchers. You can perform searches for specific libraries or vulnerabilities to find details. For more information, see About the Veracode Vulnerability Database.

Veracode SCA Scanning Agents

Command-Line Interface

The Veracode SCA agent-based scanning command-line interface (CLI) is a tool designed for you to run from your desktop. You can install and run the CLI on Mac OS X or Linux; on Apple systems, installation and updates use the Homebrew package manager, and a downloadable installer is available for other operating systems. The CLI is designed for users who want to test their source code locally before pushing it to a continuous integration or continuous delivery platform, or who want to scan their code manually. The CLI reports basic results to standard output, or optionally in JSON format, and generates detailed and customizable results on the portal.

In general, if you can build or package a project with default options, the CLI can complete its analysis. If your software has a complex build process or requires advanced configuration, the CLI may not be able to complete its analysis. For example, the CLI may not complete an analysis if the build requires access to private repositories or environment-specific settings. The CLI is a one-time analysis tool that does not automatically re-run when source code is changed or software is rebuilt. You can point the CLI at a Git URL or a local Git-based folder on the file system; for a URL, the CLI performs a shallow clone of the repository, runs a scan, and then deletes the cloned repository from your local file system.

Plugins for Build and Package Managers

Veracode SCA agent-based scanning provides plugins for Maven and Gradle, which are designed to be run from within the team’s continuous integration or continuous delivery pipeline, or alternatively on local builds on a developer’s desktop. These plugins typically install and run automatically each time a build job is executed, inheriting directly from the build definition files stored in the team source code management system.

Plugins for build and package managers are designed for teams and individual developers who are familiar with making configuration changes and want full control over their software build process. When used centrally as part of the continuous integration pipeline, the plugins allow teams to check the security quality of their open-source code every time code is built. When used locally, the plugins allow developers to check their local copy of the software for defects before committing changes to the team.

Build and package management plugins must be added explicitly to each project.

Plugin for Continuous Integration Servers

The continuous integration (CI) server agent runs on your network and plugs into your continuous integration server. Veracode SCA agent-based scanning provides a single cURL command, which pulls down the latest version of the agent and performs a scan for any CI software within a Linux-based environment.

The plugin for CI servers inherits the advantages and disadvantages of the plugins for build and package managers, with the added advantage that it reports directly into the reporting and alerting system that already exists in the CI server. There are numerous configuration options for the CI agent, as it uses the same code base as the CLI agent.