Best practices for Veracode SCA

We recommend the following best practices to make the most effective use of Veracode Software Composition Analysis (SCA), using either SCA Agent-based Scan or SCA Upload and Scan. These best practices help you effectively use Veracode SCA to review the security policy compliance of your code before releasing it to production.

Search the Veracode Vulnerability Database before using a library

The Veracode Vulnerability Database provides extensive details of the security impact of including open-source libraries in your code.

SCA Agent-based Scan

Use the appropriate type of agent for your workflow

If you want to create a standardized pipeline configuration that applies to multiple workspaces, activate an organization agent. If your development team primarily works in a single workspace, activate a workspace agent. See Set up SCA agents.

Select the appropriate default branch for your projects

The default branch for a project determines the data that displays in the Veracode Platform, the data that Veracode adds to linked applications, and the branch in which Veracode automatically creates issues for newly released vulnerabilities.

For a unified view of your results for all Veracode scans of the same application, link the projects you create for SCA agent-based scans to your Veracode Platform application profiles. To evaluate the policy status of third-party libraries included in an application profile through a linked project, you must perform an SCA Upload and Scan of the application.

Include SCA rules in your workspaces

You can add rules to your workspaces to enforce security compliance on your code bases.

Prioritize addressing vulnerable methods

Projects that use a vulnerable method call the specific piece of code that makes a library vulnerable, rather than merely including the library, so they are at particular risk of attack.

Use agent-based scans with Pipeline Scan

Pipeline Scan provides fast feedback on findings introduced on new commits to first-party code. Like Veracode SCA agent-based scans, Pipeline Scan directly embeds into team development pipelines.

Use fewer than 100 projects in a single workspace

There is no limit to the number of projects in a workspace, but Veracode recommends using fewer than 100 to avoid causing performance delays. You can create new workspaces with the SCA REST API or in the Veracode Platform.

Use the REST APIs to view scan results

To access immediate, high-level finding details about your agent-based scan workspaces, use the SCA REST API. For more detailed information about your Veracode SCA findings, link your project to an application profile and use the Findings REST API.

Troubleshoot scan issues from the command line

If you encounter errors with the Veracode Software Composition Analysis agent in your pipeline, you can troubleshoot by scanning locally in your command-line interface. To save time in troubleshooting, include the --quick parameter in the scan command.

SCA Upload and Scan

Perform an SCA Upload and Scan as part of a Static Analysis

Veracode analyzes your code and your open-source code in a single Upload and Scan operation. See SCA Upload and Scan for more information.

Use the Findings REST API to view scan results

To access details about your Veracode SCA findings without signing in to the Veracode Platform, use the Findings REST API.

Include SCA rules in your application security policies

You can add Veracode SCA requirements to your policies to restrict the usage of vulnerable third-party components. You can also require the application to meet minimum Veracode Levels, CVSS scores, and grace period requirements to pass policy.
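The following is an added example (not Veracode's own code or API) of the two ideas above: prioritizing findings whose vulnerable method is actually called, and gating a release on a CVSS threshold plus grace period. The finding fields and the sample records are constructed assumptions for illustration, not the Findings REST API schema.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ScaFinding:
    """One third-party finding. Field names are assumptions for this example,
    not the schema returned by the Veracode Findings REST API."""
    library: str
    issue_id: str            # constructed placeholder id, not a real CVE number
    cvss: float
    vulnerable_method: bool  # True if the project calls the vulnerable code path
    first_found: date        # date the finding first appeared on the default branch


def violates_policy(f: ScaFinding, today: date, min_cvss: float, grace_days: int) -> bool:
    """A finding violates policy when its CVSS score meets the policy threshold
    and the grace period allowed for fixing it has already expired."""
    if f.cvss < min_cvss:
        return False
    return (today - f.first_found).days > grace_days


def triage(findings, today: date, min_cvss: float = 7.0, grace_days: int = 30):
    """Order findings for remediation: policy violations first, then findings
    whose vulnerable method is actually called, then by descending CVSS."""
    return sorted(
        findings,
        key=lambda f: (
            not violates_policy(f, today, min_cvss, grace_days),
            not f.vulnerable_method,
            -f.cvss,
        ),
    )


def policy_passes(findings, today: date, min_cvss: float = 7.0, grace_days: int = 30) -> bool:
    """Release gate: pass only if no finding violates policy."""
    return not any(violates_policy(f, today, min_cvss, grace_days) for f in findings)


# Constructed sample findings (not real data) for a scan evaluated on SCAN_DATE.
SCAN_DATE = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    ScaFinding("lib-a", "SAMPLE-1", 9.8, False, date(2024, 5, 25)),  # critical, still in grace
    ScaFinding("lib-b", "SAMPLE-2", 7.5, True, date(2024, 4, 1)),    # method called, grace expired
    ScaFinding("lib-c", "SAMPLE-3", 5.3, True, date(2024, 1, 1)),    # method called, below threshold
    ScaFinding("lib-d", "SAMPLE-4", 8.1, False, date(2024, 3, 1)),   # included only, grace expired
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS, SCAN_DATE):
        print(f.issue_id, f.library, f.cvss, "calls vulnerable method" if f.vulnerable_method else "")
    print("policy passes:", policy_passes(SAMPLE_FINDINGS, SCAN_DATE))
```

With the defaults (CVSS 7.0, 30-day grace) the sample fails policy; raising the grace period to 100 days lets it pass, which is the trade-off a grace period rule makes explicit.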