Using Veracode SCA with programming languages
Veracode Software Composition Analysis features are available for several programming languages, which all have specific requirements for performing scans.
For the detailed list of supported tools and languages, see the SCA agent-based scan language support matrix and SCA upload and scan language support matrix.
Java
To assess the security risk of open-source components in your Java code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline. Plugins are available to automate scanning of Gradle or Maven repositories for Java applications. Sample Java repositories are available in GitHub to demonstrate how to run agent-based scans.
To analyze the open-source risk of your compiled Java application as part of a Veracode Static Analysis, upload your application binaries to Veracode. Your application must meet the Java packaging requirements. See Requesting a Veracode SCA upload scan and Reviewing Your Application Portfolio with Veracode SCA.
C#/.NET
To assess the security risk of open-source components in your .NET code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline.
To analyze the open-source risk of your compiled .NET application as part of a Veracode Static Analysis, upload your application binaries to Veracode. Your application must meet the .NET packaging requirements. See Requesting a Veracode SCA upload scan and Reviewing Your Application Portfolio with Veracode SCA.
JavaScript
To assess the security risk of open-source components in your JavaScript code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline. Sample JavaScript repositories are available in GitHub to demonstrate how to run agent-based scans.
To analyze the open-source risk of your compiled JavaScript application as part of a Veracode Static Analysis, upload your application binaries to Veracode. Your application must meet the JavaScript packaging requirements. See Requesting a Veracode SCA upload scan and Reviewing Your Application Portfolio with Veracode SCA.
PHP
To assess the security risk of open-source components in your PHP code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline.
To analyze the open-source risk of your compiled PHP application as part of a Veracode Static Analysis, upload your application binaries to Veracode. Your application must meet the PHP packaging requirements. See Requesting a Veracode SCA upload scan and Reviewing Your Application Portfolio with Veracode SCA.
Scala
To assess the security risk of open-source components in your Scala code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline. Sample Scala repositories are available in GitHub to demonstrate how to run agent-based scans.
To analyze the open-source risk of your compiled Scala application as part of a Veracode Static Analysis, upload your application binaries to Veracode. Your application must meet the Scala packaging requirements. See Requesting a Veracode SCA upload scan and Reviewing Your Application Portfolio with Veracode SCA.
Kotlin
To assess the security risk of open-source components in your Kotlin code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline. Plugins are available to automate scanning of Gradle or Maven repositories for Kotlin applications. Sample Kotlin repositories are available in GitHub to demonstrate how to run agent-based scans.
To analyze the open-source risk of your compiled Kotlin application as part of a Veracode Static Analysis, upload your application binaries to Veracode. Your application must meet the Kotlin packaging requirements. See Requesting a Veracode SCA upload scan and Reviewing Your Application Portfolio with Veracode SCA.
Objective-C
To assess the security risk of open-source components in your Objective-C code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline. Sample Objective-C repositories are available in GitHub to demonstrate how to run agent-based scans.
To analyze the open-source risk of your compiled Objective-C application as part of a Veracode Static Analysis, upload your application binaries to Veracode. Your application must meet the Objective-C packaging requirements. See Requesting a Veracode SCA upload scan and Reviewing Your Application Portfolio with Veracode SCA.
Swift
To assess the security risk of open-source components in your Swift code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline. Sample Swift repositories are available in GitHub to demonstrate how to run agent-based scans.
To analyze the open-source risk of your compiled Swift application as part of a Veracode Static Analysis, upload your application binaries to Veracode. Your application must meet the Swift packaging requirements. See Requesting a Veracode SCA upload scan and Reviewing Your Application Portfolio with Veracode SCA.
Ruby
To assess the security risk of open-source components in your Ruby code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline. Sample Ruby repositories are available in GitHub to demonstrate how to run agent-based scans.
To analyze the open-source risk of your compiled Ruby application as part of a Veracode Static Analysis, upload your application binaries to Veracode. Your application must meet the Ruby packaging requirements. See Requesting a Veracode SCA upload scan and Reviewing Your Application Portfolio with Veracode SCA.
Python
To assess the security risk of open-source components in your Python code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline. Sample Python repositories are available in GitHub to demonstrate how to run agent-based scans.
To analyze the open-source risk of your compiled Python application as part of a Veracode Static Analysis, upload your application binaries to Veracode. Your application must meet the Python packaging requirements. See Requesting a Veracode SCA upload scan and Reviewing Your Application Portfolio with Veracode SCA.
Go
To assess the security risk of open-source components in your Go code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline. Sample Go repositories are available in GitHub to demonstrate how to run agent-based scans.
To analyze the open-source risk of your compiled Go application as part of a Veracode Static Analysis, upload your application binaries to Veracode. Your application must meet the Go packaging requirements. See Requesting a Veracode SCA upload scan and Reviewing Your Application Portfolio with Veracode SCA.
C/C+
To assess the security risk of open-source components in your C or C++ code early and frequently in your development, perform agent-based scans on the command line or as an automated step in your pipeline.