Veracode SCA agent environment variables
The Veracode Software Composition Analysis (SCA) agent can read from these environment variables instead of variables set in the agent.yml file.
SRCCLR_API_TOKEN
Provides an alternate means of supplying the agentAuthorization token required to use the agent-based scanning API. If present, this variable supersedes the configuration file.
SRCCLR_API_URL
Specifies the URL for the Veracode Platform backend API that the SCA agent uses to manage scans. Overrides SRCCLR_REGION. Valid values are:
https://sca-api.veracode.com- Commercial Region. The default.https://sca-api.veracode.eu- European Regionhttps://sca-api.veracode.us- United States Federal Region
SRCCLR_REGION
Region-specific server where Veracode stores your results. Valid values are:
COM- Commercial Region. The default.ER- European Region.FED- United States Federal Region.
SRCCLR_TLS_EXPAND
When set to TRUE, the SCA agent can use an expanded set of ciphers to connect to the Veracode Platform. When set to FALSE, the agent can only use FIPS-compliant ciphers. Valid values are:
TRUE- The default value for the Commercial and European Regions.FALSE- The default and only valid value for the United States Federal Region.
SRCCLR_SBOM_SCAN
When set to the default value TRUE, the agent scans all found SBOMs when performing a --quick scan. When set to FALSE, the agent ignores any SBOMs it finds when performing a --quick scan.
JAVA_OPTS
Permits altering the behavior, or system properties, of the underlying Java runtime system that is used by the srcclr command.
VIRTUALENV_PYTHON
Specifies which Python interpreter version virtualenv uses when creating a virtual Python environment. The default value is the interpreter version used to install virtualenv on your machine.
SRCCLR_CONFIG
Provides an explicit means of specifying the agent-based scanning configuration file location. If this variable is populated, the program will use that path in addition to the system and user locations, but is still subject to override by the --config command line flag. If it is populated but points to an invalid path, the program halts in error.
SRCCLR_NPM_SCOPE
Specifies the scope for scans of NPM and Yarn projects. Valid values are:
productionorprod- Restricts scans to production dependencies, including the optional dependencies you can install. The default value.developmentordev- Restricts scans to development dependencies.all- Scans production and development dependencies.
SRCCLR_SCOPE
For scope options, see Multi-Language Scan Directives.
https_proxy or http_proxy
If you set either of these values and they contain a URL that points to a proxy which speaks the HTTP proxy protocol, the agent uses them for outbound HTTP requests, just as curl and git behave. Also like the other programs, the agent accepts inline credentials in the URL, such as http://myUser:[email protected]. If the URL does not contain an explicit port, the traditional ports for the protocol of the URL are implicitly inserted: 80 for http:// and 443 for https://. Unlike those other programs, the agent accepts either environment variable name (https_proxy or http_proxy) and uses that proxy information for all HTTP requests. Be aware that proxy values in any configuration file provided to the agent, the default location or values provided by –config supersede any proxy specification in these environment variables.
You can also use scan directives as environment variables in your CI configuration by adding SRCCLR_ before the directive name and changing the directive name to be all uppercase. For example:
export SRCCLR_SCAN_COLLECTORS=pip
SRCCLR_DOWNLOAD_URL
Downloads the SourceClear agent.
sca-downloads.veracode.com- The recommended URLdownload.sourceclear.com- The old URL that will be eventually deprecated