Skip to main content

Veracode SCA agent environment variables

The Veracode Software Composition Analysis (SCA) agent can read from these environment variables instead of variables set in the agent.yml file.


Provides an alternate means of supplying the agentAuthorization token required to use the agent-based scanning API. If present, this variable supersedes the configuration file.


Specifies the Veracode Platform backend URL that the SCA agent uses to communicate with the API of your source code management system. Overrides SRCCLR_REGION. Valid values are:

  • - United States Region. The default.
  • - European Region
  • - United States Federal Region


Region-specific server where Veracode stores your results. Valid values are:

  • COM - Commercial Region. The default.
  • ER - European Region.
  • FED - United States Federal Region.


When set to TRUE, the SCA agent can use an expanded set of ciphers to connect to the Veracode Platform. When set to FALSE,the agent can only use FIPS-compliant ciphers. Valid values are:

  • TRUE - The default value for the Commercial and European Regions.
  • FALSE - The default and only valid value for the United States Federal Region.


Permits altering the behavior, or system properties, of the underlying Java runtime system that is used by the srcclr command.


Specifies which Python interpreter version virtualenv uses when creating a virtual Python environment. The default value is the interpreter version used to install virtualenv on your machine.


Provides an explicit means of specifying the agent-based scanning configuration file location. If this variable is populated, the program will use that path in addition to the system and user locations, but is still subject to override by the --config command line flag. If it is populated but points to an invalid path, the program halts in error.


Specifies the scope for scans of NPM and Yarn projects. Valid values are:

  • production or prod - Restricts scans to production dependencies, including the optional dependencies you can install. The default value.
  • development or dev - Restricts scans to development dependencies.
  • all - Scans production and development dependencies.


For scope options, see Multi-Language Scan Directives.

https_proxy or http_proxy

If you set either of these values and they contain a URL that points to a proxy which speaks the HTTP proxy protocol, the agent uses them for outbound HTTP requests, just as curl and git behave. Also like the other programs, the agent accepts inline credentials in the URL, such as http://myUser:[email protected]. If the URL does not contain an explicit port, the traditional ports for the protocol of the URL are implicitly inserted: 80 for http:// and 443 for https://. Unlike those other programs, the agent accepts either environment variable name (https_proxy or http_proxy) and uses that proxy information for all HTTP requests. Be aware that proxy values in any configuration file provided to the agent, the default location or values provided by –config supersede any proxy specification in these environment variables.

You can also use scan directives as environment variables in your CI configuration by adding SRCCLR_ before the directive name and changing the directive name to be all uppercase. For example: