Agent-based scan language support matrix

This table identifies the functionality available to each language and package manager that Veracode Software Composition Analysis agents support.

A quick scan does not build the project or a dependency graph. To generate a list of libraries and versions in the project, a quick scan uses the --quick directive to read the project's manifest files or package lock files. Alternatively, for some languages, a quick scan compares the hashes of JAR files or DLL files in the project with hashes in the Veracode database.
A full scan builds the project and a dependency graph, so you can see which libraries are direct or transitive and can prioritize accordingly. Without the -–quick directive, a full scan is the default scan for the SCA agent.
A vulnerable method scan is not a separate scan but a standard part of a full scan, provided vulnerable methods are supported for the project's language and package manager. During the build, the agent determines whether a project’s first-party code calls any vulnerable methods in the third-party code.

Language	Package Manager	Quick Scan (Level 1)	Full Scan (Level 2)	Vulnerable Methods Scan (Level 3)
C#/.NET	DLL	X	X	X
C#/.NET	NuGet	X	X	X
C/C++	Make		X
Go	Dep	X	X
Go	Glide	X	X
Go	go get		X
Go	Go modules	X	X	X
Go	GoDep	X	X
Go	GoVendor	X	X
Go	Trash	X	X
Java	Ant		X	X
Java	Gradle		X	X
Java	Jars	X	X	X
Java	Maven		X	X
JavaScript	Bower	X	X
JavaScript	NPM	X	X	X
JavaScript	Yarn	X	X	X
Kotlin	Gradle		X	X
Kotlin	Jars	X	X	X
Kotlin	Maven		X	X
Objective-C	CocoaPods	X	X
PHP	Composer	X	X
Python	pip		X	X
Python	Pipenv	X	X	X
Python	Poetry	X	X
Ruby	Bundler	X	X	X
Scala	Jars	X	X	X
Scala	SBT		X
Swift	CocoaPods	X	X