About Veracode SCA Agent Management

Veracode Software Composition Analysis

The Veracode Software Composition Analysis agent, also referred to as the scanner, is the program that builds and scans your code to find third-party libraries and the vulnerabilities contained in those libraries.

Workspace agents let you scan projects and put their results in a specific workspace. When you create a new workspace, you can set up at least one agent for that workspace to scan projects into that workspace.

For organizations that want to minimize setup for new workspaces, Veracode offers agents at the organization level. One organization agent can scan into any workspace. You identify the target workspace at scan time with a command-line flag that takes the workspace slug, or with an environment variable.

Workspace Agent Permissions

If you have the Security Lead role, you can manage any workspace agent.

If you have the Workspace Administrator, Workspace Editor, or Submitter role, you can manage agents for a specific workspace.

Organization-Level Agent Permissions

If you have the Security Lead role, you can create, view, update, and delete organization-level agents.

View Workspace Agents

You can also perform this task with the SCA Agent REST API.

To view agents in the Veracode Platform:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Click the Agent-Based Scan tab.
  3. Select a workspace.
  4. In the Manage Workspace menu, click Agents.

View Organization-Level Agents

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Click the Agent-Based Scan tab.
  3. Click Agent-Based Scan Settings > Agents.

Creating Agents

You can also perform this task with the SCA Agent REST API.

To create agents in the Veracode Platform:

  1. Navigate to the Agents page at either the workspace or organization level.
  2. Click Actions > Create.
  3. Choose your desktop operating system or CI.
  4. For desktop operating systems:
    1. Install the agent.
      • Choose the tab showing your preferred method of installation for your OS type (curl, apt-get, yum, homebrew).
      • Open a terminal window and follow the instructions to install the agent.
    2. Activate the agent.
      • Copy the command to activate the agent and paste it in your terminal.
      • Copy the activate token and paste it in your terminal.
      • After you enter the activation token, the Create action creates the agent.yml configuration file and adds it to the ~/.srcclr folder. If this file already exists, you are prompted to enter a profile name. The profile name lets you choose which token to use when scanning.
        • For workspace agents, Veracode suggests naming the profile after the workspace the token is associated with.
        • For organization-level agents, if you plan to create more than one agent for use with different teams or workspaces, Veracode recommends indicating that in the profile name.
    3. Verify the agent.
      • Run one of these commands to see if you can scan a specific package manager:
        • Ant: srcclr test --ant
        • Bower: srcclr test --bower
        • Cocoapods: srcclr test --cocoapods
        • Composer: srcclr test --composer
        • Glide: srcclr test --glide
        • Go Get: srcclr test --go
        • Godep: srcclr test --godep
        • Govendor: srcclr test --govendor
        • Gradle: srcclr test --gradle
        • Ivy: srcclr test --ivy
        • Maven: srcclr test --maven
        • NPM: srcclr test --npm
        • Python: srcclr test --pip
        • Ruby Gems: srcclr test --gem
        • SBT: srcclr test --sbt
        • Trash: srcclr test --trash
        • Yarn: srcclr test --yarn
        • Nuget: srcclr test --nuget

Scanning with an Organization-Level Agent for Desktop Operating Systems

When scanning with an organization-level agent, append the workspace flag and slug after the scan command:

srcclr scan --ws=<workspace slug>

To find the workspace slug, select the desired workspace from the menu and copy the slug from the field below.

The workspace slug can also be found in the URL of the workspace when you are on any workspace page.

Scanning with an Organization-Level Agent for Desktop Operating Systems Using CI

For organization-level agents, follow the workspace agent instructions, but also add the environment variable SRCCLR_WORKSPACE_SLUG to the appropriate config file. Its value is the workspace slug described above.

Renaming and Deleting Agents

To rename an agent in the Veracode Platform:

  1. Navigate to the Agents page at either the workspace or organization level.
  2. Select an agent.
  3. Click the pencil icon.
  4. Enter the new agent name.
  5. Click Save.

You can also perform this task with the SCA Agent REST API.

To delete an agent in the Veracode Platform:

  1. Navigate to the Agents page at either the workspace or organization level.
  2. Select an agent.
  3. Click the trash can icon.
  4. Click Delete Agent.

Deleting agents cannot be undone. When you delete an agent, any subsequent scans using the token for that agent will fail.

Regenerating the Agent Token

To connect to your organization during scanning, Veracode SCA uses an agent auth token, which acts as a password.

If another user gets access to your token, that person will be able to use the Veracode SCA agent as if they were you. For workspace agent tokens, they can scan into the workspace linked to that agent, which taints your data. For organization-level agent tokens, if they can identify a workspace in your organization, they can scan into that workspace. Keep your token private.

You may want to regenerate this token if you believe it was compromised. Regenerating a token will invalidate the old token. Any agents using this token will no longer be able to scan.

You can also perform this task with the SCA Agent REST API.

To regenerate the token in the Veracode Platform:
  1. Navigate to the Agents page at either the workspace or organization level.
  2. Select an agent.
  3. Click Regenerate Token.

    A new token displays. If you close the page, the token disappears and you must generate it again.

  4. Copy this token and paste it into the relevant configuration file.
  5. Update your environment variables with the new token.
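As an added example (not Veracode's own tooling), the following POSIX shell helper covers step 4 above: it swaps a regenerated token into a local agent config without leaving the secret world-readable, then checks that the revoked token is gone. It assumes the config keeps the token as a top-level "agentAuthorization: <token>" line, which is a hypothetical key name to confirm against your own ~/.srcclr/agent.yml.

```shell
#!/bin/sh
# Added example, not Veracode's own tooling: after regenerating an agent token in
# the Platform, replace the token stored in the local agent config safely.
# ASSUMPTION: the config stores the token as a top-level "agentAuthorization: <token>"
# line (hypothetical key name; confirm against your own ~/.srcclr/agent.yml).

# rotate_agent_token <config-file> <new-token>
# Rewrites the token line via a 0600 temp file; refuses empty or malformed tokens.
rotate_agent_token() {
    cfg="$1"; new="$2"
    [ -f "$cfg" ] || { echo "config not found: $cfg" >&2; return 1; }
    case "$new" in
        ""|*[[:space:]]*) echo "refusing empty or malformed token" >&2; return 1 ;;
    esac
    grep -q '^agentAuthorization:' "$cfg" || { echo "no agentAuthorization key in $cfg" >&2; return 1; }
    tmp="${cfg}.tmp.$$"
    # awk -v keeps the token literal (sed would treat it as a regex replacement);
    # the subshell limits the restrictive umask to the temp-file write.
    ( umask 077
      awk -v tok="$new" '/^agentAuthorization:/ { print "agentAuthorization: " tok; next } { print }' \
          "$cfg" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$cfg" && chmod 600 "$cfg"
}

# current_agent_token <config-file>: print the token currently stored.
current_agent_token() {
    awk '/^agentAuthorization:/ { print $2; exit }' "$1"
}

# verify_rotation <config-file> <old-token>: succeed only if the revoked token is
# gone from the file and the file is readable by its owner alone (mode 0600).
verify_rotation() {
    cfg="$1"; old="$2"
    if grep -qF -- "$old" "$cfg"; then
        echo "revoked token still present in $cfg" >&2; return 1
    fi
    mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    [ "$mode" = "600" ] || { echo "unexpected mode $mode on $cfg" >&2; return 1; }
}

# Demo on a constructed sample config (the token values are made up, not real).
demo() {
    dir=$(mktemp -d); cfg="$dir/agent.yml"
    printf 'agentAuthorization: OLDTOKEN-constructed\nsomeOtherKey: value\n' > "$cfg"
    rotate_agent_token "$cfg" "NEWTOKEN-constructed" &&
        verify_rotation "$cfg" "OLDTOKEN-constructed" &&
        echo "rotated: $(current_agent_token "$cfg")"
    rm -rf "$dir"
}
```

Run demo to see the rotation on the constructed sample; for a real rotation, call rotate_agent_token on your own config, then update any CI environment variables as in step 5.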