Using the agent-based scanning CI script
You can add commands and environment variables to the script in your continuous integration tool to customize your Veracode Software Composition Analysis agent-based scans.
For all CI scripts, you must set the SRCCLR_API_TOKEN
environment variable to successfully authenticate for scanning.
Custom Veracode SCA agent commands
The default functionality of the CI script used in the curl -sSL https://sca-downloads.veracode.com/ci.sh | sh
command is to run the srcclr scan
agent command in the current directory. Users can optionally specify their own custom command by appending -s -- {agent_commands}
to the curl command. These examples use customized agent-based scanning commands with the CI script:
The CLI equivalent of:
srcclr test --maven
curl -sSL https://sca-downloads.veracode.com/ci.sh | sh -s -- test --maven
The CLI equivalent of:
srcclr scan --url https://github.com/veracode/example-ruby --no-upload
curl -sSL https://sca-downloads.veracode.com/ci.sh | sh -s -- scan --url https://github.com/veracode/example-ruby --no-upload
Environment variables
You can use these environment variables in the scanning environment to enable various features when scanning in your development pipeline with this shell command: curl -sSL https://sca-downloads.veracode.com/ci.sh | sh
.
DEBUG
Description: When enabled, provides more verbose output during the scan. The default is 0
, which disables the variable.
Possible Values: 0
to disable, 1
to enable
Example:
curl -sSL https://sca-downloads.veracode.com/ci.sh | DEBUG=1 sh
OR
export DEBUG=1
curl -sSL https://sca-downloads.veracode.com/ci.sh | sh
NOCACHE
Description: When enabled, the Veracode SCA agent is not cached when the curl command is run. The default is 0
, which disables the variable.
Possible Values: 0
to disable, 1
to enable
Example:
curl -sSL https://sca-downloads.veracode.com/ci.sh | NOCACHE=1 sh
OR
export NOCACHE=1
curl -sSL https://sca-downloads.veracode.com/ci.sh | sh
CACHE_DIR
Description: Allows the user to specify which directory location to store the Veracode SCA agent. The default value for this is the /tmp
directory.
Example:
curl -sSL https://sca-downloads.veracode.com/ci.sh | CACHE_DIR="/home/applications" sh
OR
export CACHE_DIR="/home/applications"
curl -sSL https://sca-downloads.veracode.com/ci.sh | sh
NOSCAN
Description: When enabled, the Veracode SCA agent does not perform a scan on the repository. The default is 0
, which disables the variable.
Possible Values: 0
to disable, 1
to enable
Example:
curl -sSL https://sca-downloads.veracode.com/ci.sh | NOSCAN=1 sh
OR
export NOSCAN=1
curl -sSL https://sca-downloads.veracode.com/ci.sh | sh
SCAN_DIR
Description: Allows the user to specify which directory location to scan. The default value for is the directory from which the curl command runs.
Example:
curl -sSL https://sca-downloads.veracode.com/ci.sh | SCAN_DIR="./path/to/dir" sh
OR
export SCAN_DIR="./path/to/dir"
curl -sSL https://sca-downloads.veracode.com/ci.sh | sh
SRCCLR_CI_JSON
Description: When enabled, the Veracode SCA agent outputs the scan results in JSON format. The default is 0
, which disables the variable.
Possible Values: 0
to disable, 1
to enable
Example:
curl -sSL https://sca-downloads.veracode.com/ci.sh | SRCCLR_CI_JSON=1 sh
OR
export SRCCLR_CI_JSON=1
curl -sSL https://sca-downloads.veracode.com/ci.sh | sh
CUSTOM_JRE_DIR
Description: Allows the user to specify which JRE to use for the Veracode SCA agent. The default functionality for agent-based scanning is to provide supported JREs for both Debian-based and OS X operating systems. Specifying this value enables other operating systems to utilize agent-based scanning.
Example:
curl -sSL https://sca-downloads.veracode.com/ci.sh | CUSTOM_JRE_DIR=/opt/jdk/jre/lib/amd64 sh
OR
export CUSTOM_JRE_DIR=/opt/jdk/jre/lib/amd64
curl -sSL https://sca-downloads.veracode.com/ci.sh | sh