
.NET SCA agent-based scanning

You can find vulnerabilities in your .NET repositories using Veracode Software Composition Analysis agent-based scanning. You can run a scan on .NET repositories using the agent-based scanning command-line interface or the CI integrations.

For packaging instructions for Veracode Static Analysis and Veracode SCA upload scans, see Packaging .NET Applications.

You can use agent-based scanning to scan any code repository that you have access to and that fulfills the requirements listed under Before you begin. To run an example scan, you can clone one of the public Veracode SCA repositories:

git clone    

After you add a srcclr.yml file to the directory where you point the Veracode SCA agent, you can specify scan directives for scanning your .NET code. Some scan directives are specific to .NET projects.

Before you begin:

Scanning a repository that uses .NET and one of its build or package managers requires the ability to assemble the project dependencies within the environment in which you scan the project. This includes these requirements:

  • Meet the requirements for the Veracode SCA agent.
  • Have access to the .NET repository.
  • Have .NET, NuGet CLI, or MSBuild installed.
  • Have CSPROJ, FSPROJ, or VBPROJ files present in the repository.
  • Use the PackageReference format to declare NuGet dependencies in PROJ files.
  • If project.assets.json files do not exist in the project directory tree, you must be able to run the nuget restore {path}, dotnet restore {path}, or msbuild /restore:true {path} command, where {path} is an absolute or relative path to an SLN or a PROJ file, from the project root.

For .NET Framework repositories that rely on the packages.config format to declare NuGet dependencies, consider converting the project to use the supported PackageReference format for best compatibility. For more information, see Migrate from packages.config to PackageReference.
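A pre-scan check for the project-file requirements listed above, added here as an example; it is not part of the Veracode documentation or the SCA agent. The function names and the sample project files are constructed for illustration. For each PROJ file it reports whether PackageReference is used, whether a packages.config sits beside it, and whether a project.assets.json already exists under the project's directory.

```python
import sys
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

PROJ_SUFFIXES = {".csproj", ".fsproj", ".vbproj"}
# Constructed sample project files (not taken from any real repository).
SDK_STYLE = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup><PackageReference Include="Example.Lib" Version="1.0.0" /></ItemGroup>
</Project>"""
LEGACY = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup><None Include="packages.config" /></ItemGroup>
</Project>"""

def write_sample_repo(root):
    """Lay out two constructed projects: one restored SDK-style, one legacy."""
    files = {"web/web.csproj": SDK_STYLE, "web/obj/project.assets.json": "{}",
             "legacy/legacy.vbproj": LEGACY, "legacy/packages.config": "<packages />"}
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")

def uses_package_reference(proj):
    """True if the project file declares at least one <PackageReference>."""
    root = ET.parse(proj).getroot()
    # Legacy project files carry an XML namespace; SDK-style ones do not.
    return any(el.tag.rsplit("}", 1)[-1] == "PackageReference" for el in root.iter())

def preflight(repo):
    """Per project file: dependency format in use and whether restore output exists."""
    findings = []
    projects = sorted(p for p in repo.rglob("*")
                      if p.is_file() and p.suffix.lower() in PROJ_SUFFIXES)
    for proj in projects:
        findings.append({
            "project": proj.relative_to(repo).as_posix(),
            "package_reference": uses_package_reference(proj),
            "packages_config": (proj.parent / "packages.config").is_file(),
            "restored": any(proj.parent.rglob("project.assets.json")),
        })
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(tmp)
        if len(sys.argv) == 1:
            write_sample_repo(repo)  # no path given: run on the constructed sample
        print(*preflight(repo), sep="\n")
```

A project with packages_config true and package_reference false is a candidate for the migration described above; restored false means one of the restore commands must be runnable in the scan environment.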

To complete this task:

  1. Run the scan command with the Veracode SCA CLI agent pointed to the directory of the .NET repository. For example:

    srcclr scan path/to/{project_folder}

    To scan code repositories hosted in Git, use the --url argument with the CLI agent.

    To view more verbose output during the scan process, you can add the --loud argument:

    srcclr scan path/to/{project_folder} --loud


The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.

Next steps:

After completing the scan, you can view the results.