Python SCA agent-based scanning
You can find vulnerabilities in your Python applications using Veracode Software Composition Analysis agent-based scanning. You can run a scan on Python repositories using the agent-based scanning command-line interface or the CI integrations.
For packaging instructions for Veracode Static Analysis and Veracode SCA upload scans, see Packaging Python applications.
You can use agent-based scanning to scan any code repository to which you have access and fulfills the above requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:
git clone https://github.com/veracode/example-python
After you add a srcclr.yml
file to the directory where you point the Veracode SCA agent, you can specify scan directives for scanning your Python code. Some scan directives are specific to Python projects.
Before you begin:
Scanning a repository that uses PyPi for package management requires the ability to assemble your libraries within the environment in which you scan the project. This includes these requirements:
- Meet the requirements for the Veracode SCA agent.
- Have access to the Python repository.
- Your code repository uses Python 2.x or 3.x.
- Have Python 2.x or 3.x installed in your path.
- Have pip version 10.0.0 or later installed in your path.
- Have one of these files in the repository to be scanned:
setup.py
,requirements.txt
,requirements-dev.txt
, ordev-requirements.txt
. - Be able to perform one of these installation tasks:
- Run the
pip install -r {requirement}
command, where{requirement}
is therequirements.txt
,requirements-dev.txt
, ordev-requirements.txt
file, from the root of the project where you perform scans. - Run the
python setup.py install
command.
- Run the
- For Pipenv, be able to run
pipenv sync
if thepipfile.lock
file is available, or be able to runpipenv install
if the file is not available. - Exclude optional dependencies from your requirements files or lock files to avoid false negative results.
To complete this task:
Run the scan command with the Veracode SCA CLI agent pointed to the directory of the Python repository. For example:
srcclr scan path/to/{project_folder}
To scan code repositories hosted in Git, use the --url
argument with the CLI agent.
To view more verbose output during the scan process, you can add the --loud
argument:
srcclr scan path/to/{project_folder} --loud
Results:
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
Next steps:
After completing the scan, you can view the results.