
Ruby SCA agent-based scanning

You can use agent-based scanning to scan any code repository that you have access to and that fulfills the requirements listed under Before you begin. To run an example scan, you can clone one of the public Veracode SCA repositories:

git clone   

After you add a srcclr.yml file to the directory where you point the Veracode SCA agent, you can specify scan directives for scanning your Ruby code. Some scan directives are specific to Ruby projects.

You can find vulnerabilities in your Ruby applications using Veracode Software Composition Analysis agent-based scanning. You can run a scan on Ruby Gem repositories using the agent-based scanning command-line interface or the CI integrations.

For packaging instructions for Veracode Static Analysis and Veracode SCA upload scans, see Packaging Ruby on Rails applications.

Before you begin:

Scanning a repository that uses Ruby and one of its build or package managers requires the ability to build the code within the environment in which you scan the project. This includes these requirements:

  • Meet the requirements for the Veracode SCA agent.
  • Have access to the Ruby repository.
  • Have Ruby installed on your local path.
  • Include a Gemfile in the repository that you plan to scan.
  • If Gemfile.lock does not exist in the project root where you perform scans, you must be able to run the bundle install command from this project root.
  • Have Bundler 1.1.0 or later installed on the local path.

The Veracode SCA agent runs a specific command to identify the dependencies and their versions in your project. You can run this command before scanning to test that the agent can build the project:

bundle install --path vendor/bundle

Scanning vulnerable methods requires Ruby 2.x or later.
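
The prerequisites above can be checked in one pass before the agent runs. The following shell functions are an added example, not part of the Veracode documentation or agent; the function names (`version_ge`, `parse_bundler_version`, `check_project`, `check_tools`, `preflight`) are this example's own, and it assumes `bundle --version` prints a line such as `Bundler version 2.4.10`.

```shell
#!/bin/sh
# Added example, not Veracode code: pre-flight checks for the Ruby prerequisites
# on this page. All function names here are this example's own.

# version_ge A B: succeed when dotted version A >= B, compared numerically per field.
version_ge() {
    va=$1; vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        fa=${va%%.*}; fa=${fa%%[!0-9]*}    # numeric part of the first field
        fb=${vb%%.*}; fb=${fb%%[!0-9]*}
        if [ "${fa:-0}" -gt "${fb:-0}" ]; then return 0; fi
        if [ "${fa:-0}" -lt "${fb:-0}" ]; then return 1; fi
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    done
    return 0
}

# parse_bundler_version "Bundler version 2.4.10" prints 2.4.10
parse_bundler_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p'
}

# check_project DIR: 0 = Gemfile and Gemfile.lock present,
# 2 = Gemfile only (bundle install must work in DIR), 1 = no Gemfile.
check_project() {
    if [ ! -f "$1/Gemfile" ]; then echo "FAIL: no Gemfile in $1"; return 1; fi
    if [ ! -f "$1/Gemfile.lock" ]; then
        echo "NOTE: no Gemfile.lock in $1; 'bundle install' must succeed there"
        return 2
    fi
    echo "OK: Gemfile and Gemfile.lock found in $1"
}

# check_tools: ruby and Bundler 1.1.0 or later must be on PATH.
check_tools() {
    command -v ruby >/dev/null 2>&1 || { echo "FAIL: ruby not on PATH"; return 1; }
    command -v bundle >/dev/null 2>&1 || { echo "FAIL: bundle not on PATH"; return 1; }
    bv=$(parse_bundler_version "$(bundle --version 2>/dev/null)")
    version_ge "$bv" 1.1.0 || { echo "FAIL: Bundler $bv is older than 1.1.0"; return 1; }
    echo "OK: ruby found, Bundler $bv"
}

# preflight DIR: run both checks; a missing Gemfile.lock alone is not fatal.
preflight() {
    check_tools || return 1
    check_project "$1" || [ $? -eq 2 ]
}
```

Source the file and call `preflight` with the project folder before running the scan; it returns non-zero when a prerequisite from the list is missing.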

To complete this task:

  1. Run the scan command with the Veracode SCA CLI agent pointed to the directory of the Ruby repository. For example:

    srcclr scan path/to/{project_folder}

    To scan code repositories hosted in Git, use the --url argument with the CLI agent.

    To view more verbose output during the scan process, you can add the --loud argument:

    srcclr scan path/to/{project_folder} --loud


The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.

Next steps:

After completing the scan, you can view the results.