Configure Agent for Automatic Pull Requests

Veracode Software Composition Analysis

You configure parameters of automatic pull requests in your Veracode Software Composition Analysis agent.

To enable automatic pull requests:

To configure automatic pull requests to be part of your scan process:

Set the relevant scan directives in your shell or automation script to configure the parameters that determine when to generate the pull requests. You can set the directives in two ways:
  • As environment variables in your CI/CD settings, with SRCCLR_ appended to the directive names. For example:
    export SRCCLR_PR_ON=methods
    export SRCCLR_SCM_URL=
    EXTRA_ARGS='--update-advisor --pull-request'
  • As directives in the srcclr.yml file of your agent-based scanning project. For example:
    pr_on: methods
    no_breaking_updates: true
    ignore_closed_prs: false
    Note: If configured in both files, the environment variables override the srcclr.yml directives.
After you complete the configuration, your Veracode SCA agent can generate pull requests when the scan results meet the specified parameters. You can review and approve the pull request in your GitHub or GitLab project.

automatic PR github example
For a more effective integration with your CI pipeline, Veracode recommends you customize the automatic pull request behavior in your pipeline job, such as the following example in GitLab:
  stage: security
    - |
      if [[ $CI_BUILD_REF_NAME = master ]]; then
        # Set up ssh-agent
        which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )
        eval $(ssh-agent -s)
        echo "$SSH_PRIVATE_KEY" | base64 --decode | ssh-add - > /dev/null
        mkdir -p ~/.ssh
        chmod 700 ~/.ssh
        [[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
        git config --global "[email protected]"
        git config --global "user"
        # We want the PR to target the master branch
        git checkout -b master
        # GitLab doesn't set a remote either
        git remote set-url origin "[email protected]:$CI_PROJECT_PATH.git"

        EXTRA_ARGS='--update-advisor --pull-request'
        export SRCCLR_SCM_URL=''
    - VERBOSE=true curl -sSL | sh -s -- scan $EXTRA_ARGS