You configure the parameters for automatic pull requests in your Veracode Software Composition Analysis (SCA) agent.
To enable automatic pull requests, you must:
- Enable pull requests for GitHub or GitLab.
- Enable the update advisor.
- Run the scan in a supported project.
To configure automatic pull requests as part of your scan process:
Set the relevant scan directives in your shell or automation script to configure the parameters that determine when to generate the pull requests. You can set the directives in two ways:
- As environment variables in your CI/CD settings, with SRCCLR_ prefixed to the upper-cased directive name (for example, pr_on becomes SRCCLR_PR_ON). EXTRA_ARGS is not a directive; it holds the command-line flags passed to the scan. For example:

    export SRCCLR_PR_ON=methods
    export SRCCLR_NO_BREAKING_UPDATES=true
    export SRCCLR_IGNORE_CLOSED_PRS=false
    export SRCCLR_SCM_URL=https://gitlab.acme.io
    EXTRA_ARGS='--update-advisor --pull-request'
- As directives in the srcclr.yml file of your agent-based scanning project. For example:

    pr_on: methods
    no_breaking_updates: true
    ignore_closed_prs: false
Note: If a directive is set in both places, the environment variable overrides the value in srcclr.yml.
After you complete the configuration, your Veracode SCA agent can generate pull requests when the scan results meet the specified parameters. You can review and approve the pull request in your GitHub or GitLab project.

For a more effective integration with your CI pipeline, Veracode recommends that you customize the automatic pull request behavior in your pipeline job, as in the following GitLab example. The two redacted values from the original page are shown as placeholders: the committer email is a placeholder, and the SSH remote host is assumed to be the same git.mycompany.com host as SRCCLR_SCM_URL; replace both with your own values.

    sourceclear:
      stage: security
      variables:
        SRCCLR_API_TOKEN: ${SRCCLR_API_TOKEN}
      script:
        - |
          # CI_BUILD_REF_NAME is the legacy name; current GitLab exposes CI_COMMIT_REF_NAME.
          if [[ $CI_BUILD_REF_NAME = master ]]; then
            # Set up ssh-agent with the deploy key stored (base64-encoded) in SSH_PRIVATE_KEY
            which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )
            eval $(ssh-agent -s)
            echo "$SSH_PRIVATE_KEY" | base64 --decode | ssh-add - > /dev/null
            mkdir -p ~/.ssh
            chmod 700 ~/.ssh
            # Disables host-key verification inside the container, so any server that
            # answers for the host is accepted; a pinned known_hosts entry is the safer choice.
            [[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
            git config --global user.email "[email protected]"
            git config --global user.name "user"
            # We want the PR to target the master branch
            git checkout -b master
            # GitLab doesn't set a pushable remote either; placeholder host, use your own
            git remote set-url origin "git@git.mycompany.com:$CI_PROJECT_PATH.git"
            EXTRA_ARGS='--update-advisor --pull-request'
            export SRCCLR_SCM_TOKEN="$GITLAB_TOKEN"
            export SRCCLR_SCM_TYPE=GITLAB
            export SRCCLR_SCM_URL='https://git.mycompany.com'
          fi
        - VERBOSE=true curl -sSL https://download.sourceclear.com/ci.sh | sh -s -- scan $EXTRA_ARGS
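The job above turns off SSH host-key checking with StrictHostKeyChecking no, which lets any server that can intercept the connection receive the deploy key's authentication and the pushed branch. The following is an added example, not code from Veracode or from this page, of the replacement a practitioner would use: pin the GitLab host key in known_hosts and enforce checking. GITLAB_KNOWN_HOSTS is an assumed CI variable holding one known_hosts line that you captured once, out of band (for example with `ssh-keyscan -t ed25519 git.mycompany.com`) and compared against the fingerprint your GitLab administrators publish; the host name git.mycompany.com is taken from the example above.

```shell
#!/usr/bin/env bash
# Added example (not Veracode's code): pin the SCM host key instead of
# disabling StrictHostKeyChecking. Writes <ssh_dir>/known_hosts and an
# ssh config that refuses unknown or changed host keys for that host.
#
#   $1 = ssh directory (normally "$HOME/.ssh")
#   $2 = host the job will push to (e.g. git.mycompany.com)
#   $3 = known_hosts line for that host: "<host> <keytype> <base64-key>"
pin_ssh_host_key() {
  local dir="$1" host="$2" line="$3"

  # Validate the line before trusting it: it must name the host we are about
  # to use and carry a key type OpenSSH understands.
  set -- $line
  [ "$#" -ge 3 ] || { echo "malformed known_hosts line" >&2; return 1; }
  [ "$1" = "$host" ] || { echo "known_hosts line is for '$1', not '$host'" >&2; return 1; }
  case "$2" in
    ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-rsa) ;;
    *) echo "unexpected key type '$2'" >&2; return 1 ;;
  esac

  mkdir -p "$dir" && chmod 700 "$dir"
  printf '%s\n' "$line" > "$dir/known_hosts"
  chmod 600 "$dir/known_hosts"

  # "yes" makes ssh abort if the host is missing from, or differs from,
  # known_hosts; the per-host UserKnownHostsFile keeps the pinned entry
  # independent of whatever the runner image ships.
  printf 'Host %s\n\tStrictHostKeyChecking yes\n\tUserKnownHostsFile %s/known_hosts\n' \
    "$host" "$dir" > "$dir/config"
  chmod 600 "$dir/config"
}

# Returns 0 if the ssh config under <ssh_dir> enforces host-key checking
# and no longer contains the permissive setting.
host_key_checking_enforced() {
  local dir="$1"
  grep -q 'StrictHostKeyChecking yes' "$dir/config" 2>/dev/null &&
    ! grep -q 'StrictHostKeyChecking no' "$dir/config"
}
```

In the job, replace the `[[ -f /.dockerenv ]] && echo ... StrictHostKeyChecking no` line with `pin_ssh_host_key "$HOME/.ssh" git.mycompany.com "$GITLAB_KNOWN_HOSTS" || exit 1`, placed before `git remote set-url`. Mark GITLAB_KNOWN_HOSTS as a protected variable so only the branches allowed to open pull requests can push with the pinned key.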