Configure agent for automatic pull requests

You configure parameters of automatic pull requests in your Veracode Software Composition Analysis agent.

Before you begin:

• Enable pull requests for GitHub or GitLab.
• Enable the update advisor.
• Work in a supported project.

To complete this task:

1. Set the relevant scan directives in your shell or automation script to configure the parameters that determine when to generate the pull requests. You can set the directives in two ways:

   • As environment variables in your CI/CD settings, with SRCCLR_appended to the directive names. For example:

     export SRCCLR_PR_ON=methods
     export SRCCLR_NO_BREAKING_UPDATES=true
     export SRCCLR_IGNORE_CLOSED_PRS=false
     export SRCCLR_SCM_URL=https://gitlab.acme.io
     EXTRA_ARGS='--update-advisor --pull-request'

   • As directives in the srcclr.yml file of your agent-based scanning project. For example:

     pr_on: methods
     no_breaking_updates: true
     ignore_closed_prs: false
   note

   If configured in both files, the environment variables override the srcclr.yml directives.

After you complete the configuration, your Veracode SCA agent can generate pull requests when the scan results meet the specified parameters. You can review and approve the pull request in your GitHub or GitLab project.

Next steps:

For a more effective integration with your CI pipeline, Veracode recommends you customize the automatic pull request behavior in your pipeline job, such as the following example in GitLab:

sourceclear:
  stage: security
  variables:
    SRCCLR_API_TOKEN: ${SRCCLR_API_TOKEN}
  script:
    - |
      if [[ $CI_BUILD_REF_NAME = master ]]; then
 
        # Set up ssh-agent
        which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )
        eval $(ssh-agent -s)
        echo "$SSH_PRIVATE_KEY" | base64 --decode | ssh-add - > /dev/null
        mkdir -p ~/.ssh
        chmod 700 ~/.ssh
        [[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
        git config --global user.email "[email protected]"
        git config --global user.name "user"
 
        # We want the PR to target the master branch
        git checkout -b master
 
        # GitLab doesn't set a remote either
        git remote set-url origin "[email protected]:$CI_PROJECT_PATH.git"

        EXTRA_ARGS='--update-advisor --pull-request'
 
        export SRCCLR_SCM_TOKEN="$GITLAB_TOKEN"
        export SRCCLR_SCM_TYPE=GITLAB
        export SRCCLR_SCM_URL='https://git.mycompany.com'
      fi
    - VERBOSE=true curl -sSL https://download.sourceclear.com/ci.sh | sh -s -- scan $EXTRA_ARGS