Skip to main content

Configure agent for automatic pull requests

You configure parameters of automatic pull requests in your Veracode Software Composition Analysis agent.

Before you begin:

To complete this task:

  1. Set the relevant scan directives in your shell or automation script to configure the parameters that determine when to generate the pull requests. You can set the directives in two ways:

    • As environment variables in your CI/CD settings, with SRCCLR_appended to the directive names. For example:

      export SRCCLR_PR_ON=methods
      export SRCCLR_IGNORE_CLOSED_PRS=false
      export SRCCLR_SCM_URL=
      EXTRA_ARGS='--update-advisor --pull-request'
    • As directives in the srcclr.yml file of your agent-based scanning project. For example:

      pr_on: methods
      no_breaking_updates: true
      ignore_closed_prs: false

    If configured in both files, the environment variables override the srcclr.yml directives.

After you complete the configuration, your Veracode SCA agent can generate pull requests when the scan results meet the specified parameters. You can review and approve the pull request in your GitHub or GitLab project.

Next steps:

For a more effective integration with your CI pipeline, Veracode recommends you customize the automatic pull request behavior in your pipeline job, such as the following example in GitLab:

stage: security
- |
if [[ $CI_BUILD_REF_NAME = master ]]; then

# Set up ssh-agent
which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )
eval $(ssh-agent -s)
echo "$SSH_PRIVATE_KEY" | base64 --decode | ssh-add - > /dev/null
mkdir -p ~/.ssh
chmod 700 ~/.ssh
[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
git config --global "[email protected]"
git config --global "user"

# We want the PR to target the master branch
git checkout -b master

# GitLab doesn't set a remote either
git remote set-url origin "[email protected]:$CI_PROJECT_PATH.git"

EXTRA_ARGS='--update-advisor --pull-request'

export SRCCLR_SCM_URL=''
- VERBOSE=true curl -sSL | sh -s -- scan $EXTRA_ARGS