Install the Veracode SCA CLI Agent

Veracode Software Composition Analysis

By default, the agent you create is not visible to team members. To allow visibility, you must go to the agent page and select a team from the Teams menu. This selection allows members of the selected team to view the agent information.

To set up the Veracode Software Composition Analysis agent for your desktop:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Click the Agent-Based Scan tab.
  3. Select a workspace.
  4. Click Agents > Actions > Create.
  5. On the Set Up Scanner page, select the operating system for your agent.
  6. Open a terminal window from your desktop and copy one of the commands from the Choose install option section depending on your preferred method of installation:
    • cURL:
      curl -sSL | sh
    • apt-get:
      curl -sSL '' | sudo gpg --dearmor -o /usr/share/keyrings/veracode-sca-archive.gpg
      echo 'deb [signed-by=/usr/share/keyrings/veracode-sca-archive.gpg] stable/' | sudo tee /etc/apt/sources.list.d/veracode-sca.list
      sudo apt-get update
      sudo apt-get install srcclr                    
    • Add the agent-based scanning repository to your list of YUM repositories by creating a file /etc/yum.repos.d/SRCCLR.repo with the following contents:
      [SourceClear]
      name=SourceClear
      baseurl=
      enabled=1
      gpgcheck=1
      gpgkey=
      Update and install:
      sudo yum update
      sudo yum install srcclr
      Note: When you run this command for the first time, you are prompted to accept the GPG key.
    • APK (Alpine):
      sudo sh -c 'echo >> /etc/apk/repositories'
      sudo wget -P /etc/apk/keys[email protected]
      sudo apk add srcclr
    • Homebrew:
      brew tap srcclr/srcclr
      brew install srcclr
    • Chocolatey:
      choco install srcclr
  7. From the Command Line Interface page in the Veracode Platform, copy the activation token under the srcclr activate command.
  8. Run this command on the agent server:
    srcclr activate
  9. Paste the token you copied into your terminal and press Enter.
    After entering your activation token, your agent.yml configuration file is installed to the ~/.srcclr folder. If that file already exists, you are prompted to enter a profile name. This profile name allows you to choose which token you use when scanning. Veracode recommends that you use the name of the workspace with which the token is associated.
  10. Verify your installation by running one of the following commands to check if you can scan that package manager:
    ## Ant
    srcclr test --ant
    ## Bower
    srcclr test --bower
    ## Cocoapods
    srcclr test --cocoapods
    ## Composer
    srcclr test --composer
    ## Glide
    srcclr test --glide
    ## Go Get
    srcclr test --go
    ## Godep
    srcclr test --godep
    ## Govendor
    srcclr test --govendor
    ## Gradle
    srcclr test --gradle
    ## Ivy
    srcclr test --ivy
    ## Maven
    srcclr test --maven
    ## NPM
    srcclr test --npm
    ## Python
    srcclr test --pip
    ## Ruby Gems
    srcclr test --gem
    ## SBT
    srcclr test --sbt
    ## Trash
    srcclr test --trash
    ## Yarn
    srcclr test --yarn
    ## Nuget
    srcclr test --nuget

If the CLI installed successfully, all of the tests show a result of PASSED.
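
Step 9 writes agent.yml to the ~/.srcclr folder. The following check is an added example, not Veracode's code: it confirms that the file and its folder grant nothing to group or other, on the assumption that agent.yml holds the activation token. The function names perms_private and check_agent_config are hypothetical.

```shell
#!/bin/sh
# Added example: audit the configuration written by `srcclr activate`.
# Assumption: agent.yml holds the activation token, so it should be
# private to the account that runs scans.

# perms_private PATH -> 0 when PATH grants nothing to group or other.
perms_private() {
    # `ls -ld` prints e.g. "-rw-------"; characters 5-10 are the group/other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# check_agent_config [DIR] -> 0 when DIR/agent.yml is private, 1 otherwise.
# DIR defaults to ~/.srcclr, the folder named in step 9.
check_agent_config() {
    dir=${1:-"$HOME/.srcclr"}
    file="$dir/agent.yml"
    rc=0
    if [ ! -d "$dir" ] || [ ! -f "$file" ]; then
        echo "MISSING: $file (has 'srcclr activate' been run?)"
        return 1
    fi
    if [ -L "$dir" ] || [ -L "$file" ]; then
        echo "WARN: $file is reached through a symlink; audit its target instead"
        return 1
    fi
    if ! perms_private "$file"; then
        echo "WARN: $file is accessible to group or other; fix with: chmod 600 '$file'"
        rc=1
    fi
    if ! perms_private "$dir"; then
        echo "WARN: $dir is accessible to group or other; fix with: chmod 700 '$dir'"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $file is private to $(id -un)"
    fi
    return "$rc"
}
```

Source the file and call check_agent_config after activation; pass a directory argument to audit a location other than ~/.srcclr.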