Install the Veracode SCA CLI agent

By default, the agent you create is not visible to team members. To allow visibility, invite teams to your workspace.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.

  2. Click the Agent-Based Scan tab.

  3. Select a workspace.

  4. Click Agents > Actions > Create.

  5. On the Set Up Scanner page, select the operating system for your agent.

  6. Open a terminal window from your desktop and copy one of the commands from the Choose install option section, depending on your preferred method of installation:

    • cURL:

      curl -sSL | sh
    • apt-get:

      curl -sSL '' | sudo gpg --dearmor -o /usr/share/keyrings/veracode-sca-archive.gpg
      echo 'deb [signed-by=/usr/share/keyrings/veracode-sca-archive.gpg] stable/' | sudo tee /etc/apt/sources.list.d/veracode-sca.list
      sudo apt-get update
      sudo apt-get install srcclr
    • yum: Add the agent-based scanning repository to your list of YUM repositories by creating a file /etc/yum.repos.d/SRCCLR.repo with this content:

      [SourceClear]
      name=SourceClear
      baseurl=
      enabled=1
      gpgcheck=1
      gpgkey=

      Update and install:

      sudo yum update
      sudo yum install srcclr

      When you run this command for the first time, you are prompted to accept the GPG key.

    • APK (Alpine):

      sudo sh -c 'echo >> /etc/apk/repositories'
      sudo wget -P /etc/apk/keys[email protected]
      sudo apk add srcclr
    • Homebrew:

      brew tap veracode/srcclr
      brew install srcclr
    • Homebrew (if you have previously installed version 3.8.30 or earlier of the Veracode SCA agent):

      brew uninstall srcclr
      brew untap srcclr/srcclr
      brew tap veracode/srcclr
      brew install srcclr
    • Chocolatey:

      choco install srcclr
  7. From the Command Line Interface page in the Veracode Platform, copy the activation token under the srcclr activate command.

  8. Run the activate command for your region from the agent server:

    • Commercial Region: srcclr activate
    • European Region: srcclr activate --region ER
    • United States Federal Region: srcclr activate --region FED
  9. Paste the token you copied into your terminal and press Enter.

    After you enter your activation token, the agent.yml configuration file is installed in the ~/.srcclr folder. If that file already exists, you are prompted to enter a profile name. This profile name allows you to choose which token you use when scanning. Veracode recommends that you use the name of the workspace associated with the token.

  10. To verify your agent installation, run one of the following commands to confirm that the agent can scan your package manager:

    • Ant: srcclr test --ant
    • Bower: srcclr test --bower
    • Cocoapods: srcclr test --cocoapods
    • Composer: srcclr test --composer
    • Glide: srcclr test --glide
    • Go Get: srcclr test --go
    • Godep: srcclr test --godep
    • Govendor: srcclr test --govendor
    • Gradle: srcclr test --gradle
    • Ivy: srcclr test --ivy
    • Maven: srcclr test --maven
    • NPM: srcclr test --npm
    • Python: srcclr test --pip
    • Ruby Gems: srcclr test --gem
    • SBT: srcclr test --sbt
    • Trash: srcclr test --trash
    • Yarn: srcclr test --yarn
    • Nuget: srcclr test --nuget


If the CLI installed successfully, all the tests show a result of PASSED.
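
The following shell functions are an added example, not part of Veracode's documentation. They audit what the apt-get, yum and activation steps above leave on disk: that the apt source pins a keyring with signed-by, that the yum repo keeps gpgcheck=1 with a gpgkey, and that agent.yml is not readable by other users. The function names are hypothetical, and treating agent.yml as the file that stores the activation token is an assumption.

```sh
#!/bin/sh
# Added example: audit what the install steps leave on disk. Paths default to
# the ones on the page; pass other paths to check copies.

# apt: each "deb" line must pin a keyring via signed-by=, and that file must exist.
check_apt_source() {
    list=${1:-/etc/apt/sources.list.d/veracode-sca.list}
    [ -r "$list" ] || { echo "missing: $list"; return 2; }
    rc=0
    while IFS= read -r line; do
        case $line in deb*) ;; *) continue ;; esac
        keyring=$(printf '%s\n' "$line" | sed -n 's/.*signed-by=\([^] ]*\).*/\1/p')
        if [ -z "$keyring" ]; then
            echo "no signed-by: $line"; rc=1
        elif [ ! -s "$keyring" ]; then
            echo "keyring missing or empty: $keyring"; rc=1
        fi
    done < "$list"
    return "$rc"
}

# yum: the repo file must keep gpgcheck=1 and name a gpgkey.
check_yum_repo() {
    repo=${1:-/etc/yum.repos.d/SRCCLR.repo}
    [ -r "$repo" ] || { echo "missing: $repo"; return 2; }
    rc=0
    grep -Eq '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$repo" ||
        { echo "gpgcheck is not 1: $repo"; rc=1; }
    grep -Eq '^[[:space:]]*gpgkey[[:space:]]*=[[:space:]]*[^[:space:]]' "$repo" ||
        { echo "gpgkey is empty: $repo"; rc=1; }
    return "$rc"
}

# agent.yml is written at activation; assumed here to hold the token, so it
# should carry no group/other permission bits.
check_agent_config() {
    cfg=${1:-$HOME/.srcclr/agent.yml}
    [ -f "$cfg" ] || { echo "missing: $cfg"; return 2; }
    bits=$(ls -ld "$cfg" | cut -c5-10)
    [ "$bits" = "------" ] || { echo "too permissive ($bits): $cfg"; return 1; }
}
```

Source the file and call each function without arguments to check the default paths; each returns 0 when the check passes, 1 when it fails, and 2 when the file is absent.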