Install the Veracode SCA CLI agent
By default, the agent you create is not visible to team members. To allow visibility, invite teams to your workspace.
To complete this task:
In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
Click the Agent-Based Scan tab.
Select a workspace.
Click Agents > Actions > Create.
On the Set Up Scanner page, select the operating system for your agent.
Open a terminal window from your desktop and copy one of the commands from the Choose install option section, depending on your preferred method of installation:
cURL:
curl -sSL https://download.sourceclear.com/install | sh
apt-get:
curl -sSL 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xdf7dd7a50b746dd4' | sudo gpg --dearmor -o /usr/share/keyrings/veracode-sca-archive.gpg
echo 'deb [signed-by=/usr/share/keyrings/veracode-sca-archive.gpg] https://download.sourceclear.com/ubuntu stable/' | sudo tee /etc/apt/sources.list.d/veracode-sca.list
sudo apt-get update
sudo apt-get install srcclr
yum:
Add the agent-based scanning repository to your list of YUM repositories by creating a file /etc/yum.repos.d/SRCCLR.repo with this content:
[SourceClear]
name=SourceClear
baseurl=https://download.sourceclear.com/redhat/x86_64/
enabled=1
gpgcheck=1
gpgkey=https://download.sourceclear.com/redhat/SRCCLR-GPG-KEY
Update and install:
sudo yum update
sudo yum install srcclr
Note: When you run this command for the first time, you are prompted to accept the GPG key.
APK (Alpine):
sudo sh -c 'echo https://download.sourceclear.com/alpine/main >> /etc/apk/repositories'
sudo wget -P /etc/apk/keys https://download.sourceclear.com/alpine/public-keys/[email protected]
sudo apk add srcclr
Homebrew:
brew tap veracode/srcclr
brew install srcclr
Homebrew (if you have previously installed version 3.8.30 or earlier of the Veracode SCA agent):
brew uninstall srcclr
brew untap srcclr/srcclr
brew tap veracode/srcclr
brew install srcclr
Chocolatey:
choco install srcclr
From the Command Line Interface page in the Veracode Platform, copy the activation token under the srcclr activate command.
Run the activate command for your region from the agent server:
- Commercial Region: srcclr activate
- European Region: srcclr activate --region ER
- United States Federal Region: srcclr activate --region FED
Paste the token you copied into your terminal and press Enter.
After you enter your activation token, your agent.yml configuration file is installed in the ~/.srcclr folder. If that file already exists, you are prompted to enter a profile name. This profile name allows you to choose which token you use when scanning. Veracode recommends that you use the name of the workspace associated with the token.
To verify your agent installation, run one of the following commands, depending on the package manager you scan:
- Ant: srcclr test --ant
- Bower: srcclr test --bower
- Cocoapods: srcclr test --cocoapods
- Composer: srcclr test --composer
- Glide: srcclr test --glide
- Go Get: srcclr test --go
- Godep: srcclr test --godep
- Govendor: srcclr test --govendor
- Gradle: srcclr test --gradle
- Ivy: srcclr test --ivy
- Maven: srcclr test --maven
- NPM: srcclr test --npm
- Python: srcclr test --pip
- Ruby Gems: srcclr test --gem
- SBT: srcclr test --sbt
- Trash: srcclr test --trash
- Yarn: srcclr test --yarn
- Nuget: srcclr test --nuget
Results:
If the CLI installs successfully, you can view all the tests with a result of PASSED.
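The apt-get and yum options above rely on the signed-by keyring and gpgcheck=1 to verify the agent packages. The following added example (not part of the Veracode documentation) is a POSIX shell check that a source list or repo file still enforces HTTPS and signature verification. The function names and the weakened sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Veracode code): check that the repository definitions
# from the apt-get and yum options still enforce HTTPS and package signatures.

# APT: every deb line must pin a keyring with signed-by= and use an https URL.
check_apt_source() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        $1 == "deb" || $1 == "deb-src" {
            seen = 1
            if (index($0, "signed-by=/") == 0) bad = 1   # no pinned keyring
            if (index($0, " https://") == 0)   bad = 1   # not fetched over TLS
            if (index($0, "trusted=yes") > 0)  bad = 1   # signature check bypassed
        }
        END { if (!seen || bad) exit 1 }
    ' "$1"
}

# YUM: every [section] needs gpgcheck=1 plus an https baseurl and gpgkey.
check_yum_repo() {
    awk -F= '
        function close_section() {
            if (seen && (chk != "1" || url !~ /^https:/ || key !~ /^https:/)) bad = 1
        }
        { gsub(/[ \t\r]/, "") }                  # normalise "key = value"
        /^[#;]/ || $0 == "" { next }
        /^\[/ { close_section(); seen = 1; chk = url = key = ""; next }
        $1 == "gpgcheck" { chk = $2 }
        $1 == "baseurl"  { url = $2 }
        $1 == "gpgkey"   { key = $2 }
        END { close_section(); if (!seen || bad) exit 1 }
    ' "$1"
}

# Constructed sample files: the definitions from this page plus weakened variants.
write_samples() {
    printf '%s\n' "deb [signed-by=/usr/share/keyrings/veracode-sca-archive.gpg] https://download.sourceclear.com/ubuntu stable/" > "$1/good.list"
    printf '%s\n' "deb [trusted=yes] http://download.sourceclear.com/ubuntu stable/" > "$1/weak.list"
    printf '%s\n' "[SourceClear]" "name=SourceClear" "baseurl=https://download.sourceclear.com/redhat/x86_64/" "enabled=1" "gpgcheck=1" "gpgkey=https://download.sourceclear.com/redhat/SRCCLR-GPG-KEY" > "$1/good.repo"
    sed 's/^gpgcheck=1$/gpgcheck=0/' "$1/good.repo" > "$1/weak.repo"
}

samples=$(mktemp -d) && write_samples "$samples"
for f in "$samples"/*.list; do check_apt_source "$f" && echo "OK   $f" || echo "WEAK $f"; done
for f in "$samples"/*.repo; do check_yum_repo "$f" && echo "OK   $f" || echo "WEAK $f"; done
```

On a real host, point the functions at /etc/apt/sources.list.d/veracode-sca.list or /etc/yum.repos.d/SRCCLR.repo instead of the sample files.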