Set up the agent-based scanning Gradle plugin
The Veracode Software Composition Analysis agent-based scanning Gradle plugin allows you to automate the scanning of your Gradle repositories. You can upload the results of plugin scans to the Veracode Platform.
Before you begin:

- Ensure you have the latest version of the plugin. To install the latest version, search for SourceClear in the Gradle plugin portal and follow the onscreen instructions.
- To support Spring Boot, you must have a version that is earlier than Spring Boot 3.3.
To complete this task:

- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Select Agent-Based Scan.
- Select a workspace.
- Select Agents > Actions > Create > Gradle.
- Select Create Agent & Generate Token.
- Choose to either set your API token as an environment variable in the environment where you will build your Gradle repository, or add the token directly to the configuration within your build.gradle file:
  - To set your environment variable, run:

        export SRCCLR_API_TOKEN={apiToken}

  - Add the following code to your build.gradle file. For multi-project Gradle builds, Veracode recommends you apply these changes only to the root build.gradle file to avoid potentially overriding scan results from the different projects. Do not apply the plugin in the allprojects or subprojects section of the build file.

        //For Gradle 2.2.0 or higher
        ...
        plugins {
            id "com.srcclr.gradle" version "{Insert latest version}"
        }
        apply plugin: "srcclr"
        srcclr {
            apiToken = "{apiToken}" //Only required if environment variable is not set
        }

        //For Gradle before 2.2.0
        //Add gradle plugin location
        buildscript {
            repositories {
                maven {
                    url "https://plugins.gradle.org/m2/"
                }
            }
        }
        //Add 'classpath("com.srcclr:gradle:{insert version number}")' to your dependencies
        buildscript {
            ...
            dependencies {
                classpath "gradle.plugin.com.srcclr:gradle:<insert version number>"
            }
        }
        apply plugin: "srcclr"
        srcclr {
            apiToken = "{apiToken}" //Only required if environment variable is not set
        }

- Optionally, add additional configuration options.
- Save the build.gradle file. You can run the agent-based scanning plugin during your build by adding the srcclr argument to the gradlew command.
  - To perform dependency resolution and build class files, which are the minimum requirements for vulnerable method analysis, run this command:

        ./gradlew srcclr

  - For larger builds, you can run this command:

        ./gradlew clean build srcclr
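As an added example (not part of Veracode's documentation or of the plugin itself), the following POSIX shell helper covers the CI side of the steps above: it refuses to start the scan unless SRCCLR_API_TOKEN is exported, flags a build.gradle that carries a literal apiToken value (a secret that would otherwise be committed together with the build file), and then invokes ./gradlew srcclr. The function names, the GRADLE_CMD override and the sample build-file contents used in the comments are assumptions of this example.

```shell
#!/usr/bin/env sh
# Added example, not Veracode's code. Assumes the plugin is applied in
# build.gradle as shown above and that the scan runs as ./gradlew srcclr.

# Returns 0 when SRCCLR_API_TOKEN is exported and non-empty, 1 otherwise.
require_token() {
  [ -n "${SRCCLR_API_TOKEN:-}" ]
}

# Returns 0 if the build file given as $1 contains a literal apiToken
# assignment such as  apiToken = "abc123"  (anything other than the
# {apiToken} placeholder or a non-string expression such as
# System.getenv(...)). Returns 1 when the file is clean.
has_hardcoded_token() {
  grep -Eq '^[[:space:]]*apiToken[[:space:]]*=[[:space:]]*"[^"{}]+"' "$1"
}

# Runs the scan for the build file in $1 (defaults to build.gradle):
# stops if no token is in the environment, warns if the file embeds one,
# then calls the Gradle wrapper. GRADLE_CMD is a hypothetical override
# so a different wrapper path can be used in CI.
run_scan() {
  build_file="${1:-build.gradle}"
  if ! require_token; then
    echo "SRCCLR_API_TOKEN is not set; export it before scanning" >&2
    return 1
  fi
  if has_hardcoded_token "$build_file"; then
    echo "warning: $build_file embeds a literal apiToken; move it to the environment" >&2
  fi
  "${GRADLE_CMD:-./gradlew}" srcclr
}

# Usage in a CI step, after sourcing this file:
#   export SRCCLR_API_TOKEN=...   (from the CI secret store)
#   run_scan build.gradle
```

The environment-variable option from the token step is the one to prefer in a repository that is pushed anywhere, because the token then never reaches version control; the grep only recognises the simple `apiToken = "..."` form shown in the page's snippet, so treat it as a cheap pre-scan guard rather than a full secrets scanner.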