Set up the agent-based scanning Maven plugin
The Veracode Software Composition Analysis (SCA) agent-based scanning Maven plugin allows you to automate the scanning of your Maven repositories. You can upload the results of plugin scans to Veracode for a specific organization or to your personal environment.
To complete this task:
-
In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
-
Select Agent-Based Scan.
-
Select a workspace.
-
Select Agents > Actions > Create > Maven.
-
Select Create Agent & Generate Token.
-
Choose to set your API token as an environment variable in the environment where you build your Maven repository, or add the token directly to the configuration within your
pom.xml
file:-
Environment Configuration:
-
Run this command to set your API token to the
SRCCLR_API_TOKEN
environment variable:export SRCCLR_API_TOKEN={apiToken}
If your shell supports it, you may want to prefix the command with a space to avoid leaving the token in your shell history.
-
Run this command in the root of your Maven project to start a scan:
mvn clean compile com.srcclr:srcclr-maven-plugin:scan
-
-
pom.xml
Configuration:- Add this code to your
pom.xml
file in the root directory:
<build>
<plugins>
<plugin>
<groupId>com.srcclr</groupId>
<artifactId>srcclr-maven-plugin</artifactId>
<version><!-- Insert latest version --></version>
<configuration>
<!--- Add configuration details here-->
<apiToken>OptionallyEnterUserTokenHere</apiToken>
</configuration>
<executions>
<execution>
<id>srcclr-scan</id>
<phase>verify</phase>
<goals>
<goal>scan</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>- Save the
pom.xml
file. The agent-based scanning plugin automatically runs when you run any Maven lifecycle phase that executes afterverify
, such asinstall
ordeploy
.
- Add this code to your
-