veracode scan

Perform a scan of a local or remote container.

After the first scan, the Veracode CLI caches the vulnerability databases to improve performance in future scans. The CLI stores the cached data in the tmp directory on your machine.

If you want to run container security scanning in a Docker container, ensure you have installed a package containing compatibility libraries for glibc, such as libc6-compat.


./veracode scan --type {target type} --source {source} {flags}

Target Type

  • image: identifies a container image as the target. Veracode supports the following base image operating systems:
    • Alpine Linux
    • Amazon Linux
    • CBL-Mariner Linux
    • CentOS
    • Debian
    • GitLab BusyBox and Distroless
    • Oracle Linux
    • Red Hat Enterprise Linux
    • Ubuntu
  • repo: identifies a repository as the target.
  • archive: identifies an archive as the target.
  • directory: identifies a directory as the target.


  • -f, --format: format in which to output the scan results. Enter one of the following values:
    • json: default value. JSON that uses the Syft JSON schema. See example JSON findings.
    • cyclonedx: an XML report conforming to the CycloneDX 1.2 specification.
    • table: a columnar summary. See example table findings.
  • -h, --help: return help content for veracode scan.
  • -o, --output: print output to the specified file. If not provided, output is printed to STDOUT.
  • -s, --source: location of the scan source for the target type.


  • Image source: ./veracode scan --source alpine:latest --type image

  • Directory source: ./veracode scan --source path/to/directory/or/file --type directory

  • Repository source: ./veracode scan --source --type repo


The Veracode CLI provides limited scan output for Gradle projects that have not been built.
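The following POSIX sh wrapper is an added example for this page, not part of the Veracode documentation or CLI. It validates the --type and --format values listed above, assembles the veracode scan command line, and runs the scan only when the binary is present; the VERACODE_BIN variable, the ./veracode default path, and the run_scan/build_scan_cmd function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Veracode's own code. Wraps `veracode scan` for use in
# a CI job: rejects undocumented --type/--format values before invoking the
# CLI, and writes results to a file when an output path is given.
# Assumption: the CLI binary lives at ./veracode unless VERACODE_BIN is set.

VERACODE_BIN="${VERACODE_BIN:-./veracode}"

# Return 0 if $1 is one of the documented target types.
valid_type() {
    case "$1" in
        image|repo|archive|directory) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if $1 is one of the documented output formats.
valid_format() {
    case "$1" in
        json|cyclonedx|table) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the command line that would be run, without running it.
# Arguments: <type> <source> [format] [output-file]
build_scan_cmd() {
    type_="$1"; source_="$2"; format_="${3:-json}"; output_="$4"
    if [ -z "$type_" ] || [ -z "$source_" ]; then
        echo "usage: build_scan_cmd <type> <source> [format] [output-file]" >&2
        return 2
    fi
    valid_type "$type_" || { echo "unknown --type: $type_" >&2; return 2; }
    valid_format "$format_" || { echo "unknown --format: $format_" >&2; return 2; }
    cmd="$VERACODE_BIN scan --type $type_ --source $source_ --format $format_"
    if [ -n "$output_" ]; then
        cmd="$cmd --output $output_"
    fi
    printf '%s\n' "$cmd"
}

# Validate the arguments, then run the scan with the CLI if it is installed.
# Exit status: 2 on bad arguments, 127 if the binary is missing, otherwise
# the CLI's own exit status.
run_scan() {
    build_scan_cmd "$@" >/dev/null || return 2
    type_="$1"; source_="$2"; format_="${3:-json}"; output_="$4"
    if [ ! -x "$VERACODE_BIN" ]; then
        echo "veracode binary not found at $VERACODE_BIN" >&2
        return 127
    fi
    if [ -n "$output_" ]; then
        "$VERACODE_BIN" scan --type "$type_" --source "$source_" \
            --format "$format_" --output "$output_"
    else
        "$VERACODE_BIN" scan --type "$type_" --source "$source_" \
            --format "$format_"
    fi
}

# Example invocation (image target, table summary written to a file):
#   run_scan image alpine:latest table scan-results.txt
```

Because the CLI caches its vulnerability databases in the tmp directory after the first scan, a CI job that reuses the same runner benefits from that cache on subsequent runs; a fresh runner will download the databases again on its first scan.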