veracode scan
Perform a scan of a local or remote container.
After the first scan, the Veracode CLI caches the vulnerability databases to improve performance in future scans. The CLI stores the cached data in the tmp directory on your machine.
Usage
./veracode scan --type {target type} --source {source} {flags}
Target Type
image: identifies a container image as the target. Veracode supports the following base image operating systems:- Alpine Linux
- Amazon Linux
- CentOS
- Debian
- GitLab BusyBox and Distroless
- Oracle Linux
- Red Hat Enterprise Linux
- Ubuntu
repo: identifies a repository as the target.archive: identifies an archive as the target.directory: identifies a directory as the target.
Flags
f,--format: format in which to output the scan results. Enter one of the following values:Format Description jsonDefault value. JSON that uses the Syft JSON schema. See example JSON findings. cyclonedxAn XML report conforming to the CycloneDX 1.2 specification. tableA columnar summary. See example table findings. -h,--help: return help content forveracode scan.-o,--output: print output to specified file. If not provided, output is printed to STDOUT.-s,--source: location of the scan source for the target type.
Examples
Image source:
./veracode scan --source alpine:latest --type imageDirectory source:
./veracode scan --source path/to/directory/or/file --type directoryRepository source:
./veracode scan --source https://github.com/veracode/veracode-sca --type repo
Limitation
The Veracode CLI provides limited scan output for Gradle projects that have not been built.