Skip to main content

veracode scan

Performs a scan of a local or remote container.

After the first scan, the Veracode CLI caches the vulnerability databases to improve performance in future scans. The CLI stores the cached data in the tmp directory on your machine.

If you want to run container security scanning in a Docker container, ensure you have installed a package containing compatibility libraries for glibc, such as libc6-compat.


./veracode scan --type <string> --source <string> [flags]


-f, --formatOutput format for the scan results. Enter one of the following values:
json: JSON that uses the Syft JSON schema. See example JSON findings.
cyclonedx: an XML report that conforms to the CycloneDX 1.2 specification.
table: a columnar summary.
-h, --helpReturn help content for veracode scan.
-o, --outputPrint output to specified file. If not provided, output is printed to STDOUT.
-s, --sourceLocation of the scan source for the target type.
--typeThe target type. Enter one of the following values:
image: identifies a container image as the target. The following base image operating systems are supported:
 - Alpine Linux
 - Amazon Linux
 - CentOS
 - Debian
 - GitLab BusyBox and Distroless
 - Oracle Linux
 - Red Hat Enterprise Linux
 - Ubuntu
repo: identifies a repository as the target.
archive: identifies an archive as the target.
directory: identifies a directory as the target.


To use an image as the source, run:

./veracode scan --source alpine:latest --type image

To use a directory as the source, run:

./veracode scan --source path/to/directory/or/file --type directory

To use a repository as the source, run:

./veracode scan --source --type repo


The Veracode CLI provides limited scan output for Gradle projects that have not been built.