veracode scan
Performs a scan of a local or remote container.
After the first scan, the Veracode CLI caches the vulnerability databases to improve performance in future scans. The CLI stores the cached data in the tmp directory on your machine.
If you want to run container security scanning in a Docker container, ensure you have installed a package containing compatibility libraries for glibc, such as libc6-compat.
Usage
./veracode scan --type <string> --source <string> [flags]
Flags
| Flag | Description |
|---|---|
-f, --format | Output format for the scan results. Enter one of the following values:json: JSON that uses the Syft JSON schema. See example JSON findings.cyclonedx: an XML report that conforms to the CycloneDX 1.6 specification.table: a columnar summary. |
-h, --help | Show help for this command. |
--no-cache | Do not cache data from the scan. |
-o, --output | Print output to specified file. If not provided, output is printed to STDOUT. |
-s, --source | Location of the scan source for the target type. |
--type | The target type. Enter one of the following values:image: identifies a container image as the target. The following base image operating systems are supported:- Alpine Linux - Amazon Linux - CentOS - Debian - GitLab BusyBox and Distroless - Oracle Linux - Red Hat Enterprise Linux - Ubuntu repo: identifies a repository as the target.archive: identifies an archive as the target.directory: identifies a directory as the target. |
-v, --verbose | Display verbose output. |
Examples
To use an image as the source, run:
./veracode scan --source alpine:latest --type image
To use a directory as the source, run:
./veracode scan --source path/to/directory/or/file --type directory
To use a repository as the source, run:
./veracode scan --source https://github.com/veracode/veracode-sca --type repo
Limitations
The Veracode CLI provides limited scan output for Gradle projects that have not been built.