veracode scan
Perform a scan of a local or remote container.
After the first scan, the Veracode CLI caches the vulnerability databases to improve performance in future scans. The CLI stores the cached data in the tmp directory on your machine.
If you want to run container security scanning in a Docker container, ensure you have installed a package containing compatibility libraries for glibc, such as libc6-compat.
Usage
./veracode scan --type {target type} --source {source} {flags}
Target Type
image: identifies a container image as the target. Veracode supports the following base image operating systems:
- Alpine Linux
- Amazon Linux
- CBL-Mariner Linux
- CentOS
- Debian
- GitLab BusyBox and Distroless
- Oracle Linux
- Red Hat Enterprise Linux
- Ubuntu
repo: identifies a repository as the target.
archive: identifies an archive as the target.
directory: identifies a directory as the target.
Flags
-f, --format: format in which to output the scan results. Enter one of the following values:
Format      Description
json        Default value. JSON that uses the Syft JSON schema. See example JSON findings.
cyclonedx   An XML report conforming to the CycloneDX 1.2 specification.
table       A columnar summary. See example table findings.
-h, --help: return help content for veracode scan.
-o, --output: print output to specified file. If not provided, output is printed to STDOUT.
-s, --source: location of the scan source for the target type.
Examples
Image source:
./veracode scan --source alpine:latest --type image
Directory source:
./veracode scan --source path/to/directory/or/file --type directory
Repository source:
./veracode scan --source https://github.com/veracode/veracode-sca --type repo
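The following is an added example, not part of the Veracode documentation: a POSIX shell wrapper that validates the target type and output format against the values listed on this page before invoking the CLI, so a CI job fails fast on a typo instead of at scan time. It assumes the binary is ./veracode in the working directory (or the path in VERACODE_BIN, a variable introduced here).

```shell
# Added example, not Veracode's own code. Assumes the CLI is ./veracode
# or at the path given in VERACODE_BIN.
VERACODE_BIN="${VERACODE_BIN:-./veracode}"

# Return 0 if the first argument equals one of the remaining arguments.
in_list() {
  needle="$1"; shift
  for item in "$@"; do
    [ "$item" = "$needle" ] && return 0
  done
  return 1
}

# Print the argument list for one scan.
# Usage: build_scan_args TYPE SOURCE [FORMAT] [OUTPUT]
# TYPE and FORMAT are checked against the values documented above;
# FORMAT defaults to json, matching the CLI default.
build_scan_args() {
  type="$1"; src="$2"; format="${3:-json}"; output="${4:-}"
  in_list "$type" image repo archive directory \
    || { echo "unsupported --type: $type" >&2; return 1; }
  in_list "$format" json cyclonedx table \
    || { echo "unsupported --format: $format" >&2; return 1; }
  [ -n "$src" ] || { echo "--source is required" >&2; return 1; }
  printf 'scan --type %s --source %s --format %s' "$type" "$src" "$format"
  [ -n "$output" ] && printf ' --output %s' "$output"
  printf '\n'
}

# Run the scan if the CLI is present; otherwise print the command that
# would have run and return 2 so a pipeline step can distinguish
# "CLI missing" from "scan failed".
run_scan() {
  args="$(build_scan_args "$@")" || return 1
  if [ -x "$VERACODE_BIN" ]; then
    # word-splitting $args into separate CLI arguments is intended
    "$VERACODE_BIN" $args
  else
    echo "CLI not found at $VERACODE_BIN; would run: $VERACODE_BIN $args" >&2
    return 2
  fi
}
```

For example, `run_scan image alpine:latest cyclonedx sbom.xml` writes a CycloneDX report for the image to sbom.xml.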
Limitation
The Veracode CLI provides limited scan output for Gradle projects that have not been built.