Integrate Veracode SCA agent-based scanning with your CI projects
You can integrate Veracode Software Composition Analysis agent-based scanning into most continuous integration (CI) systems. The integration requires you to create an agent, then add the agent token and scan command to your CI project.
These instructions can apply to most CI systems. Specific instructions are available for Bamboo, Bitbucket, CircleCI, Codeship, GitLab, Jenkins, Travis CI, Gradle, and Maven.
By default, the agent you create is only visible to members of the workspace in which you created the agent. To make it visible to other teams, invite those teams to your workspace.
Before you begin:
- You have the Security Lead, Submitter, Workspace Administrator, or Workspace Editor role.
- Contact your IT department to confirm your client meets the requirements for setting up agent-based scans.
To complete this task:
- In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
- Click the Agent-Based Scan tab.
- Select a workspace.
- Click Agents > Actions > Create.
- Select any option from the Integration Options section. The option you select does not affect the agent or your scan results.
- Click Create Agent & Generate Token.
- In your CI project, store your agent token as a secret environment variable called SRCCLR_API_TOKEN. See the documentation for your CI system for instructions on setting secret environment variables.
- If your Veracode account is in the Commercial Region, skip this step. If your Veracode account is in the European or United States Federal Region, set the SRCCLR_REGION environment variable to one of the following:
  - European Region: ER
  - United States Federal Region: FED
- Add this command to your CI project to download the agent and start scanning:
  curl -sSL https://download.sourceclear.com/ci.sh | sh
  For example, in GitLab, add the command after the after_script step in the .gitlab-ci.yml file. You can customize this command to enable additional features of agent-based scanning.
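The following .gitlab-ci.yml job is an added example of the three CI-side steps above (token as a secret variable, optional region variable, download command) put together; it is not from the Veracode documentation or the Veracode project. The stage and job names, the container image, the build command and the choice of the European region are assumptions; SRCCLR_API_TOKEN is assumed to have been stored as a masked CI/CD variable in the GitLab project settings, so it never appears in the file.

```yaml
# Added example (not Veracode's own configuration): minimal GitLab CI job that
# runs Veracode SCA agent-based scanning after the build.
# Assumptions: stage/job names, the image, the build command, and that
# SRCCLR_API_TOKEN is a masked CI/CD variable set in the project settings.
stages:
  - test

veracode-sca:
  stage: test
  image: node:18            # assumed: any image that provides curl and your build toolchain
  variables:
    # Required only for the European (ER) or US Federal (FED) regions;
    # leave this out entirely for the Commercial region.
    SRCCLR_REGION: "ER"     # assumption: this project uses the European region
  script:
    - npm ci                # assumed build step so dependencies are resolved before the scan
  after_script:
    # The agent reads SRCCLR_API_TOKEN from the masked CI/CD variable; the token
    # is never written into this file or echoed in the job log.
    - curl -sSL https://download.sourceclear.com/ci.sh | sh
```

The command sits under after_script to match the placement the page describes for GitLab. Note that GitLab runs after_script commands without letting their exit status change the job's result, so with this layout a scan that fails or reports issues does not fail the pipeline; a team that wants scan results to gate the job should move the command into the script section instead.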