Run an agent-based scan for Yarn
You can use agent-based scanning to scan Yarn projects but not Yarn workspaces. To run an example scan, you can clone one of the public Veracode SCA repositories:
git clone https://github.com/veracode/example-javascript-yarn
After you add a srcclr.yml
file to the directory where you point the Veracode SCA agent, you can specify scan directives for scanning your Yarn code. The scope
directive requires Yarn-specific configurations.
Before you begin:
- Meet the requirements for the Veracode SCA agent.
- Have access to the Yarn repository.
- Have NPM 2.10.0 or later installed on the local path.
- Include the
yarn.lock
file in the repository to scan. - Include the
package.json
file in the repository to scan, in the same directory as theyarn.lock
file. - Have Yarn installed through NPM and located on the local path.
The Veracode SCA agent runs a specific command to identify the dependencies and their versions in your project. You can run this command before scanning to test that the agent can build the project:
node -e var fs= require('fs'); \
var parse= require('../lib/lockfile/parse.js').default; \
var contents= fs.readFileSync('/path/to/example-javascript-yarn/yarn.lock', 'utf8'); \
console.log(JSON.stringify(parse(contents)));
To complete this task:
-
Run the scan command with the Veracode SCA CLI agent pointed to the directory of the Yarn repository. For example:
srcclr scan path/to/{project_folder}
noteTo scan code repositories hosted in Git, use the
--url
argument with the CLI agent.To view more verbose output during the scan process, you can add the
--loud
argument:srcclr scan path/to/{project_folder} --loud
Results:
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
Next steps:
After completing the scan, you can view the results.