Setting up agent-based scans
Requirements
Your environment must meet these requirements:
- One of these operating systems:
  - macOS
  - Windows 7 or later with PowerShell 3 or later
  - 64-bit version of one of these Linux distributions:
    - Alpine 3.11 or later
    - Debian 9 or later
    - Ubuntu 18.04 or later
    - Fedora 19 or later
    - RHEL/CentOS 7 or later
- Outbound connections to the Veracode SCA URLs.
- Your client supports TLS 1.2 or later and at least one of the following cipher suites:
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_RSA_WITH_AES_128_CBC_SHA256
  - TLS_RSA_WITH_AES_128_GCM_SHA256
  - TLS_RSA_WITH_AES_256_CBC_SHA256
  - TLS_RSA_WITH_AES_256_GCM_SHA384
- Git 1.9.3 or later
- If you are not using a Git-based repository, you need to set up the appropriate environment variables as described in Use the Agent with an SCM Other than Git.
- Java 17 or later to run the agent-based scanning command-line interface. This is the runtime the agent itself needs; the agent can still scan projects written for Java 8 or later.
- If your Veracode account is in the United States Federal Region, your environment must also meet the following requirements to avoid conflicts with the third-party Bouncy Castle FIPS provider (BCFIPS) that the SCA agent uses to enforce FIPS-compliant connections. Failure to meet them may result in TLS handshake errors between the SCA agent and the Veracode Platform:
  - To ensure BCFIPS has access to sufficient entropy to generate high-quality keys, Veracode recommends that the execution environment has a hardware random number generator (RNG) activated. If it does not, the operating system kernel, on both hosts and in containers, must have sufficient entropy available. See this example of increasing system entropy on RHEL/CentOS 6 and 7.
  - Do not run the SCA agent behind a proxy server.
  - Contact your IT administrator to ensure that the outbound connections to the Veracode SCA URLs are added to the allowlists of any systems that perform Deep Packet Inspection (DPI), such as DPI firewalls, DPI data loss prevention systems, intrusion detection systems, and intrusion prevention systems. Otherwise these systems may interfere with the BCFIPS handshake.
Scanning a repository that uses Java and one of its build or package managers requires the ability to build the code within the environment in which you scan the project.
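The following preflight script is an added example, not Veracode's own tooling, that checks the requirements above from the shell before installing the agent: minimum Git and Java versions, kernel entropy and whether a hardware RNG is bound, whether a proxy is configured in the environment, and whether the Veracode endpoint accepts a TLS 1.2 handshake with one of the listed cipher suites. It assumes `openssl`, `git` and `java` are on `PATH`; the host name is read from a hypothetical `VERACODE_SCA_HOST` variable because this page does not list the Veracode SCA URLs, and the entropy threshold of 256 is an assumption the page does not state. The OpenSSL cipher names in the script are the IANA names from the list above translated to OpenSSL's naming.

```shell
#!/bin/sh
# Preflight check for the SCA agent requirements listed above. Added example,
# not Veracode's own tooling. Assumes openssl, git and java are on PATH, and
# that VERACODE_SCA_HOST (hypothetical; the page does not list the SCA URLs)
# names the endpoint to probe when run with --run.

MIN_GIT=1.9.3        # from the requirements list
MIN_JAVA=17          # from the requirements list
MIN_ENTROPY=256      # assumed threshold; the page gives no number

# The page's IANA cipher suite names, translated to OpenSSL's names for s_client.
TLS_CIPHERS="ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-GCM-SHA256 \
ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-GCM-SHA384 \
AES128-SHA256 AES128-GCM-SHA256 AES256-SHA256 AES256-GCM-SHA384"

# version_ge A B: succeed when dotted version A >= B, compared field by field.
# Non-numeric suffixes within a field (1.8.0_292, 2.39.3-apple) are ignored.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*} bi=${b%%.*}
        [ "$a" = "$ai" ] && a="" || a=${a#*.}
        [ "$b" = "$bi" ] && b="" || b=${b#*.}
        ai=${ai%%[!0-9]*} bi=${bi%%[!0-9]*}
        ai=${ai:-0} bi=${bi:-0}
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}

# git_version_ok "$(git --version)": parse "git version X.Y.Z ..." and compare.
git_version_ok() {
    v=$(printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] && version_ge "$v" "$MIN_GIT"
}

# java_version_ok "$(java -version 2>&1)": java prints its banner to stderr.
# Pre-9 JDKs report 1.8.x, which correctly fails the >= 17 check.
java_version_ok() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([0-9][0-9._]*\)".*/\1/p' | head -n 1)
    [ -n "$v" ] && version_ge "$v" "$MIN_JAVA"
}

# entropy_ok N: N is the value of /proc/sys/kernel/random/entropy_avail. Kernels
# 5.18+ report a fixed 256 once the CRNG is initialized, so less is a red flag.
entropy_ok() { [ "$1" -ge "$MIN_ENTROPY" ]; }

# hwrng_active: succeed when a hardware RNG driver is bound (Linux sysfs only).
hwrng_active() {
    f=/sys/class/misc/hw_random/rng_current
    [ -r "$f" ] && [ "$(cat "$f")" != "none" ]
}

# proxy_configured V1 V2 ...: succeed if any of the given proxy settings is
# non-empty. The Federal Region requirement is that this check fails.
proxy_configured() {
    for p in "$@"; do [ -n "$p" ] && return 0; done
    return 1
}

# tls_probe HOST: attempt a TLS 1.2 handshake with each listed cipher suite and
# report which the peer accepts. A DPI device terminating TLS usually offers a
# different set than the real endpoint, so a surprising result points at interception.
tls_probe() {
    any=1
    for c in $TLS_CIPHERS; do
        if printf '' | openssl s_client -connect "$1:443" -servername "$1" \
               -tls1_2 -cipher "$c" >/dev/null 2>&1; then
            echo "ok   $c"; any=0
        else
            echo "no   $c"
        fi
    done
    return $any
}

main() {
    : "${VERACODE_SCA_HOST:?set VERACODE_SCA_HOST to a host from the Veracode SCA URLs list}"
    git_version_ok "$(git --version)"       && echo "git: ok"  || echo "git: need >= $MIN_GIT"
    java_version_ok "$(java -version 2>&1)" && echo "java: ok" || echo "java: need >= $MIN_JAVA"
    e=$(cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo 0)
    entropy_ok "$e" && echo "entropy: ok ($e)" || echo "entropy: low ($e)"
    hwrng_active && echo "hwrng: active" || echo "hwrng: none bound"
    proxy_configured "${HTTP_PROXY:-}" "${HTTPS_PROXY:-}" "${http_proxy:-}" "${https_proxy:-}" \
        && echo "proxy: set (not supported for the agent)" || echo "proxy: none"
    tls_probe "$VERACODE_SCA_HOST" || echo "tls: no listed cipher suite accepted"
}

# The live checks only run with --run; without it the script just defines the functions.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `VERACODE_SCA_HOST=<host> sh preflight.sh --run` on the machine or in the container that will execute the agent, since entropy, proxy settings and the path to the endpoint all differ between a developer laptop and a build agent. If every cipher probe fails while a plain `openssl s_client -connect <host>:443` succeeds, something between you and Veracode is negotiating its own cipher suites, which is the DPI interference the Federal Region note warns about.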