Install the Veracode SCA CLI agent
By default, the agent you create is not visible to team members. To allow visibility, invite teams to your workspace.
To complete this task:
-
In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
-
Click the Agent-Based Scan tab.
-
Select a workspace.
-
Click Agents > Actions > Create.
-
On the Set Up Scanner page, select the operating system for your agent.
-
Open a terminal window from your desktop and copy one of the commands from the Choose install option section, depending on your preferred method of installation:
-
cURL:
curl -sSL https://download.sourceclear.com/install | sh
-
apt-get:
curl -sSL 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xdf7dd7a50b746dd4' | sudo gpg --dearmor -o /usr/share/keyrings/veracode-sca-archive.gpg
echo 'deb [signed-by=/usr/share/keyrings/veracode-sca-archive.gpg] https://download.sourceclear.com/ubuntu stable/' | sudo tee /etc/apt/sources.list.d/veracode-sca.list
sudo apt-get update
sudo apt-get install srcclr -
Add the agent-based scanning repository to your list of YUM repositories by creating a file
/etc/yum.repos.d/SRCCLR.repo
with this content:[SourceClear] name=SourceClear baseurl=https://download.sourceclear.com/redhat/x86_64/
enabled=1 gpgcheck=1 gpgkey=https://download.sourceclear.com/redhat/SRCCLR-GPG-KEYUpdate and install:
sudo yum update sudo yum install srcclr
noteWhen you run this command for the first time, you are prompted to accept the GPG key.
-
APK (Alpine):
sudo sh -c 'echo https://download.sourceclear.com/alpine/main >> /etc/apk/repositories'
sudo wget -P /etc/apk/keys https://download.sourceclear.com/alpine/public-keys/production@srcclr.com-5e266d90.rsa.pub
sudo apk add srcclr -
Homebrew:
brew tap veracode/srcclr
brew install srcclr -
Homebrew (if you have previously installed version 3.8.30 or earlier of the Veracode SCA agent):
brew uninstall srcclr
brew untap srcclr/srcclr
brew tap veracode/srcclr
brew install srcclr -
Chocolatey:
choco install srcclr
-
-
From the Command Line Interface page in the Veracode Platform, copy the activation token under the
srcclr activate
command. -
Run the
activate
command for your region from the agent server:- Commercial Region:
srcclr activate
- European Region:
srcclr activate --region ER
- United States Federal Region:
srcclr activate --region FED
- Commercial Region:
-
Paste the token you copied into your terminal and press Enter.
After entering your activation token, your
agent.yml
configuration file installs to the~/.srcclr
folder. If that file already exists, you are prompted to enter a profile name. This profile name allows you to choose which token you use when scanning. Veracode recommends that you use the name of the workspace associated with the token. -
To verify your agent installation, run one of the following commands to ensure you scan the package manager:
- Ant:
srcclr test --ant
- Bower:
srcclr test --bower
- Cocoapods:
srcclr test --cocoapods
- Composer:
srcclr test --composer
- Glide:
srcclr test --glide
- Go Get:
srcclr test --go
- Godep:
srcclr test --godep
- Govendor:
srcclr test --govendor
- Gradle:
srcclr test --gradle
- Ivy:
srcclr test --ivy
- Maven:
srcclr test --maven
- NPM:
srcclr test --npm
- Python:
srcclr test --pip
- Ruby Gems:
srcclr test --gem
- SBT:
srcclr test --sbt
- Trash:
srcclr test --trash
- Yarn:
srcclr test --yarn
- Nuget:
srcclr test --nuget
- Ant:
Results:
If the CLI installs successfully, you can view all the tests with a result of PASSED
.