Veracode SCA Best Practices for Automated CI/CD

Getting Started with Veracode

Veracode recommends that you follow these best practices to effectively implement Veracode Software Composition Analysis in your automated CI/CD projects.

Use the appropriate type of agent for your workflow
If you want to create a standardized pipeline configuration that applies to multiple workspaces, activate an organization agent. If your development team primarily works in a single workspace, activate a workspace agent. See About Veracode SCA Agent Management.
Select the appropriate default branch for your projects
The default branch for a project determines the data that displays in the Veracode Platform, the data that Veracode adds to linked applications, and the branch in which Veracode automatically creates issues for newly released vulnerabilities.
Link your projects to an application profile
You can link the projects you create for Veracode Software Composition Analysis agent-based scans to your Veracode Platform application profiles to enable a unified view of your results for all Veracode scans. You must perform an upload scan to allow Veracode to evaluate the policy status of third-party libraries included in an application profile through a linked project.
Prioritize addressing vulnerable methods
Projects that use a vulnerable method are calling the specific piece of code that causes a library to be vulnerable, which makes the project particularly vulnerable to attack.
Search the Veracode Vulnerability Database before using a library
The Veracode Vulnerability Database provides extensive details of the security impact of including open-source libraries in your code.
Use the REST APIs to view scan results
To access immediate, high-level finding details about your agent-based scan workspaces, use the SCA Agent REST API. For more detailed information about your Veracode SCA findings, link your project to an application profile and use the Findings REST API.
Use agent-based scans with Pipeline Scan
Pipeline Scan provides fast feedback on findings introduced on new commits to first-party code. Like Veracode SCA agent-based scans, Pipeline Scan directly embeds into team development pipelines.
Use fewer than 100 projects in a single workspace
There is no limit to the number of projects in a workspace, but Veracode recommends using fewer than 100 to avoid causing performance delays. You can create new workspaces with the SCA Agent REST API or in the Veracode Platform.
Troubleshoot scan issues from the command line
If you encounter errors with the Veracode Software Composition Analysis agent in your pipeline, you can troubleshoot by scanning locally in your command-line interface. To save time in troubleshooting, include the --quick parameter in the scan command.