Skip to main content

Set up the agent-based scanning Gradle plugin

The Veracode Software Composition Analysis agent-based scanning Gradle plugin allows you to automate the scanning of your Gradle repositories. You can upload the results of plugin scans to the Veracode Platform.

Before you begin:

If you do not have the latest version of the plugin, search for SourceClear in the Gradle plugin portal and follow the onscreen instructions.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.

  2. Click the Agent-Based Scan tab.

  3. Select a workspace.

  4. Click Agents > Actions > Create > Gradle.

  5. Click Create Agent & Generate Token.

  6. Choose to either set your API token as an environment variable in the environment where you will build your Gradle repository, or add the token directly to the configuration within your build.gradle file:

    • Run this command to set your environment variable:

      export SRCCLR_API_TOKEN={apiToken}

    • Add this code to your build.gradle file:

                  //For Gradle 2.2.0 or higher
                                  ...

                                  plugins {
                                  id "com.srcclr.gradle" version "{Insert latest version}"
                                  }

                                  apply plugin: "srcclr"

                                  srcclr {
                                  apiToken = "{apiToken}" //Only required if environment variable is not set
                                  }
                              
                  //For Gradle before 2.2.0
                                  //Add gradle plugin location
                                  buildscript {
                                  repositories {
                                  maven {
                                  url "https://plugins.gradle.org/m2/"
                                  }
                                  }
                                  }
                                  //Add 'classpath("com.srcclr:gradle:{insert version number}")'  to your dependencies

                                  buildscript {
                                  ...
                                  dependencies {
                                  classpath "gradle.plugin.com.srcclr:gradle:<insert version number>"
                                  }
                                  }

                                  apply plugin: "srcclr"

                                  srcclr {
                                  apiToken = "{apiToken}" //Only required if environment variable is not set
                                  }
      note

      For multi-project Gradle builds, Veracode recommends you apply these changes only to the root build.gradle file to avoid potentially overriding scan results from the different projects. Do not apply the plugin in the allprojects or subprojects section of the build file.

  7. Optionally, add additional configuration options.

  8. Save the build.gradle file.

    You can run the agent-based scanning plugin during your build by adding the srcclr argument to the gradlew command.

  9. To perform dependency resolution and build class files, which are the minimum requirements for vulnerable method analysis, run this command:

    ./gradlew srcclr

  10. For larger builds, you can run this command:

    ./gradlew clean build srcclr