Installing the SourceClear CLI Agent

SourceClear Software Composition Analysis

About this task

Note: By default, the agent you create is not visible to team members. To allow visibility, you must go to the agent page and select a team from the Teams menu. This selection allows members of the selected team to view the agent information.
To set up the SourceClear agent for your desktop, log in to SourceClear and perform the following steps:


  1. From the left sidebar, select the team for which you want to create the agent and select Agents > New Agent.
  2. In the agent setup page, select Command Line Interface.
  3. Open a terminal window from your desktop and copy one of the commands from the Choose install option section depending on your preferred method of installation:
    • cURL:
      curl -sSL | bash
    • apt-get:
      sudo apt-key adv --keyserver --recv-keys DF7DD7A50B746DD4
                              sudo add-apt-repository "deb stable/"
                              sudo apt-get update
                              sudo apt-get install srcclr
    • Add SourceClear's repository to your list of YUM repositories by creating a file /etc/yum.repos.d/SRCCLR.repo with the following contents:
       [SourceClear] name=SourceClear baseurl= 
       enabled=1 gpgcheck=1 gpgkey=
      Update and install:
      sudo yum update sudo yum install srcclr 
      Note: When you run this command for the first time, you are prompted to accept the GPG key.
    • Homebrew:
      brew tap srcclr/srcclr
                              brew install srcclr
    • Chocolatey:
      choco install srcclr
  4. Go back to the SourceClear installation page and copy the activation token under the srcclr activate command.
  5. Perform the following command from the agent server:
    srcclr activate
  6. Paste the token you copied into your terminal and press Enter.
    After entering your activation token, your agent.yml configuration file is installed to the ~/.srcclr folder. If that file already exists, you are prompted to enter a profile name. This profile name allows you to choose which token you use when scanning. Veracode recommends that you use the name of the workspace with which the token is associated.
  7. Verify your installation by running one of the following commands to check if you can scan that package manager:
    ## Ant
    srcclr test --ant
    ## Bower
    srcclr test --bower
    ## Cocoapods
    srcclr test --cocoapods
    ## Composer
    srcclr test --composer
    ## Glide
    srcclr test --glide
    ## Go Get
    srcclr test --go
    ## Godep
    srcclr test --godep
    ## Govendor
    srcclr test --govendor
    ## Gradle
    srcclr test --gradle
    ## Ivy
    srcclr test --ivy
    ## Maven
    srcclr test --maven
    ## NPM
    srcclr test --npm
    ## Python
    srcclr test --pip
    ## Ruby Gems
    srcclr test --gem
    ## SBT
    srcclr test --sbt
    ## Trash
    srcclr test --trash
    ## Yarn
    srcclr test --yarn
    ## Nuget
    srcclr test --nuget


If the CLI installs successfully, you can view all of the tests with a result of PASSED.