Sourceclear’s Agent supports scans that include per-scan directives (known as scan directives). These can be specified on a per-project basis by placing a srcclr.yml file at the root of the scan.
Below is a list of the supported scan directives for use in a srcclr.yml.
By default, SourceClear agents find all supported build tools and package managers in the directory specified by the scan command (or the current directory for CI scans). Using scan_collectors, it’s possible to specify which build tools/package managers to use. The possible values for scan_collectors are:
- "go get"
scan_collectors: gem, maven
By default, SourceClear agents find all supported build tools and package managers in the directory specified by the scan command (or the current directory for CI scans). Using skip_collectors, it’s possible to control which build tools/package managers to skip when running a scan. The possible values for skip_collectors are:
- "go get"
skip_collectors: npm, bower
A comma-separated list of directories which should be ignored in vulnerable methods analysis. This replaces the defaults rather than adding to them.
A comma-separated list of directories which adds to the default per-language set ignored by vulnerable methods analysis.
vuln_methods_extra_ignored_directories: doc, test
The defaults are:
- Ruby: test
- Java: test
- Python: test, tests, doc, docs, bin, .virtualenv, env, venv
Multi-Language Directives Scope
Ruby, Java, NPM, Yarn, Bower, PHP
When specified, the ‘scope’ directive limits dependency resolution (and therefore the discovered dependencies) to those within the specified scope. It also includes any scope that the specified scope inherits from (if supported by the build system). The same scope is applied to every package manager used in the project.
For PHP the only accepted scope is --no-dev, which installs only production packages.
# Java example
scope: testCompile
# Prevent scanning 'devDependencies' for an NPM project
scope: production
Boolean value which forces the SourceClear agent to perform a compilation prior to scanning. Defaults to true.
Boolean value which forces the SourceClear agent to perform a compilation and installation prior to scanning. Defaults to true.
String attribute: the SourceClear agent runs the supplied mvn options instead of the defaults, compile and install. The value must be a single string.
custom_maven_command: clean compile
String attribute which specifies the full path to a custom maven executable. Defaults to the maven executable on the PATH of the environment in which the scan runs.
String attribute which specifies the full path to a custom gradle executable. Defaults to the gradle executable on the PATH of the environment in which the scan runs, or to a gradlew file in the scanned directory if one exists.
String attribute which specifies the full path to a custom ant executable. Defaults to the ant executable on the PATH of the environment in which the scan runs.
String attribute with custom Ant build steps to run before scanning.
ant_build_steps: clean compile
By default, SourceClear uses the ivysettings.xml file found in the root folder. Use this directive to specify a different Ivy settings file.
Comma-separated list of directory paths, relative to the scan project root.
ant_lib_dir: lib/, main/jarfiles/
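As an added illustration (not SourceClear's own code), the following script parses the flat `key: value` form of srcclr.yml used on this page, flags a collector listed in both scan_collectors and skip_collectors, flags an ant_lib_dir entry that is not relative to the project root, and computes the directories vulnerable methods analysis will skip for a language from the defaults listed above plus vuln_methods_extra_ignored_directories. The sample configuration is constructed; the parser handles only the flat subset of YAML shown in this page's examples.

```python
# Per-language defaults for vulnerable-methods analysis, as listed on the page.
VULN_METHODS_DEFAULTS = {
    "ruby": {"test"},
    "java": {"test"},
    "python": {"test", "tests", "doc", "docs", "bin", ".virtualenv", "env", "venv"},
}
# Directives the page documents as comma-separated lists.
COMMA_LIST_KEYS = {"scan_collectors", "skip_collectors", "ant_lib_dir", "vuln_methods_extra_ignored_directories"}
# Constructed sample srcclr.yml with two deliberate mistakes for the linter to catch.
SAMPLE_SRCCLR_YML = """\
scan_collectors: gem, maven
skip_collectors: npm, maven            # maven is also selected above
scope: production                      # do not resolve NPM devDependencies
vuln_methods_extra_ignored_directories: doc, test
ant_lib_dir: lib/, /opt/jars           # entries must be relative to the root
custom_maven_command: clean compile
"""
def parse_srcclr_yml(text):
    """Parse flat 'key: value' lines, skipping '#' comments and blank lines."""
    directives = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key: value'")
        key, value = key.strip(), value.strip()
        if key in COMMA_LIST_KEYS:                # comma-separated directives become lists
            value = [v.strip() for v in value.split(",") if v.strip()]
        elif value.lower() in ("true", "false"):  # boolean directives
            value = value.lower() == "true"
        directives[key] = value
    return directives

def lint(directives):
    """Return findings for directives that contradict each other or the page's rules."""
    findings = []
    both = set(directives.get("scan_collectors", [])) & set(directives.get("skip_collectors", []))
    if both:
        findings.append(f"collector(s) both selected and skipped: {sorted(both)}")
    for path in directives.get("ant_lib_dir", []):
        if path.startswith("/"):
            findings.append(f"ant_lib_dir entry is not relative to the project root: {path}")
    return findings

def effective_vuln_methods_ignored(directives, language):
    extra = directives.get("vuln_methods_extra_ignored_directories", [])  # extras add to defaults
    return sorted(VULN_METHODS_DEFAULTS.get(language, set()) | set(extra))
```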
This directive supports setups where the gradlew file is not at the root of a Gradle project. The value should be a relative path ending in the gradlew filename.
By default the ‘classes’ task is used when performing Gradle scans. This allows for complete dependency resolution and generation of class files without going far enough in the build to execute unit and integration tests. If a custom task should be run instead, it can be placed here. This is a space-separated list of tasks to execute.
gradle_tasks: clean compile
This allows the user to dynamically pin scans to only certain sub-modules, based on whether that sub-module contains the specified task. In the example below, the scan would be limited to sub-modules containing the classes task.
Boolean attribute that forces the SourceClear agent to perform a ‘bundle install’ even when a Gemfile.lock already exists. Defaults to false.
Boolean value which indicates whether the Python virtualenv in which the agent scans for pip dependency information should include the system site packages. Defaults to false.
Boolean value which indicates whether the SourceClear agent should use the pip package found on the machine instead of the bundled version of pip. Defaults to false.
The value of this directive is a file path giving an alternative location of the pip requirements file for the project. If it is not specified, the agent looks for requirements.txt, dev-requirements.txt, or requirements-dev.txt in the root of the project.
By default Bower doesn’t permit the root user to perform installation tasks. While this is for security reasons, many Docker setups use the root user. Using this directive and setting it to true will instruct Bower to use the --allow-root flag.
Boolean value which forces the SourceClear agent to download the Go dependencies used by the project before scanning for them.
Boolean value which can be used to stop SourceClear from re-installing composer packages. If this is used, the composer.lock file MUST already be present in the repository.