Veracode SCA

Veracode SCA

Category: SCA
License: Commercial
Visit Website →

Veracode SCA is an enterprise software composition analysis solution that identifies vulnerabilities in open-source dependencies and detects supply chain threats.

Enhanced by the 2024 acquisition of Phylum, the platform now includes advanced detection of malicious packages, typosquatting attacks, and dependency confusion before vulnerable code reaches production.

What is Veracode SCA?

Veracode SCA scans application dependencies to find known vulnerabilities and risky open-source components.

The solution integrates with the broader Veracode platform, allowing teams to correlate SCA findings with SAST and DAST results for comprehensive application security.

The Phylum acquisition significantly strengthened Veracode’s supply chain security capabilities.

Phylum’s technology analyzes package behavior, identifies malicious code patterns, and blocks compromised packages in real-time.

This proactive approach catches threats before CVEs are published, addressing the gap between exploit and disclosure.

Key Features

Supply Chain Attack Detection

Real-time monitoring for malicious packages entering the software supply chain.

The system detects:

  • Typosquatting (packages with names similar to popular libraries)
  • Dependency confusion (public packages mimicking internal names)
  • Compromised maintainer accounts
  • Malicious code injection in legitimate packages

Reachability Analysis

Not every vulnerable dependency creates exploitable risk.

Veracode SCA traces code paths to determine if vulnerable functions are actually called by your application.

This reachability analysis reduces noise and helps teams prioritize vulnerabilities that matter.

Malicious Package Blocking

Integrate with package managers to block malicious packages before installation.

The firewall capability prevents developers from accidentally introducing compromised dependencies during development or build processes.

Container Scanning

Scan container images for vulnerabilities in OS packages and application dependencies.

The scanner analyzes all layers of container images, identifying risks in base images and added components.

License Compliance

Comprehensive license detection with policy enforcement.

Define organizational rules for acceptable licenses, receive alerts on policy violations, and generate compliance reports.

The system handles complex scenarios including dual-licensing and license exceptions.

SBOM Generation

Create Software Bill of Materials in industry-standard formats (SPDX, CycloneDX).

Automated SBOM generation supports compliance with executive orders and emerging regulations requiring software transparency.

Installation

Veracode SCA integrates via the Veracode CLI, IDE plugins, and CI/CD integrations.

Veracode CLI

Install the Veracode CLI:

# macOS
brew install veracode-cli

# Linux
curl -LO https://tools.veracode.com/veracode-cli/install.sh
sh install.sh

# Windows (PowerShell)
irm https://tools.veracode.com/veracode-cli/install.ps1 | iex

Configure credentials:

veracode configure
# Enter API ID and Key from Veracode Platform

Or use environment variables:

export VERACODE_API_KEY_ID="your-api-id"
export VERACODE_API_KEY_SECRET="your-api-secret"

IDE Plugins

Available for:

  • Visual Studio Code (Veracode Greenlight)
  • IntelliJ IDEA
  • Visual Studio
  • Eclipse

How to Use Veracode SCA

Basic Scanning

Scan current directory:

veracode scan --type sca

Scan specific project:

veracode scan --type sca --source ./my-project

Agent-Based Scanning

For deeper analysis with reachability:

# Java
veracode sca scan --agent --coordinate com.example:my-app:1.0.0

# JavaScript
veracode sca scan --agent --npm

# Python
veracode sca scan --agent --pip

Container Scanning

# Scan local image
veracode container scan my-image:latest

# Scan from registry
veracode container scan registry.example.com/my-image:v1.0

Policy Configuration

Create a policy file veracode-policy.yaml:

sca:
  fail_on_severity: high
  fail_on_cvss: 7.0
  license_policy:
    deny:
      - GPL-3.0
      - AGPL-3.0
    require_review:
      - LGPL-2.1
      - MPL-2.0
  supply_chain:
    block_malicious: true
    block_typosquatting: true

Apply policy:

veracode scan --type sca --policy veracode-policy.yaml

SBOM Generation

# CycloneDX format
veracode sbom --format cyclonedx --output sbom.json

# SPDX format
veracode sbom --format spdx --output sbom.spdx.json

Integration

GitHub Actions

name: Veracode SCA
on: [push, pull_request]

jobs:
  sca-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup dependencies
        run: npm ci

      - name: Veracode SCA Scan
        uses: veracode/veracode-sca@v1
        with:
          api-key-id: ${{ secrets.VERACODE_API_ID }}
          api-key-secret: ${{ secrets.VERACODE_API_SECRET }}
          fail-on-severity: high

      - name: Upload SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: veracode-sbom.json

GitLab CI

veracode-sca:
  image: veracode/cli:latest
  script:
    - npm ci
    - veracode configure --api-id $VERACODE_API_ID --api-key $VERACODE_API_SECRET
    - veracode scan --type sca --fail-on-severity high
  artifacts:
    reports:
      dependency_scanning: veracode-results.json

Azure DevOps

trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: NodeTool@0
    inputs:
      versionSpec: '20.x'

  - script: npm ci
    displayName: 'Install dependencies'

  - task: Veracode@3
    inputs:
      ConnectionDetailsSelection: 'Service Connection'
      VeracodeService: 'Veracode Connection'
      scanType: 'SCA'
      failBuildOnPolicyFail: true

Jenkins Pipeline

pipeline {
    agent any
    environment {
        VERACODE_API_KEY_ID = credentials('veracode-api-id')
        VERACODE_API_KEY_SECRET = credentials('veracode-api-secret')
    }
    stages {
        stage('Install') {
            steps {
                sh 'npm ci'
            }
        }
        stage('Veracode SCA') {
            steps {
                sh '''
                    veracode configure --api-id $VERACODE_API_KEY_ID --api-key $VERACODE_API_KEY_SECRET
                    veracode scan --type sca
                '''
            }
        }
    }
    post {
        always {
            veracodeAnalysis applicationName: 'My App', scanType: 'SCA'
        }
    }
}

Package Registry Firewall

Block malicious packages at the registry level:

# Configure npm to use Veracode proxy
npm config set registry https://registry.veracode.com/npm

# Configure pip
pip config set global.index-url https://registry.veracode.com/pypi/simple

When to Use Veracode SCA

Veracode SCA works well for organizations that need:

  • Advanced supply chain attack protection with malicious package blocking
  • Reachability analysis to prioritize exploitable vulnerabilities
  • Integration with Veracode SAST and DAST for unified application security
  • Enterprise governance with policy enforcement and audit logging
  • Container security alongside application dependency scanning

The Phylum acquisition makes Veracode particularly strong for supply chain security.

Teams concerned about dependency confusion, typosquatting, and malicious maintainers benefit from the real-time threat intelligence.

Organizations already using Veracode for SAST gain natural synergy from adding SCA.

For those evaluating SCA independently, the supply chain security features and reachability analysis differentiate Veracode from basic vulnerability scanners.

Note: Enhanced with Phylum acquisition (2024) for advanced supply chain security.

Other SCA Tools

Arnica
Arnica

Pipelineless SCA with Package Reputation

Black Duck
Black Duck

SBOM & License Compliance

CAST Highlight
CAST Highlight

Chrome Extension, SBOM Export

Checkmarx SCA
Checkmarx SCA

Three-Pronged Analysis

See all SCA tools