Skip to main content

Run an agent-based scan for Yarn

You can use agent-based scanning to scan Yarn projects but not Yarn workspaces. To run an example scan, you can clone one of the public Veracode SCA repositories:

git clone https://github.com/veracode/example-javascript-yarn

After you add a srcclr.yml file to the directory where you point the Veracode SCA agent, you can specify scan directives for scanning your Yarn code. The scope directive requires Yarn-specific configurations.

Before you begin:

  • Meet the requirements for the Veracode SCA agent.
  • Have access to the Yarn repository.
  • Have NPM 2.10.0 or later installed on the local path.
  • Include the yarn.lock file in the repository to scan.
  • Include the package.json file in the repository to scan, in the same directory as the yarn.lock file.
  • Have Yarn installed through NPM and located on the local path.

The Veracode SCA agent runs a specific command to identify the dependencies and their versions in your project. You can run this command before scanning to test that the agent can build the project:

node -e var fs= require('fs'); \
  var parse= require('../lib/lockfile/parse.js').default; \
  var contents= fs.readFileSync('/path/to/example-javascript-yarn/yarn.lock', 'utf8'); \
  console.log(JSON.stringify(parse(contents)));

To complete this task:

Run the scan command with the Veracode SCA CLI agent pointed to the directory of the Yarn repository. For example:

srcclr scan path/to/{project_folder}

To scan code repositories hosted in Git, use the --url argument with the CLI agent.

To view more verbose output during the scan process, you can add the --loud argument:

srcclr scan path/to/{project_folder} --loud

Results:

The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.

Next steps:

After completing the scan, you can view the results.

Last updated on