A lot of customers ask about running SourceClear from within a Docker container on their build node. Here is how to do it. Customize this to suit your exact needs. Throughout the blog I assume that you've got a project named myproject.

The steps to follow are:

  • Build an Ubuntu based Docker image containing your project's source code
  • Run the Docker image, which downloads and installs the latest SourceClear agent
  • Starts a SourceClear scan on the project folder

Required Files

Add the two following files to the root of your project:


# Latest Ubuntu
FROM ubuntu

# Curl is required for grabbing the latest SourceClear Agent
RUN apt-get update
RUN apt-get install -y curl

# Mount the local folder for scanning purposes.
ADD . /src


This is just a simple script file to keep the command line looking neat and tidy when you execute the Docker container.


cd /src && curl -sSL https://download.sourceclear.com/ci.sh | sh

Make sure it's executable

> chmod 755 srcclr.sh

Setting up the environment

The Agent API Key

Create a new Jenkins agent from your SourceClear organization, create an API key and add it as an environmental variable:

export SRCCLR_API_TOKEN=<insert token here>

This will get passed to the Docker container at runtime.

Build the container

Building the Docker container does several things:

  • Downloads the base Docker image (Ubuntu)
  • Installs Curl
  • Mounts the root project folder into /src on the container

Now build the container (from the root of the project):

docker build . -t srcclr_scan_myproject

Execute the containerized scan

docker run -e SRCCLR_API_TOKEN srcclr_scan_myproject /src/scan.sh

This will do several things:

-e SRCCLR_API_TOKEN will inject this environmental variable into the running container, along with its value. This supplies the SourceClear Agent with the required API key.

srcclr_scan_myproject tells docker to utilize the image we just built (which contains the latest source from myproject)

/src/scan/sh runs the scan script we created locally, which now resides in /src/ along with the project's source.

If you've set everything up, you should see output like:

$ docker run -e SRCCLR_API_TOKEN srcclr_scan_myproject /src/scan.sh

SourceClear scanning engine ready
Running the Gem scanner
Scanning completed
Found 0 lines of code
Matching libraries against the SourceClear Registry...
Matching complete

Summary Report
Scan ID                              7295d188-2073-449a-9068-90ac6c08f44f
Scan Date & Time                     Oct 04 2017 08:49PM UTC
Account type                         ENTERPRISE
Scan engine                          2.10.37 (latest 2.10.37)
Analysis time                        5 seconds
User                                 root
Project                              /src
Package Manager(s)                   Gem

Open-Source Libraries
Total Libraries                      168
Direct Libraries                     57
Transitive Libraries                 120
Vulnerable Libraries                 2
Third Party Code                     100%

With Vulnerable Methods              0
High Risk Vulnerabilities            1
Medium Risk Vulnerabilities          5
Low Risk Vulnerabilities             0

Vulnerabilities - Public Data
CVE-2015-5147                        High Risk       Denial Of Service (DoS) And Stack-based Buffer Overflow      redcarpet 3.2.3

Vulnerabilities - Premium Data
NO-CVE                               Medium Risk     Heap-based Buffer Overflow Through Embedded C Dependency     nokogiri 1.8.0
NO-CVE                               Medium Risk     Denial Of Service (DoS) Through Memory Consumption           nokogiri 1.8.0
NO-CVE                               Medium Risk     Copy-Paste Vulnerability (CPV) Through Libxml2               nokogiri 1.8.0
NO-CVE                               Medium Risk     Copy-Paste Vulnerability (CPV) Through Libxml2               nokogiri 1.8.0
NO-CVE                               Medium Risk     Multiple Stack Overflows Through Embedded C Dependency       nokogiri 1.8.0

Unique Library Licenses              8
Libraries Using GPL                  2
Libraries With No License            14

Full Report Details                  https://myorg.sourceclear.io/teams/855C9Z5/scans/2489804

Mark Curphey, Vice President, Strategy Mark Curphey is the Vice President of Strategy at CA Veracode. Mark is the founder and CEO of SourceClear, a software composition analysis solution designed for DevSecOps, which was acquired by CA Technologies in 2018. In 2001, he founded the Open Web Application Security Project (OWASP), a non-profit organization known for its Top 10 list of Most Critical Web Application Security Risks. Mark moved to the U.S. in 2000 to join Internet Security Systems (acquired by IBM), and later held roles including director of information security at Charles Schwab, vice president of professional services at Foundstone (acquired by McAfee), and principal group program manager, developer division, at Microsoft. Born in the UK, Mark received his B.Eng, Mechanical Engineering from the University of Brighton, and his Masters in Information Security from Royal Holloway, University of London. In his spare time, he enjoys traveling, and cycling.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.




contact menu