# soos-io/sca

The SOOS SCA Orb helps you scan your web manifests' dependencies to find and fix vulnerabilities.


## Commands

### run-sca-analysis

This command executes the SOOS SCA Analysis.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `api_base_url` | string | https://api.soos.io/api/ | URL of the api to be used, internal use only. |
| `api_key` | env_var_name | SOOS_API_KEY | SOOS API Key |
| `branch_name` | string |  | Branch Name to create scan under |
| `build_version` | string |  | Version of application build artifacts. |
| `client_id` | env_var_name | SOOS_CLIENT_ID | SOOS Client Id |
| `directories_to_exclude` | string |  | List of directories (comma separated) that you want to exclude from the scan, eg: node_modules. |
| `files_to_exclude` | string |  | List of files (comma separated) that you want to exclude from the scan, eg: package.json. |
| `log_level` | string | INFO | Log level to show: DEBUG, INFO, WARN, FAIL, ERROR. |
| `on_failure` | enum | continue_on_failure | Flag indicating whether or not to return an error code if errors are found in the SOOS script or SOOS analysis. |
| `output_format` | string |  | Output format for vulnerabilities: only the value SARIF is available at the moment |
| `package_managers` | string |  | List (comma separated) of Package Managers to filter manifest search. (Dart, Erlang, Homebrew, PHP, Java, Nuget, NPM, Python, Ruby, Rust.) |
| `project_name` | string |  | The project name that will be displayed on the dashboard. If the value is empty or not indicated it will default to the repository name. |
| `sca_version` | string | latest | The SOOS SCA version to use - Internal Use Only |

## Jobs

### sca-analysis

Run the SOOS security analysis


| Parameter | Type | Default | Description |
|---|---|---|---|
| `api_base_url` | string | https://api.soos.io/api/ | URL of the api to be used, internal use only. |
| `api_key` | env_var_name | SOOS_API_KEY | SOOS API Key |
| `branch_name` | string |  | Branch Name to create scan under |
| `build_version` | string |  | Version of application build artifacts. |
| `client_id` | env_var_name | SOOS_CLIENT_ID | SOOS Client Id |
| `directories_to_exclude` | string |  | List of directories (comma separated) that you want to exclude from the scan, eg: node_modules. |
| `files_to_exclude` | string |  | List of files (comma separated) that you want to exclude from the scan, eg: package.json. |
| `log_level` | string | INFO | Log level to show: DEBUG, INFO, WARN, FAIL, ERROR. |
| `on_failure` | enum | continue_on_failure |  |
| `output_format` | string |  | Output format for vulnerabilities: only the value SARIF is available at the moment |
| `package_managers` | string |  | List (comma separated) of Package Managers to filter manifest search. (Dart, Erlang, Homebrew, PHP, Java, Nuget, NPM, Python, Ruby, Rust.) |
| `project_name` | string |  | The project name that will be displayed on the dashboard. If the value is empty or not indicated it will default to the repository name. |
| `sca_version` | string | latest | The SOOS SCA version to use - Internal Use Only |

## Executors

### default

This is the Node executor used to run the script.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `tag` | string | 24.11.1 | Pick a specific circleci/node image variant: https://hub.docker.com/r/cimg/node/tags |

## Examples

### example

Sample example description.


```yaml
version: '2.1'
orbs:
  <orb-name>: <namespace>/<orb-name>@1.2.3
workflows:
  use-my-orb:
    jobs:
      - <orb-name>/<job-name>
```
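
The following configuration is an added example, not taken from the orb's own documentation, showing the `sca-analysis` job with the parameters listed above. The orb alias `sca`, the `<version>` placeholder, the context name `soos-credentials` and the project name are assumptions.

```yaml
version: '2.1'
orbs:
  # <version> is a placeholder: pin a specific orb release you have reviewed.
  sca: soos-io/sca@<version>
workflows:
  dependency-scan:
    jobs:
      - sca/sca-analysis:
          # Hypothetical context name; it must define the SOOS_API_KEY and
          # SOOS_CLIENT_ID environment variables.
          context: soos-credentials
          # api_key and client_id are of type env_var_name: pass the NAME of
          # the environment variable, never the secret value itself.
          api_key: SOOS_API_KEY
          client_id: SOOS_CLIENT_ID
          # Constructed sample value; when omitted, the repository name is used.
          project_name: my-service
          # CircleCI pipeline value for the branch that triggered the run.
          branch_name: << pipeline.git.branch >>
          # Limit the manifest search to one package manager and skip
          # vendored dependency directories.
          package_managers: NPM
          directories_to_exclude: node_modules
          # SARIF is the only output format the parameter table lists.
          output_format: SARIF
          log_level: INFO
```

Because `on_failure` defaults to `continue_on_failure`, this job reports findings without returning an error code unless that parameter is changed.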