Run Portfolio-Level Code Scans in CI/CD Environments

by Michael Muller

A command line is a user interface that you navigate by typing commands at a prompt instead of using the mouse. In other words, a command-line tool is a lightweight program that drives software through commands you can script, so that tasks run without any further human interaction. Once it is set up, the job is ready to be automated.

The concept of a scriptable command line is one of the pillars of DevOps, and the benefit of automation has made tasks like cloud deployment, environment provisioning, database backup and software builds more reliable and a huge time saver for developers. As many DevOps heads say, “throw away any piece of software you can’t run automatically.” Needless to say, a command line has now become a must-have in CAST Highlight to continuously scan code and build software analytics.

Get Fresh Analytics from Your Software, More Frequently

In the world of CAST Highlight, the command line is a portable Java executable (JAR) that can perform the same actions as the Local Agent: discover files and technologies, scan code for patterns, reference the frameworks and libraries used within your software, and even (optionally) upload the results automatically to the right application without having to go through each step in the UI.

This is a real game changer for users who want to measure and track progress on software health, cloud readiness and cybersecurity.

As we continue to add powerful code insights and analytics to the product, users need to scan their apps at a high pace. Who on earth would want to wait for the next release of their application to learn that they are using a weak and unsafe version of Apache Struts (besides Equifax)?! Conversely, who would scan an app daily or weekly when no significant commit has been made to the project recently? This is exactly what the command line is made for: providing you with fresh software analytics from your code on a daily, weekly or monthly basis with minimal operational effort.

Now let’s see how easily the command line can be used to make Highlight scans part of your CI pipeline.

How to Use CAST Highlight in CI/CD and Build Environments

As mentioned earlier, our command line is a JAR that can be integrated into a Jenkins job or an Ant task from Bamboo, independently of your OS, since Java is portable. For each application, configure your scan with a few options such as:

  • Source directory: the directory that contains the source code of your application/project.
  • Exclusion patterns: in case you want to exclude specific sub-folders from the scan (e.g. test sources, generated code or third-party components).
  • Technology filter: tells Highlight to focus on a specific technology only.
  • Result upload options: the parameters required (Highlight server, application and user IDs, etc.) to automatically upload the scan results to the platform.


One of the great advantages of automatic upload is that you won’t have to manually create a scan campaign in Highlight. The application results are added automatically, and you can specify a snapshot label that can include the application version, release and/or build number. This snapshot label is displayed in the dashboard, so you’ll know which application results you’re looking at.

From here, you can add the Highlight scan as a step right after a nightly build, or create a dedicated job that scans your master branch weekly or monthly and updates your Highlight dashboards.
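As an added illustration of the options listed above and of the snapshot label and upload step, here is a small CI wrapper script around the Highlight JAR. It is example code written for this page, not CAST’s own script: the JAR file name (HighlightAutomation.jar), the flag names (--sourceDir, --ignoreDirectories, --technologies, --snapshotLabel, --serverUrl, --applicationId, --companyId, --login, --password, --skipUpload) and the server URL are assumed placeholders to be checked against the CLI’s own help output for your version. What it adds beyond the option list is the operational hygiene a pipeline needs: the JAR is pinned by checksum before it is executed, an upload with any missing credential fails the job before the scan starts, the snapshot label is derived from the build number and commit id, and the password never reaches the job log.

```shell
#!/usr/bin/env bash
# Example CI wrapper around the CAST Highlight command-line JAR (added
# illustration, not CAST's own script). Flag names and the jar file name are
# ASSUMED placeholders: confirm them against the CLI's --help before use.
set -eu

# Settings, expected from the CI job environment. Credentials must be injected
# from the CI secret store (e.g. a Jenkins credential binding), never committed
# next to the pipeline definition.
: "${HL_JAR:=HighlightAutomation.jar}"          # path to the CLI jar (assumed name)
: "${HL_JAR_SHA256:=}"                           # checksum pinned in the job config
: "${HL_SOURCE_DIR:=.}"                          # source directory to scan
: "${HL_EXCLUDES:=test,generated,node_modules,vendor}"  # sub-folders left out of the scan
: "${HL_TECHNOLOGY:=}"                           # optional technology filter
: "${HL_SERVER_URL:=}"                           # empty = scan only, no upload
: "${HL_APP_ID:=}"
: "${HL_COMPANY_ID:=}"
: "${HL_LOGIN:=}"
: "${HL_PASSWORD:=}"
: "${BUILD_NUMBER:=local}"                       # set by Jenkins / Bamboo
: "${GIT_COMMIT:=unknown}"

# Snapshot label shown in the Highlight dashboard: build number plus short commit
# id, so every result set can be traced back to the exact revision scanned.
snapshot_label() {
  printf 'build-%s-%s' "$BUILD_NUMBER" "$(printf '%s' "$GIT_COMMIT" | cut -c1-8)"
}

# The scanner reads the whole code base, so it is part of the build's supply
# chain: refuse to execute a jar whose checksum is not the pinned one.
verify_jar() {
  [ -f "$HL_JAR" ] || { echo "jar not found: $HL_JAR" >&2; return 1; }
  [ -n "$HL_JAR_SHA256" ] || { echo "HL_JAR_SHA256 is not set" >&2; return 1; }
  actual=$(sha256sum "$HL_JAR" | cut -d' ' -f1)
  [ "$actual" = "$HL_JAR_SHA256" ] || { echo "jar checksum mismatch" >&2; return 1; }
}

# Assemble the scan arguments, one per line. When HL_SERVER_URL is set, every
# upload parameter must be present; otherwise the job fails before the scan
# starts instead of producing results that silently never reach the platform.
build_args() {
  printf '%s\n' --sourceDir "$HL_SOURCE_DIR" --ignoreDirectories "$HL_EXCLUDES" \
    --snapshotLabel "$(snapshot_label)"
  [ -z "$HL_TECHNOLOGY" ] || printf '%s\n' --technologies "$HL_TECHNOLOGY"
  if [ -z "$HL_SERVER_URL" ]; then
    printf '%s\n' --skipUpload
    return 0
  fi
  for name in HL_APP_ID HL_COMPANY_ID HL_LOGIN HL_PASSWORD; do
    eval "value=\${$name}"
    [ -n "$value" ] || { echo "upload requested but $name is empty" >&2; return 1; }
  done
  printf '%s\n' --serverUrl "$HL_SERVER_URL" --applicationId "$HL_APP_ID" \
    --companyId "$HL_COMPANY_ID" --login "$HL_LOGIN" --password "$HL_PASSWORD"
}

# Mask the value that follows --password so the job log never records the secret.
redact_password() {
  awk 'prev == "--password" { $0 = "********" } { prev = $0; print }'
}

main() {
  verify_jar
  args=$(build_args)             # aborts the step if a required setting is missing
  echo "Highlight scan arguments:" >&2
  printf '%s\n' "$args" | redact_password >&2
  # Re-read the argument list into "$@" so paths containing spaces stay intact.
  set --
  while IFS= read -r arg; do set -- "$@" "$arg"; done <<EOF
$args
EOF
  java -jar "$HL_JAR" "$@"       # a non-zero exit here fails the CI step
}

# Only scan when invoked as `highlight-scan.sh run`; sourcing the file just
# defines the functions.
if [ "${1:-}" = "run" ]; then
  main
fi
```

In a Jenkins job this runs as a shell step right after the build, with HL_LOGIN and HL_PASSWORD bound from the credential store and HL_JAR_SHA256 kept in the job configuration; leaving HL_SERVER_URL empty gives a scan-only run, which is a convenient way to validate the exclusion list on a branch before enabling upload to the dashboard.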

What About SCMs?

You can also integrate the command line with your favorite source code management tool, but in that case you would have to define through its API the branch of the project you want to scan, copy or extract (clone, for instance, if you’re using Git) the source onto a machine, make sure this machine has the required Perl libraries and Internet access, and only then run the command line. Scanning your application where it is built is the most efficient way to proceed. Note also that most build tools offer native integrations with SCMs such as Git/GitHub, CVS, ClearCase, SourceSafe and others.

Filed in: DevOps
Michael Muller Product Owner Cloud-Based Software Analytics & Benchmarking at CAST
Michael Muller is a 15-year veteran in the software quality and measurement space. His areas of expertise include code quality, technical debt assessment, software quality remediation strategy, and application portfolio management. Michael manages the Appmarq product and benchmark database and is part of the CAST Research Labs analysis team that generates the industry-renowned CRASH reports.