Run Highlight code scans into your CI/CD environments
What is a command line?
As computerhope.com defines “Sometimes referred to as the command screen or a text interface, the command line or Windows command line is a user interface that is navigated by typing commands at prompts, instead of using the mouse.” In other words, a command line is a lightweight program that interacts with software through commands that you can script to automate tasks without any further human interaction. Once all set, it’s done and ready to be automated.
The concept of a scriptable command line is one of the pillars of Devops and the benefit of automation has made tasks like Cloud deployment, environment provisioning, database backup and software build more reliable and a huge time saver for developers. As many Devops heads say “throw away any piece of software you couldn’t run automatically“. Needless to say that a command line has now become a must-have in Highlight to continuously scan code and build software analytics.
Get fresh analytics from your software, more frequently
In the world of CAST Highlight, the command line is a Java/portable executable (jar) which is able to perform the same actions as the the Local Agent: discover files and technology, scan code again our patterns, reference frameworks and libraries within your software, and even automatically (and optionally) upload results to the right application, without having to go through each step in the UI.
This is a real game changer for users who want to measure and track progress on software health, cloud readiness and cybersecurity. See how Highlight can detect thousands of vulnerabilities, (also known as CVEs) along their builds, sprints, releases…
As we continue to add powerful code insights and analytics in the product, it creates the need for users to scan their apps at high pace. Who on earth would like to wait the next release of their application for knowing they use a weak and unsafe version of Apache Struts (except Equifax I mean…)?! Conversely, who would be ready to spend time to scan an app every single day or week when no significant commit has been done recently to the project? This is exactly what the command line is made for: providing you with fresh software analytics from your code on a daily, weekly or monthly basis with a minimum operation effort. It’s even more true as the command line can be executed in parallel and can scan multiple applications at the same time.
Now it’s time to see how easy the command line can be used to make Highlight scans part of your CI pipeline.
How to use it in my CI/CD or build environment?
As mentioned earlier, our command line is a JAR that can be integrated in a Jenkins job and a Ant task, from Bamboo … independently of your OS since Java is portable. For each application, configure your scan with a few options such as:
Source directory: the directory that contains source code of your application/project.
Exclusion patterns: in case you want to exclude specific sub-folders from the scan (e.g. test source, generated code or third-party components, etc.).
Technology filter: you can tell Highlight to focus on a specific technology only.
Result upload options: the required parameters (Highlight server, application and user IDs, etc.) if you want to automatically upload the scan results to the platform.
One of the great advantages of automatic upload is that you won’t have to manually create a scan campaign in Highlight. The application results will be automatically added and you can specify a snapshot label which can include the application version, release and/or build number. This snapshot label will be displayed in the dashboard so you’ll know which application results you’re looking at.
That’s all folks! This page will give you the detail of the different options available with some real examples depending on what you want to do (e.g. a simple scan, scan and upload, etc.). From here, you can add the Highlight scan as a step right after a nightly build or create a dedicated job that will weekly or monthly scan your master branch and update your Highlight dashboards.
And what about SCMs?
You could also integrate the command line in your favorite source code management tool, but in that case you would have to define the branch of the project you want to scan through the API, copy/extract (clone for instance, if you’re using Git) the source on a machine, make sure this machine has the required Perl libraries and access to the Internet, then only run the command line… while everything is already there on your build machine. Not saying it’s impossible but, indeed, scanning your application where it is built is the most efficient way to proceed. Note also that most of build tools offers native integrations with SCMs like Git/Github, CVS, ClearCase, SourceSafe, etc.