Product Tutorials & Third-Party Tools

CURRENT VERSION

For the best experience and the most accurate Software Intelligence insights, make sure you’re using the latest released version prior to scanning your application with the Code Reader or the Command Line.

This page lists content and tools that will help you run and leverage CAST Highlight in the best conditions possible. For uncovered topics, don’t hesitate to read our product FAQ or contact our support team.

Code Reader & CLI Supported Versions - Important Notice

The CAST Highlight product team continuously works to bring you the best experience and Software Intelligence to help you make better decisions across your application portfolio. Since application analysis is core to the integrity of results and insights, it is strongly recommended that you always use the latest available versions of the Code Reader and CLI (Command Line Interface). To ensure users are getting the best experience (pattern/component detection improvements, bug fixes, etc.) and that the platform correctly processes scan results, we’re rolling out some rules on the minimum version of the Command Line to be used.

As of April 13th 2024, all scan results produced with a version of our Code Reader and CLI that is 6 months or more behind the current version won’t be processed by the SaaS platform (e.g., on April 13th, the minimum supported version will be 5.5.0).

For further guidance on where to download the latest versions of our Code Reader, CLI, Docker CLI, you can refer to our documentation website:

Must-see resources to get you started

Getting Started Guide

In this documentation, you’ll find all the necessary information that will drive your first steps on the Highlight platform: how to create an application or invite users, how to scan source code, supported technologies, etc.

Highlight Indicators & Methodology

In this slide presentation, you’ll find all the necessary information to understand how Highlight analytics and code insights are built, what they mean and how to interpret them, with concrete examples by technology stack.

Command Line Documentation

Highlight analyzers can now be run through a configurable command line, in order to automate source code scans and uploads (optionally). Want to get fresh analytics after each sprint or release, or even nightly build? It only takes minutes!

REST API Documentation

Highlight key metrics (e.g. health factor scores, lines of code, total cloud roadblocks, etc.) can be extracted from the platform to be integrated wherever it will make sense for your organization, using our public REST API.

Keyword Scanner Guide

This document explains how to use the Keyword Scan feature, the different use cases such as GDPR and how to leverage scan results at both application and portfolio levels.

Custom Indicator Guide

Everything you need to know to create, administrate and consume the custom indicators in CAST Highlight.

Resources by Feature

Feature Focus: Cloud Migration Wave Advisor

CAST Highlight helps users determine the ideal sequence of applications to move to the cloud by automatically segmenting a portfolio based on multiple dimensions. Learn in this article how the Cloud Migration Wave Advisor works.

Feature Focus: Cloud Migration Application Advisor

The Cloud Application Migration Advisor provides automated Cloud migration insights and recommendations based on a specific migration scenario in just a few clicks. See in this article how the feature works.

Feature Focus: How to exclude a Cloud Maturity Blocker from CAST Highlight results

In some specific contexts, CAST Highlight will identify CloudReady Blockers in the code of an application that are not actually cloud migration blockers if they are addressed through some other method (e.g., infrastructure configuration). This article explains how to exclude Blockers from the results of an application and how this impacts the CloudReady scores.

Feature Focus: Multi-Cloud Insights

CAST Highlight detects the use of vendor-specific PaaS services that could prevent or hinder an application from being deployed across multiple cloud platforms. This article describes the Multi-Cloud Insights feature we recently implemented.

Portfolio Advisor for Cloud, an automated and smart way to segment an application portfolio for Cloud migration

Based on a multi-dimensional analysis of CAST Highlight’s Software Intelligence insights, a simple click calculates the recommended Cloud migration segment (rehost, refactor, rebuild, etc.) for each application in a portfolio. Read this article to learn how this capability works and how to leverage it within your organization.

Feature Focus: Cloud Containerization Insights

CAST Highlight’s new insights on containerization will help you understand exactly where and how an application needs to change. This article explains the benefits of application containerization and how to get containerization insights from CAST Highlight’s dashboards, exports, and API.

Feature Focus: Cloud Service Recommendations, a step further in your Cloud journey

CAST Highlight excels at identifying code Blockers an application could encounter during a Cloud migration and recognizing cloud Boosters or effective PaaS service implementations in a code base that would make the move easier. The next step is to recommend specific PaaS services at both the portfolio and application levels that are good candidates to adopt after migration based on the technical characteristics of the application. This is now available in CAST Highlight for AWS and Azure and will save Chief Cloud Architects precious time. This article describes how the feature works and how to best leverage it in your organization.

List of Cloud Service Recommendations

Using Software Intelligence, CAST Highlight combines detected code patterns, technologies and OSS components and contextual characteristics of an application to help cloud architects identify the best cloud services to adopt for their custom apps from Cloud vendors. Below is the list of Cloud services from Cloud Service Providers that CAST Highlight supports for recommendations.

Feature Focus: Cloud Maturity Effort Estimate

This is probably the most anticipated metric since we launched the Cloud Maturity feature three years ago: getting an estimate of the effort required to remove Cloud blockers CAST Highlight detects across hundreds of patterns. This article describes how to use this new metric and how to build your own Cloud effort profile.

Feature Focus: CISA’s Known Exploited Vulnerability Insights

CAST Highlight now incorporates CISA’s KEV (Known Exploited Vulnerabilities) database to complement CVE information and help organizations prioritize vulnerability remediation efforts. See in this article how to access and use this new software intelligence.

Feature Focus: OSS Component Lifespan Insights

CAST Highlight automatically calculates a lifespan status on open-source software (OSS) components. This status identifies whether a component is active, possibly deprecated, or immature. See in this article how the feature works and how to leverage this new SCA insight for more informed decisions.

Feature Focus: SBOM Import

By importing SBOMs in CycloneDX format, CAST Highlight can instantly analyze every component, check for known vulnerabilities, identify any licensing issues, and highlight any outdated components. It’s like having a super-powered microscope that can instantly see all the tiny details that you might miss, without even having to scan the source code or binaries. And that’s the interesting part of this SBOM importing capability. Let’s see how it works.

Feature Focus: Proprietary Component Governance

Software Composition Analysis (SCA) has become an essential part of modern software development, with a primary focus on analyzing and managing the risks associated with open-source software (OSS) components. However, the importance of proprietary components in software applications cannot be overlooked. These homegrown components are the backbone of many software systems and contribute significantly to a business as they are not open-source and publicly available, by definition. In this tutorial, we will explain the significance of governing proprietary components and how CAST Highlight’s SCA capabilities help you address this requirement.

Feature Focus: SCA Advanced Snapshot Comparison

CAST Highlight can perform a fine-grained comparison of two snapshots of a scanned application and automatically identify which open-source software (OSS) components have been added, removed or upgraded. See in this article how the feature works and how it can help you better understand changes to the Open Source Safety scores over time.

Feature Focus: Component License Compatibility

When dealing with Open Source license compatibility, verifying legal term compatibility between third-party components and their respective dependencies could turn into a never-ending nightmare when done manually, increasing the legal risk of a license conflict. CAST Highlight allows users to define license compatibility rules between licenses and automatically detect and report possible license conflicts in […]

Feature Focus: Safe OSS Component Version Recommender

CAST Highlight automatically recommends quick and ideal component upgrade scenarios to remove vulnerabilities. See in this article how the Safe OSS Component Version Recommender feature works.

Indicators & Methodology: Changes in CAST Highlight’s default open source license risk profile

Now that CAST Highlight enables users to leverage license rulebooks for automatically building their license risk profiles, the default license risk profile in the product will follow this same model going forward. This change updates the accuracy of the default license risk template that comes out of the box with CAST Highlight to be more aligned with current open source licensing practices while still providing flexibility to fully customize the template for any scenario. As a result, some licenses may experience a change in risk levels which will impact some of the CAST Highlight scores related to open source license risk. However, it is possible to keep the current default license risk profile if desired. This change will be effective as of June 25, 2022. This post describes all of the details.

Feature Focus: Automated Email Notifications of New Component Vulnerabilities

The recent security vulnerabilities reported in the Log4J and Spring4Shell open source components reminded us of an important reality — security is often a critical race from the time of a vulnerability disclosure to its remediation. CAST Highlight has added a new capability that automatically sends email notifications as soon as a new vulnerability impacting one of your applications is published, without having to re-scan them. This article explains how it works.

Feature Focus: Open Source License Rulebooks

CAST Highlight now displays open source licenses terms, permissions, and constraints in a user-friendly manner: the license rulebooks. This article explains how to access this information from the dashboard to quickly understand the legal implications of OSS component licenses.

Feature Focus: How to automatically generate a License Risk Profile based on the CAST Highlight license rulebook

In CAST Highlight, you can manually or automatically create custom License Risk profiles that will specify the level of risk of licenses detected in the Open Source components your applications use. This article explains how to define a License Risk profile that can be automatically generated based on the license terms (rulebook).

Feature Focus: Portfolio Advisor for Open Source, an automated and smart way to segment an application portfolio better prioritizing third-party component risks

We are very proud to present the Portfolio Advisor for Open Source which joins the growing family of Portfolio Advisors that have already been released for Cloud and Technical Debt. This capability automatically segments a portfolio of applications and identifies Open Source risk priorities for each application by combining unique Software Intelligence insights. Learn more about how the capability works in this article.

Analyze Open Source weaknesses before they become known vulnerabilities with CAST Highlight’s OSSIDB

While it is important to ensure that your application is not exposed to known vulnerabilities from the National Vulnerability Database (NVD), a hacker could exploit software weaknesses that are not referenced yet in the NVD. CAST Highlight now identifies these security flaws on popular Open Source components as a result of CAST’s unique understanding of software structural quality. This article explains how it works and describes how to use this capability for making more informed decisions about Open Source risk.

Good practices when defining the scope of a code scan

In this post, we have compiled a few good practices to keep in mind when scanning a code base with CAST Highlight in order to let you consume the most consistent software analytics possible, depending on your use case (software health, open source detection for license compliance or vulnerability checks, etc.).

Feature Focus: Preventing the Use of Risky OSS Components Across the Enterprise

CAST Highlight scans your applications and automatically detects the third-party components in use along with consolidated metadata such as vulnerabilities (CVEs), licenses, version release date, etc. that may put your organization at risk. However, spotting a weak Open Source component while the application is already in production may be too late as the component is already integrated in your app, possibly for years. The challenge is to prevent the selection of a dangerous library at the earliest stage possible, well before it is referenced or implemented in your applications. This product post describes the new Component Catalog feature that allows users to search components and manage approved and unauthorized components across your portfolio.

Open Source Safety

Open Source Safety indicates the use of 3rd-party components that comply with security, license and age requirements.

Feature Focus: How to manage third-party components and vulnerabilities in SCA results

CAST Highlight recently introduced new Software Composition Analysis (SCA) features that help users better manage, filter and tag detected Open Source components and related vulnerabilities across application portfolios. This article describes each of these features and how to use them to get the most accurate and actionable insights.

Software Composition in Highlight: How Open Source component detection works

CAST consolidates a unique database made of 94M+ Open Source components and 9B+ file fingerprints. This article details the concept and steps in Highlight to automatically retrieve the true origin of your source code, whether it is for license compliance, vulnerability or obsolescence verification.

How OSS licenses are mined and detected in Highlight’s Software Composition Analysis feature

CAST has developed unique algorithms to mine and detect licenses from Open Source components to let you get a (more accurate) sense of IP and legal impacts your software is exposed to. Here is how it works.

Explore your OSS dependencies. Visually!

Software Composition Analysis is often perceived as a complex discipline, especially when you consider all its aspects such as license compliance, security vulnerability and technology obsolescence. This is particularly true when your application has about 100 or 200 Open Source components and you start digging into their own dependencies to try spotting hidden risks. The mission of the new OSS Dependency Explorer in Highlight is to make this exercise as easy and interactive as possible by consolidating Software Intelligence in a very visual way. See how in this post.

Transitive Dependencies: How much can you trust friends of your friends?

Friends of your friends are not necessarily your friends. In this post, we’ll see why it is important to get visibility on dependencies of the Open Source components your apps are using and how to manage security and license information of these transitive dependencies in CAST Highlight’s Software Composition Analysis dashboards.

Feature Focus: Green Effort Estimate

This article explains how Green Effort estimate is calculated and how to customize the effort profile.

Feature Focus: Green Impact score calculation

CAST Highlight introduced a new indicator for estimating the green impact of a software application. This article explains how the Green Impact score is calculated in CAST Highlight.

Methodology Update: Threshold Change in Health Factors (June 2021)

In CAST Highlight’s June 2021 version, we updated the thresholds used for coloring Software Health indicators (green, orange and red) to reflect current values in the benchmark repository, which is now comprised of 12K representative applications.

Software Health

Definition: Software Health indicates how your application complies with programming best practices that increase resiliency, improve agility and reduce complexity. Software Health score is the straight average of Software Resiliency, Software Agility and Software Elegance scores. Thresholds used for Software Health categories: Low/Red: below 53.0; Medium/Orange: from 53.0 to 75.0; High/Green: above 75.0.

Software Resiliency

Definition: Software Resiliency indicates programming best practices that make software bullet-proof, more robust and secure. This index is derived from technology-specific code analysis which searches for the presence of code patterns and bad programming practices which may compromise the reliability of the software in the short term. The higher the Software Resiliency, the lower the likelihood [...]

Software Agility

Definition: Software Agility indicates how easily a development team can understand and maintain an application. This index is derived from technology-specific code analysis which searches for the presence of embedded documentation and code readability good practices. Thresholds used for Software Agility categories: Low/Red: below 54.0; Medium/Orange: from 54.0 to 69.0; High/Green: above 69.0. Code Insights [...]

Software Elegance

Definition: Software Elegance measures the ability to deliver software value with less code complexity. A low Software Elegance score indicates decreased quality in the code resulting in higher defects which may become costly to fix in the mid-term. Thresholds used for Software Elegance categories: Low/Red: below 39.0; Medium/Orange: from 39.0 to 70.0; High/Green: above 70.0. Code Insights [...]

Feature Focus: Re-calculate Software Health scores in real-time based on folder exclusions

This article explains how to use the CAST Highlight feature that allows users to re-calculate the Software Health scores and sizing metrics of an application in real-time based on specific folder exclusions directly in the user interface.

Feature Focus: Enhanced Technical Debt Estimates

Technical Debt is a useful measure to analyze the health of an application portfolio and start prioritizing and quantifying remediation effort. We recently revisited and enhanced the Technical Debt calculation in CAST Highlight to increase estimate accuracy, to make it more flexible, and to deliver more actionable insights. Read this article to learn more about these enhancements, the impact on current results and the features it enables. This change will take effect on December 12, 2020.

Feature Focus: Portfolio Advisor for Technical Debt

We recently enhanced the Technical Debt calculation in CAST Highlight which has enabled new possibilities to visualize and analyze the Technical Debt of an application portfolio. One such scenario is automated prioritization of recommended remediation efforts using the new Portfolio Advisor for Technical Debt. This article explains how the Portfolio Advisor for Technical Debt works and how to use it to build informed action plans for tackling Technical Debt across an application portfolio.

ROAR Index

The ROAR (Ranking of Application Risks) index is a composite metric that takes into account the three main Highlight software health factors (Software Resiliency, Software Agility and Software Elegance) with a weighted average formula, balanced with the Business Impact of the application. And that’s probably the most important part of the formula here, since it mixes both technical […]

Software Maintenance Estimates

Definition: Based on COCOMO II (Constructive Cost Model - Post Architecture), the Software Maintenance Effort calculated by Highlight estimates the ideal level of effort in order to maintain an application in good operational conditions, expressed in FTE (Full-Time Equivalent). This indicator is derived both from the Software Maintenance survey and the software quality analysis which are [...]

Backfired Function Points

Definition: Back-Fired Function Points (BFP) estimate the number of function points of an application. This code-derived metric is based on the lines of code, weighted by an abacus for a given technology. The abacus is taken from QSM (Quantitative Software Management). Example: An application is composed of 3 different technologies: Java (100K lines of code), PL/SQL […]

How to estimate size and health of high frequency code iterations using the delta analysis feature

The "Application Trends" feature (also known as delta analysis) dramatically increases the value of using Highlight in an Agile context. In a nutshell, Highlight now computes software health scores and metrics of scanned source files based on their status, whether they have been added or modified during the last iteration. This post will explain how [...]

What is a line of code and how Highlight counts them

Sometimes, this question is raised by new users: how does CAST Highlight count lines of code compared to classic static code analysis tools, and how can possible differences be explained? While no methodology for counting lines of code is truer or better than another, the most important thing in order to get consistent results is to use […]

Feature Focus: Scanning Docker Images

Containerization has become increasingly popular in modern applications, with Docker images providing a lightweight and portable way of packaging and deploying software. However, scanning source code of custom applications is not enough to guarantee the security of a containerized application. CAST Highlight has developed a new capability that allows users to scan the contents of a Docker image to identify potential risks and vulnerabilities. See how the capability works.

Feature Focus: How to use Command Line’s .properties file

To simplify use of the CAST Highlight command line and scale code scan deployments across CI/CD pipelines, you can use the .properties files. This tutorial explains how.

Feature Focus: API/CLI User Token Management

CAST Highlight’s API is now used extensively across our user base for various scenarios such as building custom reports or integrating our insights into third-party products (e.g., MEGA, Alphabet, Azure DevOps, and Atlassian JIRA to name a few). Hence, there was a need for a more secure and flexible way to manage user access. This article describes how to create, manage, and use OAuth2 tokens to work with the CAST Highlight API or the command line interface (CLI).

Tutorial: How to run our Docker scan image from Azure DevOps pipelines

As you may know, we recently published on Docker Hub an image that you can run as a container which includes everything you need to scan your application with CAST Highlight’s analyzers without having to worry about the libraries you need to install, the compatibility of your OS, etc. One of the big advantages of Docker is that it’s now available from almost all popular CI/CD tools such as Jenkins, Bamboo, Azure DevOps, etc. In this tutorial, you’ll learn how to use our Docker image from Azure DevOps.

How to import / export apps, domains and users in bulk from Excel

This post explains how to easily import or export a list of users, domains and applications in bulk from an Excel file with CAST Highlight, without any API skills required.

Run Highlight code scans into your CI/CD environments

The concept of a scriptable command line is one of the pillars of DevOps, and the benefit of automation has made tasks like Cloud deployment, environment provisioning, database backup and software build more reliable and a huge time saver for developers. As many DevOps heads say, “throw away any piece of software you couldn’t run automatically”. Needless to say, a command line has now become a must-have in Highlight to continuously scan code and build software analytics.

Highlight integrates into your ecosystem using our public API

The recent product release of CAST Highlight introduces our public API to let you share unprecedented Software Analytics and code-level health metrics with the rest of your technology ecosystem as well as automate actions on our platform. In this article we’ll review the API and what kind of new consumption usages it enables for Highlight [...]

Tutorial: How to build custom indicators using JIRA metrics and Highlight’s API

In this tutorial post, we’ll see how to use CAST Highlight’s API to import external metrics and automatically consolidate a custom indicator. With a few steps and basic scripting skills, you’ll be able to create a custom indicator based on the ratio between the number of open bugs in JIRA vs. the number of total issues. This is just an example to illustrate how you could combine Highlight’s Software Intelligence analytics with any result from other products in order to get an evermore comprehensive view on your application portfolio.

How to integrate Highlight’s Command Line in a Jenkins Pipeline

As the Highlight command line is a real hit across users who want to automate the scan of their code bases, we thought it could be helpful to provide a series of templates and code samples for the different build tools where you would integrate our code scans. The script below illustrates how to integrate the command line within a Jenkins pipeline.

How to scan a Git repo with the Command Line (using Apache Ant)

Let’s see in this article how to clone a repository from GitHub, run Highlight’s analyzers from Apache Ant, upload scan results to the portal and quickly get unprecedented Software Analytics.

How to configure a Keyword Scan for GDPR (or anything else)

In this product tutorial, we’ll see how to configure and take advantage of the Keyword Scan feature to support a GDPR assessment of your application portfolio. The feature can be used to search for any kind of keywords (API secret token or passwords in clear text for instance) but really makes sense in a GDPR initiative. Does your codebase manipulate PII data? You’ll get some hints very soon with CAST Highlight.

How to detect apps using Oracle’s JDK 1.8 (and others) at the portfolio level

As you probably already know, Oracle announced a major change of their release and support rules for Java. This article is not meant to explain how that’s going to work now, but long story short you’ll have to either a) update your JDK very fast; b) be exposed to unpatched (and perhaps vulnerable) Java versions […]

Feature Focus: AI Advisor

The CAST Highlight product team is always striving to make the user experience seamless and productive. Today, we’re excited to announce the launch of a new capability that will deeply impact the way you interact with the product: the AI Advisor. See in this article how to set it up and use it.

Feature Focus: Personalized User Home Pages

CAST Highlight enables you to define the content of your home page by adding widgets that display the insights that matter the most to you. Learn how to use the feature in this article.

Feature Focus: Portfolio Advisor for Software Maintenance

Managing an application portfolio is like leading a 🏀 basketball team. Just like a coach needs to carefully balance their team’s offense and defense to win games (and hopefully the playoffs), a technology leader needs to manage their application portfolio to ensure applications are performing at their best. Our new capability, the Portfolio Advisor for Software Maintenance, acts like a coach’s playbook, helping you identify which areas of your team need attention and which applications are performing well. See how the feature works.

Feature Focus: Continuous Improvement Tracker

Are you tired of feeling lost in a maze when it comes to governing your application portfolio? Like a person wandering through a labyrinth, you navigate through complex systems without a clear sense of direction or progress. You have a general idea of where you want to go, but you lack a tangible roadmap and a way to measure your progress. CAST Highlight’s new capability, the Continuous Improvement Tracker, creates a clear path through your portfolio governance journey. Learn how the capability works in this article.

Feature Focus: Analysis Snapshot Comparison

Understand the present of your applications by looking through the lens of the past. CAST Highlight now allows users to compare key metrics and KPIs between different analysis snapshots of a scanned application. See how to use the feature in this article.

Feature Focus: Portfolio Management Optimization

CAST Highlight’s product team has entirely revisited the Portfolio Management screen to increase performance and allow portfolio managers to do more faster. This article explains how the new screen works.

Feature Focus: Delete Application Snapshots in Bulk

CAST Highlight enables you to easily search, filter and delete application snapshots across your application portfolio. See how the feature works in this article.

Feature Focus: Discussion Threads on Application Results

CAST Highlight now allows you to add comments about application results, organized by insight category (Cloud readiness, score and size trends, Open Source risks, etc.) with the application-level discussion thread feature. Learn in this article how to use this new product capability.

Feature Focus: Custom Portfolio Segmentation

Similar to the recent Portfolio Advisors for Cloud and Open Source, this capability allows portfolio managers to create their own custom portfolio segmentations based on a combination of Software Intelligence insights available in CAST Highlight. This article describes how it works and how to use this capability.

Feature Focus: How to use GitHub Actions to scan your applications with CAST Highlight

GitHub Actions are workflows that you can use on your repositories based on specific triggers. This is the perfect place to run CAST Highlight scans in an automated fashion. This article explains how to get a CAST Highlight action from GitHub Action marketplace and customize it to your needs.

Feature Focus: Data Retention Policy and Notifications

Some of our clients use CAST Highlight to analyze their applications and generate Software Intelligence insights on a weekly or daily basis. Over time, this generates a significant amount of data available in the CAST Highlight portal. In order to improve clarity in results and maintain an optimized user experience, CAST Highlight has implemented a scan retention policy. This article explains the retention policy and how to preview application snapshot changes in your portfolio, if the policy is applicable.

Feature Focus: Event logs

As a Portfolio Manager of CAST Highlight, you may need to know and understand the different actions which occurred in the portfolio. The Audit Logs feature allows you to list main user events such as application creation, change in the User Token configuration, etc. See in this article how this feature works.

Feature Focus: Enhanced Technical Debt Estimates

Technical Debt is a useful measure to analyze the health of an application portfolio and start prioritizing and quantifying remediation effort. We recently revisited and enhanced the Technical Debt calculation in CAST Highlight to increase estimate accuracy, to make it more flexible, and to deliver more actionable insights. Read this article to learn more about these enhancements, the impact on current results and the features it enables. This change will take effect on December 12, 2020.

Best practices on how to set up CAST Highlight campaigns for optimal results

CAST Highlight allows you to consolidate Software Intelligence analytics at the portfolio level, in a lightning-fast manner thanks to a simple workflow. However, onboarding hundreds of apps in a few days may require a bit of preparation to ensure your campaigns will be well-architected and optimized for future iterations. This article details the key criteria you should consider, the common pitfalls to avoid, and best practices to implement before starting.

Tutorial: How to run our Docker scan image from Azure DevOps pipelines

As you may know, we recently published on Docker Hub an image that you can run as a container which includes everything you need to scan your application with CAST Highlight’s analyzers without having to worry about the libraries you need to install, the compatibility of your OS, etc. One of the big advantages of Docker is that it’s now available from almost all popular CI/CD tools such as Jenkins, Bamboo, Azure DevOps, etc. In this tutorial, you’ll learn how to use our Docker image from Azure DevOps.

Feature Focus on Application Links

Unless you clearly understand the boundaries and technical interactions of each of your applications across your entire portfolio, it is a real challenge to consolidate the various software links, especially when you have hundreds or even thousands of apps. However, anticipating and estimating the impact of a change in the application landscape is key, whatever the use case you’re currently handling (Cloud migration / application modernization, portfolio rationalization, etc.).

The Power is Yours: Custom Indicators

In case you missed it, the last CAST Highlight release notes announced many great new capabilities. We’re proud and excited to include Software Composition Analysis (SCA) as a compelling new feature, which brings a new angle to our Application Portfolio Analysis foundation. In addition to SCA, this release includes another game-changing capability: custom indicators. This blog will cover how to implement and use this great new feature.

Feature Focus: Extending Software Intelligence insights by leveraging the Custom Dashboards feature

CAST Highlight comes with a series of dashboards that combine Software Intelligence analytics to help you better manage your application portfolio and make informed decisions. While application portfolio rationalization, software health monitoring, Cloud readiness assessment, and Open Source risk management are typical use cases that are supported through our set of out-of-the-box data visualizations, some advanced users may want to extend the product boundaries and analyze their application portfolio using unique dimensions. This article describes the Custom Dashboards feature.

Tutorial: How to build custom indicators using JIRA metrics and Highlight’s API

In this tutorial post, we’ll see how to use CAST Highlight’s API to import external metrics and automatically consolidate a custom indicator. With a few steps and basic scripting skills, you’ll be able to create a custom indicator based on the ratio between the number of open bugs in JIRA vs. the number of total issues. This is just an example to illustrate how you could combine Highlight’s Software Intelligence analytics with any result from other products in order to get an ever more comprehensive view of your application portfolio.

Language localization in CAST Highlight dashboards

CAST Highlight dashboards are available in different languages. This article shows how localization is managed and how to switch from one language to another.

Feature Focus: How to use Application Tags?

Tags are a very powerful complement to domains and other filters (technologies, survey questions, etc.) as they provide an extra layer of flexibility to organize and visualize your portfolio. This article explains how to create and manage them to filter, segment and organize your application portfolio in CAST Highlight.

Technology Coverage

Detection & Sizing Metrics

Ada
ASP.Net NEW
Assembler
C#
C/C++
CICS
Clojure
COBOL
Coffeescript
Coldfusion
DB2
Dart NEW
Delphi
Erlang
F#
Fortran
Go
Groovy
IMS
Java
JavaScript
JCL
JSP
Kotlin
Lisp
Lua
MariaDB
Matlab
Microsoft Transact-SQL
MySQL
Natural Adabas
Objective-C
Oracle PL/SQL
PHP
PL1
PostgreSQL
Python
R
REXX
Ruby
Rust
Salesforce ApEx
SAP (Abap)
Scala
Shell/Korn SHELL/BASH scripts
SmallTalk
Swift
TypeScript
VB.Net
VB6
VBScript
Visual Basic

Software Composition

Ada
ASP.Net NEW
Assembler
C#
C/C++
Clojure
COBOL
Coffeescript
Coldfusion
Dart NEW
DB2
Delphi
Erlang
F#
Fortran
Go
Groovy
Java
JavaScript
JSP
Kotlin
Lisp
Lua
MariaDB
Matlab
Microsoft Transact-SQL
MySQL
Natural Adabas
Objective-C
Oracle PL/SQL
PHP
PL1
PostgreSQL
Python
R
REXX
Ruby
Rust
Salesforce ApEx
SAP (Abap)
Scala
Shell/Korn SHELL/BASH scripts
SmallTalk
Swift
TypeScript
VB.Net
VB6
VBScript
Visual Basic

Software Health

ASP.Net
C#
C/C++
Clojure
COBOL
Go
Groovy
Java
JavaScript
JSP
Kotlin
Microsoft Transact-SQL
Objective-C
Oracle PL/SQL
PHP
PL1
Python
Ruby
SAP (Abap)
Scala
Shell/Korn SHELL/BASH scripts
Swift
TypeScript
VB.Net
VB6
VBScript
Visual Basic

Cloud Maturity

C#
C++
Clojure
COBOL
Go
Java
JavaScript
Kotlin
Microsoft Transact-SQL
Oracle PL/SQL
PHP
Python
Ruby
Scala
Swift
TypeScript
VB.Net

Green Software Insights

C#
C/C++
Clojure
Java
JavaScript
Kotlin NEW
Microsoft Transact-SQL
PHP
PL/SQL
Python
Scala
TypeScript
VB/VB.Net

Video Tutorials

Introduction (part 1)

Get a quick overview about CAST Highlight. Understand its missions, how it works as well as the use cases it supports.

Analytics Consumption (part 2)

This tutorial walks you through the Analytics Consumption and describes several portfolio insights.

Portfolio Configuration (part 3)

This tutorial demonstrates the main portfolio management capabilities to administrate the platform and the assessment campaigns.

Application Analysis (part 4)

This tutorial assists your first steps as a Contributor and walks you through the application onboarding process.

Highlight tools for DevOps and CI/CD integration

Rest API

Highlight key metrics (e.g. health factor scores, lines of code, total cloud roadblocks, etc.) can be extracted from the platform to be integrated wherever it will make sense for your organization, using our public REST API.

Command Line for Automated Scan

Highlight analyzers can now be run through a configurable command line, in order to automate source code scans and uploads (optionally). Want to get fresh analytics after each sprint or release, or even nightly build? It only takes minutes!

CLI Docker Image for Code Scans

Use our official Docker image that includes everything you need to scan your source code with CAST Highlight and makes integration within your CI/CD environments easier and smoother.

Extensions for Azure DevOps

Do you want to continuously scan source code and track Highlight analytics from your favorite CI/CD tool? Highlight comes with extensions for Azure DevOps. More plugins to be added soon…

Extensions for Atlassian

Do you want to scan source code from Atlassian Bitbucket and create tickets on Software Intelligence findings from Atlassian Jira? Highlight comes with out-of-the-box extensions available from their marketplace.

Cloud Maturity Extension for Visual Studio Code

Modernize software faster by shifting left application Cloud Maturity analysis. This Cloud Maturity extension for Visual Studio Code identifies Cloud Blockers and line numbers directly within the developer’s environment.

SCA Extension for Visual Studio Code

Shift left open source risks to address them earlier in the development cycle with the new CAST Highlight VS Code extension for SCA. Developers can now view Open Source risks such as security vulnerabilities or license issues directly in their IDE.

Green Impact Extension for Visual Studio Code

Make software greener by identifying Green Deficiency code patterns with corresponding line numbers directly within the VS Code developer environment. Use of this extension requires an active CAST Highlight subscription and it can only be used on source code of applications already being analyzed within CAST Highlight.

SCA Browser Extension

Get Open Source component information (vulnerabilities, license risk, allow/deny status, available versions, etc.) directly in Chrome when visiting repository pages on npmjs, nuget, github, packagist websites.

Product Posts & Tutorials

Feature Focus: AI Advisor
Feature Focus: Cloud Migration Wave Advisor
Feature Focus: CISA’s Known Exploited Vulnerability Insights
Feature Focus: Personalized User Home Pages
Feature Focus: OSS Component Lifespan Insights
Feature Focus: Custom Cloud Service Recommendations
Feature Focus: SBOM Import
Feature Focus: Scanning Docker Images
Feature Focus: Portfolio Advisor for Software Maintenance
Feature Focus: Continuous Improvement Tracker
Feature Focus: Proprietary Component Governance
Feature Focus: Green Effort Estimate
CAST Highlight is a leader in Application Portfolio Management on G2