Product Tutorials & Third-Party Tools

CURRENT VERSION

For the best experience and the most accurate Software Intelligence insights, make sure you’re using the latest released version prior to scanning your application with the Local Agent or the Command Line.

This page lists content and tools that will help you run and leverage CAST Highlight in the best conditions possible. For uncovered topics, don’t hesitate to read our product FAQ or contact our support team.

Must-see resources to get you started

Getting Started Guide

In this documentation, you’ll find all the necessary information that will drive your first steps on the Highlight platform: how to create an application or invite users, how to scan source code, supported technologies, etc.

Highlight Indicators & Methodology

In this slide presentation, you’ll find all the necessary information to understand how Highlight analytics and code insights are built, what they mean and how to interpret them, with concrete examples by technology stack.

Keyword Scanner Guide

This document explains how to use the Keyword Scan feature, the different use cases such as GDPR, and how to leverage scan results at both application and portfolio levels.

Custom Indicator Guide

Everything you need to know to create, administer and consume custom indicators in CAST Highlight.

Resources by Feature

Good practices when defining the scope of a code scan

In this post, we have compiled a few good practices to keep in mind when scanning a code base with CAST Highlight in order to let you consume the most consistent software analytics possible, depending on your use case (software health, open source detection for license compliance or vulnerability checks, etc.).

Software Resiliency

Definition: Software Resiliency indicates programming best practices that make software bullet-proof, more robust and secure. This index is derived through technology-specific code analysis that searches for the presence of code patterns and bad programming practices that may compromise the reliability of the software in the short term. The higher the Software Resiliency, the lower the likelihood [...]

Software Agility

Definition: Software Agility indicates how easily a development team can understand and maintain an application. This index is derived through technology-specific code analysis that searches for the presence of embedded documentation and code readability good practices.

Thresholds: Thresholds used for Software Agility categories: High (green): value > 71.0; Medium (orange): value >= 56.0; Low [...]

Software Elegance

Definition: Software Elegance measures the ability to deliver software value with less code complexity. A low Software Elegance score indicates decreased code quality, resulting in more defects that become costly to fix in the mid-term.

Thresholds: Thresholds used for Software Elegance categories: High (green): value > 78.0; Medium (orange): value >= 55.0; Low (red): [...]

ROAR Index

The ROAR (Ranking of Application Risks) index is a composite metric that takes into account the three main Highlight software health factors (Software Resiliency, Software Agility and Software Elegance) with a weighted average formula, balanced with the Business Impact of the application. And that’s probably the most important part of the formula here, since it mixes both technical […]

Software Maintenance Estimates

Definition: Based on COCOMO II (Constructive Cost Model, Post-Architecture), the Software Maintenance Effort calculated by Highlight estimates the ideal level of effort required to maintain an application in good operational condition, expressed in FTE (Full-Time Equivalent). This indicator is derived both from the Software Maintenance survey and from the software quality analysis, which are [...]

Backfired Function Points

Definition: Back-Fired Function Points (BFP) estimate the number of function points of an application. This code-derived metric is based on the lines of code, weighted by an abacus for a given technology. The abacus is taken from QSM (Quantitative Software Management).

Example: An application is composed of 3 different technologies: Java (100K lines of code), PL/SQL […]

Technical Debt estimates and stats by technology

As detailed in the Indicator & Methodology deck, CAST Highlight leverages software quality measures and statistics provided by the application benchmarking solution CAST Appmarq to estimate the amount and density of technical debt that your application code base may have accumulated across iterations. The table below lists the technical debt statistics per line of code […]

How to estimate size and health of high frequency code iterations using the delta analysis feature

The "Application Trends" feature (also known as delta analysis) dramatically increases the value of using Highlight in an Agile context. In a nutshell, Highlight now computes software health scores and metrics of scanned source files based on their status, whether they have been added or modified during the last iteration. This post will explain how [...]

What is a line of code and how Highlight counts them

New users sometimes raise this question: how does CAST Highlight count lines of code compared to classic static code analysis tools, and how can possible differences be explained? While no methodology for counting lines of code is truer or better than another, the most important thing in order to get consistent results is to use […]

Software Composition in Highlight: How Open Source component detection works

CAST consolidates a unique database made of 44M+ Open Source components and 5B+ file fingerprints. This article details the concept and steps in Highlight to automatically retrieve the true origin of your source code, whether it is for license compliance, vulnerability or obsolescence verification.

How OSS licenses are mined and detected in Highlight’s Software Composition Analysis feature

CAST has developed unique algorithms to mine and detect licenses from Open Source components to let you get a (more accurate) sense of IP and legal impacts your software is exposed to. Here is how it works.

Explore your OSS dependencies. Visually!

Software Composition Analysis is often perceived as a complex discipline, especially when you consider all its aspects such as license compliance, security vulnerability and technology obsolescence. This is particularly true when your application has about 100 or 200 Open Source components and you start digging into their own dependencies to try spotting hidden risks. The mission of the new OSS Dependency Explorer in Highlight is to make this exercise as easy and interactive as possible by consolidating Software Intelligence in a very visual way. See how in this post.

Transitive Dependencies: How much can you trust friends of your friends?

Friends of your friends are not necessarily your friends. In this post, we’ll see why it is important to get visibility on dependencies of the Open Source components your apps are using and how to manage security and license information of these transitive dependencies in CAST Highlight’s Software Composition Analysis dashboards.

CAST Highlight’s Docker Image for Code Scans

This page details how to use our official Docker image, which includes everything you need to scan your source code with CAST Highlight and makes integration within your CI/CD environments easier and smoother.

Run Highlight code scans into your CI/CD environments

The concept of a scriptable command line is one of the pillars of DevOps, and the benefit of automation has made tasks like Cloud deployment, environment provisioning, database backup and software build more reliable and a huge time saver for developers. As many DevOps heads say, “throw away any piece of software you couldn’t run automatically”. Needless to say, a command line has now become a must-have in Highlight to continuously scan code and build software analytics.

Highlight integrates into your ecosystem using our public API

The recent product release of CAST Highlight introduces our public API to let you share unprecedented Software Analytics and code-level health metrics with the rest of your technology ecosystem as well as automate actions on our platform. In this article we’ll review the API and what kind of new consumption usages it enables for Highlight [...]

Tutorial: How to build custom indicators using JIRA metrics and Highlight’s API

In this tutorial post, we’ll see how to use CAST Highlight’s API to import external metrics and automatically consolidate a custom indicator. With a few steps and basic scripting skills, you’ll be able to create a custom indicator based on the ratio between the number of open bugs in JIRA and the total number of issues. This is just an example to illustrate how you could combine Highlight’s Software Intelligence analytics with results from other products in order to get an ever more comprehensive view of your application portfolio.

How to integrate Highlight’s Command Line in a Jenkins Pipeline

As the Highlight command line is a real hit across users who want to automate the scan of their code bases, we thought it could be helpful to provide a series of templates and code samples for the different build tools where you would integrate our code scans. The script below illustrates how to integrate the command line within a Jenkins pipeline.

How to run the Highlight Command Line from Apache Ant

In this article, let’s see how to clone a repository from GitHub, run Highlight’s analyzers from Apache Ant, upload the scan results to the portal and quickly get unprecedented software analytics.

Most Inhibitors to App Cloud Migration are Pure Software Engineering Issues

Most of the technical roadblocks you could encounter during a Cloud migration of an on-premise, monolithic application are purely platform-agnostic and stem from a poor level of software abstraction.

The Cloud Virtuous Circle: When Infra Savings Finance the App Value

The cost reduction enabled by IaaS and the containerization of 80% of the application portfolio will finance the PaaS migration effort of the other 20%: the core apps that will dramatically increase the business value of your systems.

CloudReady Pattern Definitions

Cloud Requirements: User Authentication, Persistent Files, Application Settings Configuration, Registry Settings, Access Control List, Code Execution, Data Encryption Keys, Execution Environment, Sensitive Data Storage Protection, Services & Scheduled Tasks, Shared Caching, Third-Party External Dependencies.

Digital Transformation or IT Rationalization: Why Application Cloud Migration Should Have a Balanced Strategy

The intrinsic benefits of cloud have been touted on countless occasions. The question is no longer [...]

Place the Application Landscape at the Core of your Cloud Adoption Strategy

Like for any strategy building process, you’ll need to constitute a comprehensive, fact-based and systematic evaluation of your application landscape in order to know whether each application is a better candidate for IaaS, PaaS, SaaS or to eventually decide which application won’t be part of your future application landscape.

How to establish a Business-Centric PaaS migration roadmap

Once you have identified the set of applications you’ll modernize to make them use Cloud-native services, it is important to plan and coordinate this transformation over time. Depending on their business, economic and technical KPIs, and since moving your applications to PaaS means significant effort and organizational changes, four Cloud migration categories can be established.

Please… launch new projects as PaaS / Cloud-native

Starting any new project on PaaS by nature is an absolute no-brainer and should be the rule, in order to build Cloud-native services and progressively transform the application landscape by decreasing the proportion of on-premises systems. That said, there are some key items to consider in order to maximize the modernization acceleration effect on legacy applications.

Take the Full Advantage of Cloud Cost Reduction with Containerization as a Service

Today, many IT departments think they’re done with the Cloud journey since they achieved the “lift & shift” of their applications to IaaS. Of course, they succeeded in virtualizing their infrastructure by making applications run on VMs, which significantly reduces on-premises infrastructure cost and effort. However, stopping the Cloud journey here could be very limiting.

How to configure a Keyword Scan for GDPR (or anything else)

In this product tutorial, we'll see how to configure and take advantage of the Keyword Scan feature to support a GDPR assessment of your application portfolio. The feature can be used to search for any kind of keywords (API secret tokens or passwords in clear text, for instance) but really makes sense in a GDPR [...]

How to detect apps using Oracle’s JDK 1.8 (and others) at the portfolio level

As you probably already know, Oracle announced a major change of their release and support rules for Java. This article is not meant to explain how that’s going to work now, but long story short you’ll have to either a) update your JDK very fast; b) be exposed to unpatched (and perhaps vulnerable) Java versions […]

Feature Focus on Application Links

Unless you clearly understand the boundaries and technical interactions of each of your applications across your entire portfolio, it is a real challenge to consolidate the various software links, especially when you have hundreds or even thousands of apps. However, anticipating and estimating the impact of a change in the application landscape is key, whatever the use case you’re currently handling (Cloud migration / application modernization, portfolio rationalization, etc.).

The Power is Yours: Custom Indicators

In case you missed it, the latest CAST Highlight release notes announced many great new capabilities. We’re proud and excited to include Software Composition Analysis (SCA) as a compelling new feature, which brings a new angle to our Application Portfolio Analysis foundation. In addition to SCA, this release includes another game-changing capability – custom indicators. This blog will cover how to implement and use this great new feature.

Technology Coverage

Detection & Sizing Metrics: Java, COBOL, SAP (ABAP), C/C++, C#, Objective-C, PHP, JavaScript, TypeScript, Python, JSP, Oracle PL/SQL, Microsoft Transact-SQL, Visual Basic, VB.Net, VBScript, VB6, PL1, Shell/Korn shell/Bash scripts, Ruby, Scala, Ada, Go, Groovy, Fortran, CoffeeScript, Assembler, Delphi, Lua, Rust, ColdFusion, Erlang, REXX, F#, Lisp, Smalltalk, MATLAB, R, Kotlin, Swift

Software Composition: Java, COBOL, SAP (ABAP), C/C++, C#, Objective-C, PHP, JavaScript, TypeScript, Python, JSP, Oracle PL/SQL, Microsoft Transact-SQL, Visual Basic, VB.Net, VBScript, VB6, PL1, Shell/Korn shell/Bash scripts, Ruby, Scala, Ada, Go, Groovy, Fortran, CoffeeScript, Assembler, Delphi, Lua, Rust, ColdFusion, Erlang, REXX, F#, Lisp, Smalltalk, MATLAB, R, Kotlin, Swift

Code Insights & Software Health: Java, COBOL, SAP (ABAP), C/C++, C#, Objective-C, PHP, JavaScript, TypeScript, Python, JSP, Oracle PL/SQL, Microsoft Transact-SQL, Visual Basic, VB.Net, VBScript, VB6, PL1, Shell/Korn shell/Bash scripts

Cloud Readiness Assessment: Java, C#, PHP, JavaScript, TypeScript, Python, Microsoft Transact-SQL, VB.Net

Video Tutorials

Introduction (part 1)

Get a quick overview about CAST Highlight. Understand its missions, how it works as well as the use cases it supports.

Analytics Consumption (part 2)

This tutorial walks you through the Analytics Consumption and describes several portfolio insights.

Portfolio Configuration (part 3)

This tutorial demonstrates the main portfolio management capabilities to administrate the platform and the assessment campaigns.

Application Assessment (part 4)

This tutorial assists your first steps as a Contributor and walks you through the application onboarding process.

Other “How To” videos

Highlight tools for DevOps and CI/CD integration

REST API

Highlight key metrics (e.g. health factor scores, lines of code, total cloud roadblocks, etc.) can be extracted from the platform to be integrated wherever it will make sense for your organization, using our public REST API.

Command Line for Automated Scan

Highlight analyzers can now be run through a configurable command line, in order to automate source code scans and, optionally, uploads. Want to get fresh analytics after each sprint or release, or even after each nightly build? It only takes minutes!

Highlight’s Docker Image for Code Scans

Use our official Docker image, which includes everything you need to scan your source code with CAST Highlight and makes integration within your CI/CD environments easier and smoother.

Highlight Extensions & Integrations

Do you want to continuously scan source code and track Highlight analytics from your favorite CI/CD tool? Highlight comes with extensions for Azure DevOps. More plugins will be added soon…

Product Posts & Tutorials

Highlight Tutorial: Code Scan with the Local Agent

This tutorial demonstrates your first steps with CAST Highlight as a Contributor: how to activate your account; how to download and install the Local Agent; how to configure and scan your applications; how to upload results to the platform; and how to access and answer the survey as an Application Owner.

Highlight Tutorial: First steps to manage your application portfolio

This tutorial demonstrates your first steps in the Highlight platform as a Portfolio Manager: how to activate your account; how to create and manage domains to structure your portfolio; how to invite and enroll users to the platform; how to create an application; how to attach applications and users to domains; how to launch your first scan campaign […]