Highlight Automated Code Scan (Command Line)
This page details how to automate source code scans by leveraging the Highlight command line and integrating it within your build or CI/CD environments. This will allow you to continuously track and monitor software health and cloud readiness of your projects and applications. For any questions not addressed in this documentation, don’t hesitate to contact our support team.
Before getting started…
What is a Command Line?
For those who are not familiar with this concept, the Highlight command line is a Java binary which can be programmatically run using scripts and/or automated tasks. It replaces the Local Agent user interface using options you can configure in order to automate the code scan and results upload. In other words, you can configure the command line once to automatically scan the source code of a folder multiple times. You can also exclude (for instance) some technologies/folders you don’t want to scan, and upload the results automatically to the SaaS platform on a regular timeline (e.g., every sprint/release).
Please read and accept the license agreement prior to downloading the command line.
How to use the command line
Examples
Find below some examples of options you can reuse for your own code scan configuration.
java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --skipUpload
java -jar HighlightAutomation.jar --workingDir "/home/user/highlight-myproject/" --sourceDir "/home/user/svn/myproject/src/" --skipUpload
java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --technologies "Java,Python" --skipUpload
java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignoreDirectories "test,jquery" --skipUpload
java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignorePaths ".*\/vendor\/js" --skipUpload
java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --login "john.doe@acme.com" --password "*******" --applicationId 1234 --companyId 5678 --serverUrl "https://rpa.casthighlight.com"
java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignoreFiles ".*foo.*" --skipUpload
java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignoreFiles ".*foo.*\.js" --skipUpload
java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignoreFiles ".*\.vue" --skipUpload
Command Line Options
--help Displays the different options
--printTechnos Print the supported technologies (e.g. Java, Python, COBOL, etc.)
Scan Options
--sourceDir (mandatory) The absolute path to the directory that contains the source code to be scanned by Highlight.
--workingDir (mandatory)
This is the absolute path to the Highlight working directory. Within this directory, a Highlight temporary folder ("HLTemporary") will be created and will contain scan result files (CSVs). To make it short, this is the directory where you want to store scan results.
--technologies (optional) Technologies you want to explicitly scan in your sources. Separated by "," and sorted by preferences (See --printTechnos option above).
--ignoreDirectories (optional) Directory name patterns to ignore during the scan (e.g. test folders, .git, etc.). Separated by ",". Source code within directories matching with these patterns will be automatically excluded from the scan.
--ignorePaths (optional) List of regular expressions to ignore paths. Source code within directories matching with this regexp will be automatically excluded from the scan. --ignoreFiles (optional) List of regular expression to ignore file names. Separated by ",". Files matching with these patterns will be automatically excluded from the scan. Example to exclude all files containing "foo" with a .js extension: --ignoreFiles ".*foo.*\.js"
--analyzerDir (optional) Alternate directory for Highlight's analyzer scripts.
--perlInstallDir (optional) Directory of perl installation (default: C:\Program Files\CAST\HighlightAgent\COTS\strawberry-perl-5.12.3.0).
--keywordScan (optional) Path and filename of your KeywordScan XML configuration file (e.g. C:\temp\KeywordScanner_GDPR.xml). Read this post for more information on the feature.
--skipUpload (optional) Will generate CSV results only, no result upload will be performed.
--analyzeBigFiles (optional) Will bypass the file size limitation of the analyzers (will eventually take longer to scan).
--allowGeneratedCode(optional) Will bypass the default exclusion of generated code files.
Upload Options
Below are the required options to use when you want to automatically upload scan results to the Highlight platform. Then, the option “–skipUpload” should be removed.
--login (mandatory) Login of an active Highlight user.
--password (mandatory) Password for the login indicated above.
--basicAuth Alternatively to login/password, you can use this option to pass your credentials encoded in base64
--tokenAuth Alternatively to Basic authentication, you can use this option to pass your OAuth token --companyId (mandatory) Identifyer for the company (can be retrieved from the Highlight portal, it is the ID displayed in the url when clicking on the top-level domain in "MANAGE PORTFOLIO > MANAGE APPLICATIONS" from the menu).
--applicationId (mandatory) Identifyer for the application (can be retried from the Highlight portal, it is the ID displayed in the url when editing an application in "MANAGE PORTFOLIO > MANAGE APPLICATIONS").
--serverUrl (mandatory) The Highlight server instance where the results has to be uploaded (user credentials have to work on this server). E.g. 'https://rpa.casthighlight.com'
--snapshotDatetime (optional) Time (epoch) to use for uploaded application snapshot.
--snapshotLabel (optional) The application snapshot label you want to display on the application result page on the portal (e.g. release version, build number, etc.).
Log files
The log file (HLAutomation.log) is produced after the command line is run and is stored in the working directory (–workingDir) that has been set in the options.
Requirements
Prior using the command line, it is preferable to install the Highlight Local Agent on your machine, in order to embed the required Perl binaries. Alternatively, you can install the required Perl distribution (Strawberry) if you don’t want to install the Local Agent. The Local Agent can be downloaded from your Highlight user account, in the APPLICATION SCANS page.
For Linux Debian/Ubuntu
The following components must be installed on your machine: Perl 5 (tested on Strawberry 5.12.3.0), libjson-perl, libxml-libxml-perl
$>perl -v
on debian/ubuntu systems
$>dpkg –get-selections libxml-libxml-perl libjson-perl
Java 8
$>java -version
For Linux – RHEL/CENTOS based systems
Install the libraries: perl-XML-LibXML, perl-JSON and perl-Digest-SHA
$>yum -y install perl-Digest-SHA
$>yum -y install perl-JSON
$>yum -y install perl-XML-LibXML
$>yum -u install perl-Time-HiRes
$>yum -u install perl-Math-BigInt
For MacOS
For MacOS users, using our Docker image is recommended to run the command line as a container.
$>perl -v
$>cpan install XML::LibXML
$>cpan install JSON
0 – Ok
1 – Command Line general failure
2 – Command Line options parse error
3 – Command Line techno discovery error
4 – Command Line analysis error
5 – Command Line result upload error
6 – Command Line source dir or output dir validation error
7 – Command Line result saving to zip file error
8 – Command Line upload from zip file error
CLI logs
Running the command line will create an HLAutomation.log that contains traces of a scan. This file is located in the specificed working directory (–workingDir).
Generated Code exclusion
By default, the command line excludes files that are known as generated code. These files are following the patterns below. In case you would want to scan these files, use the –allowGeneratedCode option.
*.designer.vb, *.designer.cs, *.reference.cs, *.reference.vb
Integration Templates & Tutorials
API change notice on getting application snapshot results
In order to improve performance of the API, we’re slightly changing the default returned result of the following endpoint: GET WS2/domains/{domainId}/applications/{applicationId} Instead of returning the last 10 snapshot results of an application by default, the API will now return the last snapshot only. This change will be effective as of November 6th 2021. To fetch […]
Feature Focus: Portfolio Advisor for Open Source, an automated and smart way to segment an application portfolio better prioritizing third-party component risks
We are very proud to present the Portfolio Advisor for Open Source which joins the growing family of Portfolio Advisors that have already been released for Cloud and Technical Debt. This capability automatically segments a portfolio of applications and identifies Open Source risk priorities for each application by combining unique Software Intelligence insights. Learn more about how the capability works in this article.
Feature Focus: Custom Portfolio Segmentation
Similar to the recent Portfolio Advisors for Cloud and Open Source, this capability allows portfolio managers to create their own custom portfolio segmentations based on a combination of Software Intelligence insights available in CAST Highlight. This article describes how it works and how to use this capability.
Feature Focus: How to use Github Actions to scan your repositories with CAST Highlight
Github Actions are workflows that you can use on your repositories based on specific triggers. This is the perfect place to run CAST Highlight scans in an automated fashion. This article explains how to get a CAST Highlight action from Github Action marketplace and customize it to your needs.
Feature Focus: Multi-Cloud Readiness Insights
CAST Highlight detects the use of vendor-specific PaaS services that could prevent or hinder an application from being deployed across multiple cloud platforms. This article describes the Multi-Cloud Readiness Insights feature we recently implemented.
Feature Focus: Portfolio Advisor for Technical Debt
We recently enhanced the Technical Debt calculation in CAST Highlight which has enabled new possibilities to visualize and analyze the Technical Debt of an application portfolio. One such scenario is automated prioritization of recommended remediation efforts using the new Portfolio Advisor for Technical Debt. This article explains how the Portfolio Advisor for Technical Debt works and how to use it to build informed action plans for tackling Technical Debt across an application portfolio.
Feature Focus: Re-calculate Software Health scores in real-time based on folder exclusions
This article explains how to use the CAST Highlight feature that allows users to re-calculate the Software Health scores and sizing metrics of an application in real-time based on specific folder exclusions directly in the user interface.
Feature Focus: How to use Application Tags?
Tags are a very powerful complement to domains and other filters (technologies, survey questions, etc.) as they provide an extra layer of flexibility to organize and visualize your portfolio. This article explains how to create and manage them to filter, segment and organize your application portfolio in CAST Highlight