Highlight Automated Code Scan (Command Line)

This page details how to automate source code scans by leveraging the Highlight command line and integrating it within your build or CI/CD environments.  This will allow you to continuously track and monitor software health and cloud readiness of your projects and applications. For any questions not addressed in this documentation, don’t hesitate to contact our support team.

Before getting started…

What is a Command Line?

For those who are not familiar with this concept, the Highlight command line is a Java binary which can be programmatically run using scripts and/or automated tasks. It replaces the Local Agent user interface using options you can configure in order to automate the code scan and results upload. In other words, you can configure the command line once to automatically scan the source code of a folder multiple times.  You can also exclude (for instance) some technologies/folders you don’t want to scan, and upload the results automatically to the SaaS platform on a regular timeline (e.g., every sprint/release).

Note that you can also run the command line as a Docker container. Our Docker image is especially recommended for MacOS users.

Download the Command Line 5.3.12

Please read and accept the license agreement prior to downloading the command line.


How to use the command line


Find below some examples of options you can reuse for your own code scan configuration.

A simple code scan of a Windows folder

java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src"  --skipUpload

A simple code scan of a Linux folder

java -jar HighlightAutomation.jar --workingDir "/home/user/highlight-myproject/" --sourceDir "/home/user/svn/myproject/src/"  --skipUpload

Scan only specific technologies (e.g. Java and Python)

java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --technologies "Java,Python" --skipUpload

Exclude folders with a specific pattern (e.g. test, jquery)

java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignoreDirectories "test,jquery" --skipUpload

Scan and automatically upload results to the platform

java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --login "john.doe@acme.com" --password "*******" --applicationId 1234 --companyId 5678 --serverUrl "https://rpa.casthighlight.com"

Exclude files from the scan if they contain “foo” in the file name independently of the extension

java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignoreFiles ".*foo.*" --skipUpload

Exclude files from the scan if they contain “foo” in the file name and have a .js extension

java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignoreFiles ".*foo.*\.js" --skipUpload

Exclude files from the scan based on a specific file extension (e.g. .vue)

java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignoreFiles ".*\.vue" --skipUpload

Command Line Options

 Displays the different options
--printTechnos
 Print the supported technologies (e.g. Java, Python, COBOL, etc.)

Scan Options

--sourceDir (mandatory)
 The absolute path to the directory that contains the source code to be scanned by Highlight.
--workingDir (mandatory)
 The absolute path to the Highlight working directory. Within this directory, a Highlight temporary folder ("HLTemporary") will be created and will contain scan result files (CSVs). In short, this is the directory where you want to store scan results.
--technologies (optional)
 Technologies you want to explicitly scan in your sources. Separated by "," and sorted by preferences (See --printTechnos option above).
--ignoreDirectories (optional)
 Directory name patterns to ignore during the scan (e.g. test folders, .git, etc.). Separated by ",". Source code within directories matching these patterns will be automatically excluded from the scan.
--ignoreFiles (optional)
 List of regular expressions used to ignore file names. Separated by ",". Files matching these patterns will be automatically excluded from the scan. Example to exclude all files containing "foo" with a .js extension: --ignoreFiles ".*foo.*\.js"
--analyzerDir (optional)
 Alternate directory for Highlight's analyzer scripts.
--perlInstallDir (optional)
 Directory of perl installation (default: C:\Program Files\CAST\HighlightAgent\COTS\strawberry-perl-
--keywordScan (optional)
 Path and filename of your KeywordScan XML configuration file (e.g. C:\temp\KeywordScanner_GDPR.xml). Read this post for more information on the feature.
--skipUpload (optional)
 Will generate CSV results only, no result upload will be performed.

Upload Options

Below are the required options to use when you want to automatically upload scan results to the Highlight platform. When you use them, remove the "--skipUpload" option.

--login (mandatory)
 Login of an active Highlight user.
--password (mandatory)
 Password for the login indicated above.
Alternatively to login/password, you can use this option to pass your credentials encoded in base64
--companyId (mandatory)
 Identifier for the company (can be retrieved from the Highlight portal; it is the ID displayed in the URL when clicking on the top-level domain in "MANAGE PORTFOLIO > MANAGE APPLICATIONS" from the menu).
--applicationId (mandatory)
 Identifier for the application (can be retrieved from the Highlight portal; it is the ID displayed in the URL when editing an application in "MANAGE PORTFOLIO > MANAGE APPLICATIONS").
--serverUrl (mandatory)
 The Highlight server instance where the results have to be uploaded (user credentials have to work on this server). E.g. 'https://rpa.casthighlight.com'
--snapshotDatetime (optional)
 Time (epoch) to use for uploaded application snapshot.
--snapshotLabel (optional)
 The application snapshot label you want to display on the application result page on the portal (e.g. release version, build number, etc.).

Log files

The log file (HLAutomation.log) is produced after the command line is run and is stored in the working directory (--workingDir) that has been set in the options.
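
An added example (not part of the Highlight documentation and not CAST's code): a POSIX shell wrapper for a Linux CI job that builds the options described above from environment variables, so the password is kept in the CI secret store rather than in the pipeline file, and that fails when the upload settings are incomplete. The HL_* variable names, the hl_* functions and the https-only check are assumptions of this example; --password is still handed to the JVM as an argument, so it stays visible in the runner's process list while the scan runs.

```sh
#!/bin/sh
# Added example. HL_* variables and hl_* functions are assumed names; only the
# --options themselves come from the documentation above.

# Print the option list, one item per line. Upload options are emitted only
# when all five HL_* values are set; a partial set is an error, never a silent
# fallback to --skipUpload.
hl_build_args() {
    for dir in "$1" "$2"; do
        case $dir in
            /*) ;;
            *) echo "absolute path required: $dir" >&2; return 2 ;;
        esac
    done
    set_count=0
    for v in "${HL_LOGIN:-}" "${HL_PASSWORD:-}" "${HL_COMPANY_ID:-}" \
             "${HL_APP_ID:-}" "${HL_SERVER_URL:-}"; do
        if [ -n "$v" ]; then set_count=$((set_count + 1)); fi
    done
    case $set_count in
        0) printf '%s\n' --workingDir "$2" --sourceDir "$1" --skipUpload ;;
        5) case $HL_SERVER_URL in
               https://*) ;;
               *) echo "serverUrl must use https" >&2; return 3 ;;
           esac
           printf '%s\n' --workingDir "$2" --sourceDir "$1" \
               --login "$HL_LOGIN" --password "$HL_PASSWORD" \
               --applicationId "$HL_APP_ID" --companyId "$HL_COMPANY_ID" \
               --serverUrl "$HL_SERVER_URL" ;;
        *) echo "incomplete upload settings ($set_count of 5)" >&2; return 3 ;;
    esac
}

# Run the scan; values may contain spaces but not newlines.
hl_run() {
    set +x                      # keep xtrace from echoing the password to the CI log
    hl_work=$2
    hl_args=$(hl_build_args "$1" "$2") || return
    old_ifs=$IFS
    IFS='
'
    set -f                      # split on newlines only, no glob expansion
    set -- $hl_args
    set +f
    IFS=$old_ifs
    java -jar "${HL_JAR:-HighlightAutomation.jar}" "$@" || return
    # HLAutomation.log is written to the working directory (see above).
    [ -s "$hl_work/HLAutomation.log" ] || { echo "no HLAutomation.log" >&2; return 4; }
}

if [ "$#" -eq 2 ]; then hl_run "$1" "$2"; fi
```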


For Windows
Prior to using the command line, it is preferable to install the Highlight Local Agent on your machine, in order to embed the required Perl binaries. Alternatively, you can install the required Perl distribution (Strawberry) if you don’t want to install the Local Agent. The Local Agent can be downloaded from your Highlight user account, in the APPLICATION SCANS page.


For Linux

The following components must be installed on your machine: Perl 5 (tested on Strawberry, libjson-perl, libxml-libxml-perl

$>perl -v
On Debian/Ubuntu systems:
$>dpkg --get-selections libxml-libxml-perl libjson-perl
Java 8
$>java -version


For MacOS

For MacOS users, using our Docker image is recommended to run the command line as a container.

$>perl -v

$>cpan install XML::LibXML
$>cpan install JSON

Integration Templates & Tutorials
