Highlight Automated Code Scan (Command Line)

This page details how to automate source code scans by leveraging the Highlight command line and integrating it within your build or CI/CD environments. This will allow you to continuously track and monitor software health and cloud readiness of your projects and applications. For any questions not addressed in this documentation, don’t hesitate to contact our support team.

Before getting started…

What is a Command Line?

For those who are not familiar with this concept, the Highlight command line is a Java binary which can be programmatically run using scripts and/or automated tasks. It replaces the Local Agent user interface using options you can configure in order to automate the code scan and results upload. In other words, you can configure the command line once to automatically scan the source code of a folder multiple times. You can also exclude (for instance) some technologies/folders you don’t want to scan, and upload the results automatically to the SaaS platform on a regular timeline (e.g., every sprint/release).

Also, note that you can also run the command line as a Docker container.

More information on this Docker image

Download the Command Line 5.1.34

Please read and accept the license agreement prior to downloading the command line.

I have read and agree with the end-user license agreement

Download

How to use the command line

Examples

Find below some examples of options you can reuse for your own code scan configuration.

A simple code scan of a Windows folder

java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src"  --skipUpload

A simple code scan of a Linux folder

java -jar HighlightAutomation.jar --workingDir "/home/user/highlight-myproject/" --sourceDir "/home/user/svn/myproject/src/"  --skipUpload

Scan only specific technologies (e.g. Java and Python)

java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --technologies "Java,Python" --skipUpload

Exclude folders with a specific pattern (e.g. test, jquery)

java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignoreDirectories "test,jquery" --skipUpload

Scan and automatically upload results to the platform

java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --login "john.doe@acme.com" --password "*******" --applicationId 1234 --companyId 5678 --serverUrl "https://rpa.casthighlight.com"

Command Line Options

--help
 Displays the different options

--printTechnos
 Print the supported technologies (e.g. Java, Python, COBOL, etc.)

Scan Options

--sourceDir (mandatory)
 The absolute path to the directory that contains the source code to be scanned by Highlight.

--workingDir (mandatory)
 This is the absolute path to the Highlight working directory. Within this directory, a Highlight temporary folder ("HLTemporary") will be created and will contain scan result files (CSVs). To make it short, this is the directory where you want to store scan results.

--technologies (optional)
 Technologies you want to explicitly scan in your sources. Separated by "," and sorted by preferences (See --printTechnos option above).

--ignoreDirectories (optional)
 Directory name patterns to ignore during the scan (e.g. test folders, .git, etc.). Separated by ",". Source code within directories matching with these patterns will be automatically excluded from the scan.

--ignoreFiles (optional)
List of regular expression to ignore file names. Separated by ",". Files matching with these patterns will be automatically excluded from the scan.

--analyzerDir (optional) Alternate directory for Highlight's analyzer scripts.

--perlInstallDir (optional)
 Directory of perl installation (default: C:\Program Files\CAST\HighlightAgent\COTS\strawberry-perl-5.12.3.0).

--keywordScan (optional)
 Path and filename of your KeywordScan XML configuration file (e.g. C:\temp\KeywordScanner_GDPR.xml). Read this post for more information on the feature.

--skipUpload (optional)
 Will generate CSV results only, no result upload will be performed.

Upload Options

Below are the required options to use when you want to automatically upload scan results to the Highlight platform. Then, the option “–skipUpload” should be removed.

--login (mandatory)
 Login of an active Highlight user.

--password (mandatory)
 Password for the login indicated above.

--basicAuth
Alternatively to login/password, you can use this option to pass your credentials encoded in base64

--companyId (mandatory)
 Identifyer for the company (can be retrieved from the Highlight portal, it is the ID displayed in the url when clicking on the top-level domain in "MANAGE PORTFOLIO > MANAGE APPLICATIONS" from the menu).

--applicationId (mandatory)
 Identifyer for the application (can be retried from the Highlight portal, it is the ID displayed in the url when editing an application in "MANAGE PORTFOLIO > MANAGE APPLICATIONS").

--serverUrl (mandatory)
 The Highlight server instance where the results has to be uploaded (user credentials have to work on this server). E.g. 'https://rpa.casthighlight.com'

--snapshotDatetime (optional)
 Time (epoch) to use for uploaded application snapshot.

--snapshotLabel (optional) The application snapshot label you want to display on the application result page on the portal (e.g. release version, build number, etc.).

Log files

The log file (HLAutomation.log) is produced after the command line is run and is stored in the working directory (–workingDir) that has been set in the options.

Requirements

For Windows
Prior using the command line, it is preferable to install the Highlight Local Agent on your machine, in order to embed the required Perl binaries. Alternatively, you can install the required Perl distribution (Strawberry) if you don’t want to install the Local Agent. The Local Agent can be downloaded from your Highlight user account, in the APPLICATION SCANS page.

For Linux

The following components must be installed on your machine: Perl 5 (tested on Strawberry 5.12.3.0), libjson-perl, libxml-libxml-perl

$>perl -v
on debian/ubuntu systems
$>dpkg –get-selections libxml-libxml-perl libjson-perl
Java 8
$>java -version

For MacOS (tested on Sierra)

The following components must be installed on your machine: Perl 5 (5.2.18), libjson-perl, libxml-libxml-perl

$>perl -v

$>cpan install XML::LibXML
$>cpan install JSON

Integration Templates & Tutorials

Feature Focus: CloudReady Effort Estimate

This is probably the most anticipated metric since we launched the CloudReady feature three years ago: getting an estimate of the effort required to remove Cloud blockers CAST Highlight detects across hundreds of patterns. This article describes how to use this new metric and how to build your own Cloud effort profile.

Feature Focus: Preventing the Use of Risky OSS Components Across the Enterprise

CAST Highlight scans your applications and automatically detects the third-party components in use along with consolidated metadata such as vulnerabilities (CVEs), licenses, version release date, etc. that may put your organization at risk. However, spotting a weak Open Source component while the application is already in production may be too late as the component is already integrated in your app, possibly for years. The challenge is to prevent the selection of a dangerous library at the earliest stage possible, well before it is referenced or implemented in your applications. This product post describes the new Component Catalog feature that allows users to search components and manage approved and unauthorized components across your portfolio.

Best practices on how to setup CAST Highlight campaigns for optimal results

CAST Highlight allows you to consolidate Software Intelligence analytics at the portfolio level, in a lightning-fast manner thanks to a simple workflow. However, onboarding hundreds of apps in a few days may require a bit of preparation to ensure your campaigns will be well-architected and optimized for future iterations. This article details the key criteria you should consider, the common pitfalls to avoid, and best practices to implement before starting.

How to build a Windows-based Docker image for CAST Highlight code scans

Our Docker image allows you to run the command line to scan your apps, as a Linux-based container. While it woks for most of organizations, some users may need to run it as a Windows-based container. This article details the few steps required to build your own Windows-based image, run the container and scan your first application with CAST Highlight.

Open Source Safety

Open Source Safety indicates the use of 3rd-party components that comply with security, license and age requirements.

Tutorial: How to run our Docker scan image from Azure DevOps pipelines

As you may know, we recently published on Docker Hub an image that you can run as a container which includes everything you need to scan your application with CAST Highlight’s analyzers without having to worry about the libraries you need to install, the compatibility of your OS, etc. One of the big advantages of Docker is that it’s now available from almost all popular CI/CD tools such as Jenkins, Bamboo, Azure DevOps, etc. In this tutorial, you’ll learn how to use our Docker image from Azure DevOps.

Software Health

Definition Software Health indicated how your application complies with programming best practices that increase resiliency, improve agility and reduce complexity. Software Health score is the straight average of Software Resiliency, Software Agility and Software Elegance scores. Thresholds Thresholds used for Software Health categories: High (green): value > 78.0 Medium (orange): value >= 58.0 Low (red): [...]

How to import / export apps, domains and users in bulk from Excel

This post explains how to easily import or export a list of users, domains and applications in bulk from an Excel file with CAST Highlight, without any API skills required.