Highlight Automated Code Scan (Command Line)
This page details how to automate source code scans by leveraging the Highlight command line and integrating it within your build or CI/CD environments. This will allow you to continuously track and monitor software health and cloud readiness of your projects and applications. For any questions not addressed in this documentation, don’t hesitate to contact our support team.
Before getting started…
What is a Command Line?
Please read and accept the license agreement prior to downloading the command line.
How to use the command line
Examples
Find below some examples of options you can reuse for your own code scan configuration.
java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --skipUpload
java -jar HighlightAutomation.jar --workingDir "/home/user/highlight-myproject/" --sourceDir "/home/user/svn/myproject/src/" --skipUpload
java -jar HighlightAutomation.jar –propertiesPath “C:\tmp\highlight.properties”
java -jar HighlightAutomation.jar --gitUrl https://github.com/googleapis/gax-go.git --sourceDir "C:\myproject\src" --workingDir "C:\temp\hlresults" --skipUpload
java -jar HighlightAutomation.jar --gitUrl https://github.com/private/repo.git --gitToken YOUR_GITHUB_TOKEN --sourceDir "C:\myproject\src" --workingDir "C:\temp\hlresults" --skipUpload
java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --technologies "Java,Python" --skipUpload
java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignoreDirectories "test,jquery" --skipUpload
java -jar HighlightAutomation.jar --sourceDir "C:\folder1" --sourceDir "C:\folder2" --workingDir "C:\temp" --skipUpload
java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignorePaths ".*\/vendor\/js" --skipUpload
java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignorePaths ".*test.*" --skipUpload
java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignorePaths "./test.*" --skipUpload
java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --login "john.doe@acme.com" --password "*******" --applicationId 1234 --companyId 5678 --serverUrl "https://rpa.casthighlight.com"
java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignoreFiles ".*foo.*" --skipUpload
java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignoreFiles ".*foo.*\.js" --skipUpload
java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignoreFiles ".*\.vue" --skipUpload
java -jar HighlightAutomation.jar --uploadZipFile "C:\scans\HighlightResult.03_30_2022_14_40.zip" --serverUrl https://rpa.casthighlight.com --companyId 1234 --applicationId 5678 --tokenAuth *****-****-****-****-******* --workingDir "C:\temp"
java -jar HighlightAutomation.jar --dockerImageNameTag node#latest --includeArchiveContent=3 --workingDir "C:\temp" --skipUpload
Command Line Options
--help Displays the different options
--printTechnos Print the supported technologies (e.g. Java, Python, COBOL, etc.)
Scan Options
--propertiesPath (optional) The absolute path to the .properties file that will centralize and drive all other options of the command line.
--sourceDir (mandatory) The absolute path to the directory that contains the source code to be scanned by CAST Highlight.
--workingDir (mandatory) This is the absolute path to the Highlight working directory. Within this directory, a Highlight temporary folder ("HLTemporary") will be created and will contain scan result files (CSVs located in HLTemporary/analysis folder) and analysis log files (CSVs located in HLTemporary/discover folder). To make it short, this is the directory where you want to store scan results.
--technologies (optional) Technologies you want to explicitly scan in your sources. Separated by "," (See --printTechnos option above).
--ignoreDirectories (optional) Directory name patterns to ignore during the scan (e.g. test folders, .git, etc.). Separated by ",". Source code within directories matching with these patterns will be automatically excluded from the scan.
--ignorePaths (optional) List of regular expressions to ignore paths, separated by "|". Source code within directories matching with this regexp will be automatically excluded from the scan. Note that starting ^ and ending $ are implicit and don't need to be passed in this option. --ignoreFiles (optional) List of regular expression to ignore file names. Separated by ",". Files matching with these patterns will be automatically excluded from the scan. Example to exclude all files containing "foo" with a .js extension: --ignoreFiles ".*foo.*\.js"
--analyzerDir (optional) Alternate directory for Highlight's analyzer scripts.
--perlInstallDir (optional - applicable to Windows installations only) Directory of perl installation (default: C:\Users\{user}\AppData\Local\CAST Highlight Code Reader\strawberry\perl). Linux users can modify their PATH environment variable to control the location of the perl executable being used.
--keywordScan (optional) Path and filename of your KeywordScan XML configuration file (e.g. C:\temp\KeywordScanner_GDPR.xml). Read this post for more information on the feature.
--analyzeBigFiles (optional) Will bypass the file size limitation of the analyzers (will eventually take longer to scan).
--allowGeneratedCode (optional) Will bypass the default exclusion of generated code files.
--mavenRepository (optional) Path to local .m2 repository for better detection and version resolution of Maven-based dependencies.
--includeAllDependencies (optional) Will bypass the automatic filtering of indirect dependencies found in node_modules.
--includeArchiveContent={levelOfDepth} (optional) Will extract content of archives (.jar, .tar, .zip, .war files) and add it as part of the scan. {levelOfDepth} is the level of depth within archives you want to apply (e.g., "includeArchiveContent=2" will recursively look into 2 level of archive files). Note that this option can increase the scanning time. Although it is not recommended, you can use higher level of depth (max 99). Finally, note that scan of password-encrypted archives or symbolic link is not supported.
--dockerImageNameTage {imageName#tag} Will scan the Docker image corresponding to the provided tag (use '#' as a separator between image and tag). See this article for more information.--dockerImageNameTage {imageName#tag} Will scan the Docker image corresponding to the provided tag (use '#' as a separator between image and tag). See this article for more information.
--dbgMatchPatternDetail Will produce detailed files for Cloud/Green insights for our Visual Studio Code plugins
--gitUrl Github or Gitlab url of the repository to scan (e.g., https://github.com/MichaelMULLER/schoolbus.git)
--gitBranch (optional) The branch to download, if not included the default will be main
--gitToken (optional) The token used to access the private repository, if the repository is public, the token is not needed. This token is provided by your git installation (e.g., https://github.com/settings/tokens)
Upload Options
Below are the required options to use when you want to automatically upload scan results to the Highlight platform. Then, the option “–skipUpload” should be removed.
--login Login of an active Highlight user.
--password Password for the login indicated above.
--basicAuth Alternatively to login/password, you can use this option to pass your credentials encoded in base64
--tokenAuth (recommended) Alternatively to Basic authentication, you can use this option to pass your OAuth token --companyId (mandatory) Identifyer for the company (can be retrieved from the Highlight portal, it is the ID displayed in the url when clicking on the top-level domain in "MANAGE PORTFOLIO > MANAGE APPLICATIONS" from the menu).
--applicationId (mandatory) Identifyer for the application (can be retried from the Highlight portal, it is the ID displayed in the url when editing an application in "MANAGE PORTFOLIO > MANAGE APPLICATIONS").
--serverUrl (mandatory) The Highlight server instance where the results has to be uploaded (user credentials have to work on this server). E.g. 'https://rpa.casthighlight.com'
--snapshotDatetime (optional) Time (epoch in milliseconds, e.g., 1728000000000) to use for uploaded application snapshot.
--snapshotLabel (optional) The application snapshot label you want to display on the application result page on the portal (e.g. release version, build number, etc.).
--skipUpload (optional) Will generate CSV results only, no result upload will be performed.
--appendResult(optional) This option will add uploaded result CSVs to existing/previously uploaded CSV results. This option should be combined with --skipSubmit if you expect further CSV result uploads from other scans for the same application.
--skipSubmit (optional) CSV results will be uploaded but this won't trigger the result processing (score calculations, component detection, etc.) by the CAST Highlight platform.
--zipResult (optional) This option will create a ZIP file containing CSV result files (e.g., --zipResult C:\\temp\\foo.zip).
--uploadZipFile (optional) This option will upload a ZIP file containing result CSVs without running a code scan (e.g., --uploadZipFile C:\temp\foo.zip). Note that the --workingDir option must be present.
Log files
The log file (HLAutomation.log) is produced after the command line is run and is stored in the working directory (–workingDir) that has been set in the options.
If you perform operation in your build environment (prefered solution)
You may directly add –mavenRepository <path_to_m2_folder> to indicate the local maven repository location and ensure build as already been done.
Otherwise, you’ll have to install Maven on your machine and have access to maven external repositories required for your application.
- Download and install Maven (https://maven.apache.org/install.html)
- From the source folder where the root pom.xml is, run the following Maven command which will calculate the exact dependencies and versions of the project:
$> mvn clean install
$> mvn org.apache.maven.plugins:maven-dependency-plugin:3.8.0:tree
- Ensure that maven m2 repository is available and can be read. Windows : default configuration is to have repository in C:\Users\<username>\.m2. Check the visibility status (hidden option in windows explorer). Linux/Mac: check owner and right available on directory, should be at least “read”.
- Scan the source folder with the Command Line with –mavenRepository <path_to_m2_folder>, optionally with the option –includeAllDependencies if you want to get the whole dependency tree
- If your application also uses NPM for JavaScript dependency management, we recommend adding the option –ignoreDirectories “node_modules” to exclude third-party phyisical libraries from the results and to get cleaner Software Composition results
- To ensure that option is correctly working check data in framework.validated.csv, with option activated more components should be reported with a version defined.
Example
$> java -jar HighlightAutomation.jar --sourceDir "C:\source" --workingDir "C\source\hlresults" --mavenRepository "C:\Users\<username>\.m2" --ignoreDirectories "node_modules" --skipUpload
Proxy with no password
-Dhttps.proxyHost=<your proxy host>
-Dhttps.proxyPort=<your proxy port>
Proxy with credentials:
If a password is required, add the following additional parameter
-Dhttps.proxyUser=<user>
-Dhttps.proxyPassword=<password>
Example
java -Dhttps.proxyHost=your proxy host -Dhttps.proxyPort=your proxy port -Dhttps.proxyUser=user -Dhttps.proxyPassword=password -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --login xxx --password xxxx
Requirements
Java
—-
Java 11 minimum is required
$> java -version
Requirements for Linux – Debian based systems:
Perl
—-
Embedded Perl 5.xx + perl librairies:
Digest::SHA
XML::LibXML
JSON
Time::HiRes
Math::BigInt
To check perl version:
$> perl -v
To install the above libraries
$> sudo cpan Digest::SHA
$> sudo cpan XML::LibXML
$> sudo cpan JSON
$> sudo cpan Time::HiRes
$> sudo cpan Math::BigInt
Requirements for Windows:
Perl
—-
Prior to using the command line, and if you don’t want to install CAST Highlight Code Reader, you’ll have to install the Strawberry 5.40.0.1 distribution: https://strawberryperl.com
You can use this link:
https://github.com/StrawberryPerl/Perl-Dist-Strawberry/releases/download/SP_54001_64bit_UCRT/strawberry-perl-5.40.0.1-64bit.msi
Requirements for macOS
For macOS users, using our Docker image is recommended to run the command line as a container.
For SSO/SAML users
SSO/SAML users must use user tokens to authenticate and upload result files to the CAST Highlight platform. See how the feature works.
0 – Ok
1 – Command Line general failure
2 – Command Line options parse error
3 – Command Line techno discovery error
4 – Command Line analysis error
5 – Command Line result upload error
6 – Command Line source dir or output dir validation error
7 – Command Line result saving to zip file error
8 – Command Line upload from zip file error
CLI logs
Running the command line will create an HLAutomation.log that contains traces of a scan. This file is located in the specificed working directory (–workingDir).
Generated Code exclusion
By default, the command line excludes files that are known as generated code. These files are following the patterns below. In case you would want to scan these files, use the –allowGeneratedCode option.
*.designer.vb, *.designer.cs, *.reference.cs, *.reference.vb
Integration Templates & Tutorials
Portfolio Advisor for AWS Transform, an automated way to accelerate .NET modernization: Segmentation Criteria
Migrating custom applications from .NET Framework to .NET Core is can deliver several benefits including: cost efficiency, higher performance, improved security and better maintainability. Due to its cross-platform compatibility, .NET Core applications can run on different operating systems, including Linux, providing greater flexibility and reducing infrastructure costs.
Application Grouping
CAST Highlight has a new way to aggregate application insights that gives users significant flexibility. The Application Grouping capability enables users to group multiple scanned applications into a new application group and view consolidated data. Learn how it works in this article.
OSS Dependency Map: Scan configuration for optimal results
This product post provides guidance and requirements for preparing source code and configuring scans of your application to take full advantage of the OSS Dependency Map feature.
Feature Focus: AI Advisor
The CAST Highlight product team is always striving to make the user experience seamless and productive. Today, we’re excited to announce the launch of a new capability that will deeply impact the way you interact with the product: the AI Advisor. See in this article how to set it up and use it.
Feature Focus: Cloud Migration Wave Advisor
CAST Highlight helps users determine the ideal sequence of applications to move to the cloud by automatically segmenting a portfolio based on multiple dimensions. Learn in this article how the Cloud Migration Wave Advisor works.
Feature Focus: CISA’s Known Exploited Vulnerability Insights
CAST Highlight now incorporates CISA’s KEV (Known Exploited Vulnerabilities) database to complement CVE information and help organizations prioritize vulnerability remediation efforts. See in this article how to access and use this new software intelligence.
Feature Focus: Personalized User Home Pages
CAST Highlight enables you to define the content of your home page by adding widgets that display the insights that matter the most to you. Learn how to use the feature in this article.
Feature Focus: OSS Component Lifespan Insights
CAST Highlight automatically calculates a lifespan status on open-source software (OSS) components. This status identifies whether a component is active, possibly deprecated, or immature. See in this article how the feature works and how to leverage this new SCA insight for more informed decisions.