Highlight Automated Code Scan (Command Line)

This page details how to automate source code scans by leveraging the Highlight command line and integrating it within your build or CI/CD environments.  This will allow you to continuously track and monitor software health and cloud readiness of your projects and applications. For any questions not addressed in this documentation, don’t hesitate to contact our support team.

Before getting started…

What is a Command Line?

For those who are not familiar with this concept, the Highlight command line is a Java binary which can be programmatically run using scripts and/or automated tasks. It replaces the Local Agent user interface using options you can configure in order to automate the code scan and results upload. In other words, you can configure the command line once to automatically scan the source code of a folder multiple times.  You can also exclude (for instance) some technologies/folders you don’t want to scan, and upload the results automatically to the SaaS platform on a regular timeline (e.g., every sprint/release).

Also, note that you can also run the command line as a Docker container. Our Docker is especially recommended for MacOS users.
Download the Command Line 5.4.70
5046

Please read and accept the license agreement prior to downloading the command line.

I have read and agree with the end-user license agreement

How to use the command line

Examples

Find below some examples of options you can reuse for your own code scan configuration.

A simple code scan of a Windows folder

java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src"  --skipUpload

A simple code scan of a Linux folder

java -jar HighlightAutomation.jar --workingDir "/home/user/highlight-myproject/" --sourceDir "/home/user/svn/myproject/src/"  --skipUpload

Use of a .properties file to centralize all options of the command line

java -jar HighlightAutomation.jar –propertiesPath “C:\tmp\highlight.properties”

Read this article for more details

Scan only specific technologies (e.g. Java and Python)

java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --technologies "Java,Python" --skipUpload

Exclude folders with a specific string (e.g. test, jquery)

java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignoreDirectories "test,jquery" --skipUpload

Exclude paths with a specific pattern (e.g. vendor/js)

java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignorePaths ".*\/vendor\/js" --skipUpload

Exclude paths containing a specific string (e.g. pretestFolder)

java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignorePaths ".*test.*" --skipUpload

Exclude paths starting with a specific string (e.g. testFolder)

java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignorePaths "./test.*" --skipUpload

Scan and automatically upload results to the platform

java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --login "john.doe@acme.com" --password "*******" --applicationId 1234 --companyId 5678 --serverUrl "https://rpa.casthighlight.com"

Exclude files from the scan if they contain “foo” in the file name independently of the extension

java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignoreFiles ".*foo.*" --skipUpload

Exclude files from the scan if they contain “foo” name and have a .js extension

java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignoreFiles ".*foo.*\.js" --skipUpload

Exclude files from the scan based on a specific file extension (e.g. .vue)

java -jar HighlightAutomation.jar --workingDir "C:\highlight-myproject" --sourceDir "C:\myproject\src" --ignoreFiles ".*\.vue" --skipUpload

Upload a result Zip file of an application that was previously scanned

java -jar HighlightAutomation.jar --uploadZipFile "C:\scans\HighlightResult.03_30_2022_14_40.zip" --serverUrl https://rpa.casthighlight.com --companyId 1234 --applicationId 5678 --tokenAuth *****-****-****-****-******* --workingDir "C:\temp"

Command Line Options

--help
 Displays the different options
--printTechnos
 Print the supported technologies (e.g. Java, Python, COBOL, etc.)

Scan Options

--propertiesPath (optional)
The absolute path to the .properties file that will centralize and drive all other options of the command line.
--sourceDir (mandatory)
 The absolute path to the directory that contains the source code to be scanned by CAST Highlight.
--workingDir (mandatory)
 This is the absolute path to the Highlight working directory. Within this directory, a Highlight temporary folder ("HLTemporary") will be created and will contain scan result files (CSVs located in HLTemporary/analysis folder) and analysis log files (CSVs located in HLTemporary/discover folder). To make it short, this is the directory where you want to store scan results.
--technologies (optional)
 Technologies you want to explicitly scan in your sources. Separated by "," (See --printTechnos option above).
--ignoreDirectories (optional)
 Directory name patterns to ignore during the scan (e.g. test folders, .git, etc.). Separated by ",". Source code within directories matching with these patterns will be automatically excluded from the scan.
--ignorePaths (optional) List of regular expressions to ignore paths, separated by "|". Source code within directories matching with this regexp will be automatically excluded from the scan. Note that starting ^ and ending $ are implicit and don't need to be passed in this option.

--ignoreFiles (optional)
List of regular expression to ignore file names. Separated by ",". Files matching with these patterns will be automatically excluded from the scan. Example to exclude all files containing "foo" with a .js extension: --ignoreFiles ".*foo.*\.js"
--analyzerDir (optional) Alternate directory for Highlight's analyzer scripts.
--perlInstallDir (optional)
 Directory of perl installation (default: C:\Program Files\CAST\HighlightAgent\COTS\strawberry-perl-5.12.3.0).
--keywordScan (optional)
 Path and filename of your KeywordScan XML configuration file (e.g. C:\temp\KeywordScanner_GDPR.xml). Read this post for more information on the feature.
--skipUpload (optional)
 Will generate CSV results only, no result upload will be performed.
--analyzeBigFiles (optional)
 Will bypass the file size limitation of the analyzers (will eventually take longer to scan).
--allowGeneratedCode(optional) Will bypass the default exclusion of generated code files.
--includeAllDependencies (optional) Will bypass the automatic filtering of indirect dependencies found in node_modules.
--includeArchiveContent {levelOfDepth} (optional) Will extract content of archives (.jar, .zip files) and add it as part of the scan. {levelOfDepth} is the level of depth within archives you want to apply (e.g., "includeArchiveContent 2" will recursively look into 2 level of archive files). Note that this option can increase the scanning time.

Upload Options

Below are the required options to use when you want to automatically upload scan results to the Highlight platform. Then, the option “–skipUpload” should be removed.

--login (mandatory)
 Login of an active Highlight user.
--password (mandatory)
 Password for the login indicated above.
--basicAuth
Alternatively to login/password, you can use this option to pass your credentials encoded in base64
--tokenAuth
Alternatively to Basic authentication, you can use this option to pass your OAuth token

--companyId (mandatory) Identifyer for the company (can be retrieved from the Highlight portal, it is the ID displayed in the url when clicking on the top-level domain in "MANAGE PORTFOLIO > MANAGE APPLICATIONS" from the menu).
--applicationId (mandatory)
 Identifyer for the application (can be retried from the Highlight portal, it is the ID displayed in the url when editing an application in "MANAGE PORTFOLIO > MANAGE APPLICATIONS").
--serverUrl (mandatory)
 The Highlight server instance where the results has to be uploaded (user credentials have to work on this server). E.g. 'https://rpa.casthighlight.com'
--snapshotDatetime (optional)
 Time (epoch) to use for uploaded application snapshot.
--snapshotLabel (optional) The application snapshot label you want to display on the application result page on the portal (e.g. release version, build number, etc.).
--uploadZipFile (optional) This option will upload a result Zip file without running a code scan (the --workingDir option must be present).

Log files

The log file (HLAutomation.log) is produced after the command line is run and is stored in the working directory (–workingDir) that has been set in the options.

Requirements

For Windows
Java 11 and above is required.

Prior using the command line, it is preferable to install the Highlight Local Agent on your machine, in order to embed the required Perl binaries. Alternatively, you can install the required Perl distribution (Strawberry) if you don’t want to install the Local Agent. The Local Agent can be downloaded from your Highlight user account, in the APPLICATION SCANS page.

 

For Linux Debian/Ubuntu

The following components must be installed on your machine: Perl 5 (tested on Strawberry 5.12.3.0), libjson-perl, libxml-libxml-perl

$>perl -v
on debian/ubuntu systems
$>dpkg –get-selections libxml-libxml-perl libjson-perl

Java 11 and above
$>java -version

 

For Linux – RHEL/CENTOS based systems

Install the libraries: perl-XML-LibXML, perl-JSON and perl-Digest-SHA

$>yum -y install perl-Digest-SHA
$>yum -y install perl-JSON
$>yum -y install perl-XML-LibXML
$>yum -y install perl-Time-HiRes
$>yum -y install perl-Math-BigInt

 

For MacOS

For MacOS users, using our Docker image is recommended to run the command line as a container.

$>perl -v

$>cpan install XML::LibXML
$>cpan install JSON

 

For SSO/SAML users

SSO/SAML users must use user tokens to authenticate and upload result files to the CAST Highlight platform. See how the feature works.

Troubleshooting
CLI error codes


0
– Ok

1 – Command Line general failure
2 – Command Line options parse error
3 – Command Line techno discovery error
4 – Command Line analysis error
5 – Command Line result upload error
6 – Command Line source dir or output dir validation error
7 – Command Line result saving to zip file error
8 – Command Line upload from zip file error

 

CLI logs

Running the command line will create an HLAutomation.log that contains traces of a scan. This file is located in the specificed working directory (–workingDir).

 

Generated Code exclusion

By default, the command line excludes files that are known as generated code. These files are following the patterns below. In case you would want to scan these files, use the –allowGeneratedCode option.

*.designer.vb, *.designer.cs, *.reference.cs, *.reference.vb

Integration Templates & Tutorials

Feature Focus: Proprietary Component Governance

Software Composition Analysis (SCA) has become an essential part of modern software development, with a primary focus on analyzing and managing the risks associated with open-source software (OSS) components. However, the importance of proprietary components in software applications cannot be overlooked. These homegrown components are the backbone of many software systems and contribute significantly to a business as they are not open-source and publicly available, by definition. In this tutorial, we will explain the significance of governing proprietary components and how CAST Highlight’s SCA capabilities help you address this requirement.

Feature Focus: Green Effort Estimate

This article explains how Green Effort estimate is calculated and how to customize the effort profile.

Feature Focus: Green Impact score calculation

CAST Highlight introduced a new indicator for estimating the green impact of a software application. This article explains how the Green Impact score is calculated in CAST Highlight.

Feature Focus: CloudReady Application Advisor

The CloudReady Application Advisor provides automated Cloud migration insights and recommendations based on a specific migration scenario in just a few clicks. See in this article how the feature works.

Feature Focus: Event logs

As a Portfolio Manager of CAST Highlight, you may need to know and understand the different actions which occurred in the portfolio. The Audit Logs feature allows you to list main user events such as application creation, change in the User Token configuration, etc. See in this article how this feature works.

Feature Focus: How to use Command Line’s .properties file

To simplify use of the CAST Highlight command line and scale code scan deployments across CI/CD pipelines, you can use the .properties files. This tutorial explains how.

Feature Focus: Analysis Snapshot Comparison

Understand the present of your applications by looking through the lens of the past. CAST Highlight now allows users to compare key metrics and KPIs between different analysis snapshots of a scanned application. See how to use the feature in this article.

Feature Focus: Portfolio Management Optimization

CAST Highlight’s product team has entirely revisited the Portfolio Management screen to increase performance and allow portfolio managers to do more faster. This article explains how the new screen works.