CAST Highlight’s Docker Image for Code Scans

How to use our Docker image

Get Docker
First, you’ll need Docker installed on your machine. Depending on your OS, you can get it from here: In order to check everything you need is installed, simply run this command:


> docker version

This should return something like this:

Client: Docker Engine – Community
Version: 19.03.5
API version: 1.40
Go version: go1.12.12
Git commit: 633a0ea
Built: Wed Nov 13 07:22:37 2019
OS/Arch: windows/amd64
Experimental: false

Server: Docker Engine – Community
Version: 19.03.5
API version: 1.40 (minimum version 1.12)
Go version: go1.12.12
Git commit: 633a0ea
Built: Wed Nov 13 07:29:19 2019
OS/Arch: linux/amd64
Experimental: false
Version: v1.2.10
GitCommit: b34a5c8af56e510852c35414db4c1f4fa6172339
Version: 1.0.0-rc8+dev
GitCommit: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
Version: 0.18.0
GitCommit: fec3683

Pull the CLI image
The official repository for the Command Line is available at You can just pull the latest image by running the Docker command below:


> docker pull casthighlight/cli

Once the image is pulled, you should get:

Using default tag: latest
latest: Pulling from casthighlight/cli
Digest: sha256:719ff691ea35f351822f0c20eec7659fb781c9fbefc7dd8c5ac8018937beede5
Status: Image is up to date for casthighlight/cli:latest

Run the container
Running the containerized Command Line is very similar to what you already know with the command line. The difference is that the options to locate specific installation paths like the jar and the perlAnalyzers scripts directory are no longer relevant.

Run a container with no argument to get the help output:

> docker run --rm casthighlight/cli

The --rm option tells docker to remove the container once it has finished its job.

You should get the following output from the Command Line through the container:

User: uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
WARN: container is run as root! Consider using docker run –user $UID:$GID to stick to current user
+ java -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -jar /opt/hlt/HighlightAutomation.jar –analyzerDir /opt/hlt/perl –help
Highlight Command Line
Version : 5.5.8

Option Description
—— ———–
--applicationId <Integer> Identification for application
--tokenAuth Use this option to pass your OAuth
--serverUrl The Highlight server instance where the results has to be uploaded (user credentials have to work on this server). E.g. ‘’
--companyId <Integer> Identification for company

--ignoreDirectories List of directories name to ignore. Separated by ,
--ignoreFiles List of regular expression to ignore file names. Separated by ,
--ignorePaths Regular exepression to ignore paths.
--keywordScan List of xml files describing keywords to scan. Separated by , Logfile name.
--login Login to Highlight portal
--password Password for indicated login
--printTechnos Print available technos
--skipUpload Only CSV generation. No upload performed
--snapshotDatetime <Long> Time (epoch) to use for uploaded application snapshot
--snapshotLabel Label to use for uploaded application snapshot
--sourceDir Directory containing source.
--technologies Technology present in your sources. Separated by , and ordered by preferences
--workingDir Working directory, will be used as root directory. Highlight temporary directory
(HLTemporary) will be created inside it.

Finally, to run a scan of the current directory and upload the results to the CAST Highlight portal, just run:

> docker run --user $UID -v $(pwd):/sourceDir -v /tmp:/workingDir casthighlight/cli  --sourceDir  /sourceDir --workingDir /workingDir --applicationId 33074 --companyId 6515 --login --password ****

This is equivalent to run the following with the Command Line distribution (assuming the distribution is installed in /opt/hl):

java -jar /opt/hlt/HighlightAutomation.jar --analyzerDir /opt/hlt/perl --sourceDir $(pwd) --workingDir /tmp --applicationId 33074 --companyId 6515 --login --password ****

What both commands do is to scan the current directory, write logs to /tmp and upload the result to the right application on the portal. The difference is how you specify the --sourceDir and --workingDir options. With docker you have to map both the sourceDir and workingDir paths on the host to their respective locations in the container.

This gives the container read and write permissions to your current and /tmp directories. A good practice is to run containers with the current user’s ID, using the --user docker option, instead of the default root id.

Enjoy your scans!