Done by: Application Developer
Time needed: 15 minutes
What you get: Security tools used during your build/package phase can find security early on a standard build or pull request.
The dependency scanner operates locally, leveraging cloud data for lookups. It identifies vulnerable components and creates a software bill of materials (SBOM).
On a build server, run the following command:
npm install -g @contrast/contrast-cli
This step will give you a repeatable job to locate vulnerable dependencies.
Locate the continuous integration job that compiles and packages your application. For trial use, you may also locate the build script (pom.xml or build.gradle) on your developer system.
Add a step to call the scanner. This will also invoke your build tool's compile step.
contrast-cli --yamlPath scan.yaml
Look for _ in the output to ensure completion. Set up your static code scanner Static code scanning operates in the cloud, locating vulnerabilities for custom code, dependencies, and their interactions. It reports vulnerabilities along relevant code paths to guide understanding and fixes.
Identify your project as described in the Create a scan project document. Scanning your code (periodic automation) Submit your JAR or WAR file as described in the Start a Scan document. Place your automation steps into the appropriate CI/CD job that packages your JAR or WAR file.