Scans
Contrast Scan is a static application security testing (SAST) tool that lets you quickly scan code to identify vulnerabilities in early stages of development.
You can use these types of scans:
Hosted or CLI: Use this type of scan if you are able to upload code to the Contrast platform. To start a scan, use either the Contrast web interface or the Contrast CLI.
This scan type supports Java binary and source code scanning.
Contrast Scan local engine: Use this type of scan for artifacts on your local system. Contrast receives the results but you don't upload local code. To use the local engine, request it from Contrast support.
The Scan local engine supports Java binary scanning and source code scanning.
Depending on the type of code you submit for scanning, Contrast Scan uses one of these scan engines:
Java binary: Scans Java JAR or WAR files.
The Java binary scan supports only web applications (applications that handle HTTP traffic).
This type of scan has a narrower focus than a source code scan. It looks for data that comes from an untrusted source, such as user input, and reaches a dangerous sink, such as a SQL statement, without sanitization. The scan doesn't report on code that is not security relevant. This type of scan uses Scan policies (for example: the code contains dangerous potential sink calls, or the calls or entry points allow untrusted data to enter the application) to find security-relevant code.
Source code: Scans artifacts for most languages.
This type of scan has a wider focus than a Java binary scan. It searches the code for potential vulnerabilities based on a rule set. The results are typically less accurate than those of a Java binary scan.
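As an added illustration of the source-to-sink pattern the Java binary scan description above refers to (this is not Contrast's code or an excerpt from its documentation), the same database lookup is written with unsanitized concatenation, with parameter binding, and with no untrusted data at all. The class and method names are hypothetical, and which path an engine flags is inferred from the description above rather than taken from any actual Scan policy.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.http.HttpServletRequest;

// Hypothetical servlet helper used to illustrate source/sink/sanitizer reasoning.
public class AccountLookup {

    // Expected to be reported: untrusted data (the HTTP "id" parameter is a
    // source) flows into a dangerous sink (Statement.executeQuery) with no
    // sanitization in between.
    static ResultSet findUnsafe(Connection db, HttpServletRequest req) throws SQLException {
        String id = req.getParameter("id");            // source: user-controlled input
        String sql = "SELECT * FROM accounts WHERE id = '" + id + "'";
        Statement st = db.createStatement();
        return st.executeQuery(sql);                   // sink: SQL statement built from input
    }

    // Expected not to be reported: the same source reaches the database only
    // through a PreparedStatement bind, so the data never becomes query text.
    static ResultSet findSafe(Connection db, HttpServletRequest req) throws SQLException {
        String id = req.getParameter("id");            // still an untrusted source
        PreparedStatement ps = db.prepareStatement("SELECT * FROM accounts WHERE id = ?");
        ps.setString(1, id);                           // binding acts as the sanitizing step
        return ps.executeQuery();                      // sink reached only with bound data
    }

    // Not security relevant: no untrusted source and no dangerous sink, so a
    // source-to-sink scan has nothing to say about this method.
    static String formatBalance(long cents) {
        return String.format("%d.%02d", cents / 100, cents % 100);
    }
}
```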
Scan tasks
In Contrast Scan, you can: