Contrast Scan local engine

The Contrast Scan local engine lets you scan your application using a Java JAR file instead of the Contrast CLI or the Contrast web interface. When a scan completes successfully, the Scan local engine uploads the results to the Contrast platform where you can view them. The uploaded files include:

  • Scan results in Static Analysis Results Format (SARIF) in a JSON file.

  • Output from the scan in a LOG file.

This method of scanning is useful if you want to scan files locally without uploading them to the Contrast platform.

Supported platforms

The Scan local engine is supported for Linux systems.

Proxy server settings for local scans

For security purposes, you might want to use a proxy server for communication between the local scan engine and the Contrast platform. Use the following environment variables to enable a proxy server when you run a local scan:

  • CONTRAST__API__PROXY__ENABLE: Enables proxy settings.

  • CONTRAST__API__PROXY__URL (required): The URL for the proxy server (for example, http://host:port).

  • CONTRAST__API__PROXY__TYPE (required): The proxy server type (for example, BASIC).

  • CONTRAST__API__PROXY__USERNAME (optional): Username for the proxy server.

  • CONTRAST__API__PROXY__PASSWORD (optional): Password for the proxy server.
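The following wrapper script is an added example, not part of this page or of Contrast's own tooling. It checks the proxy variables listed above before launching the local engine, so that a scan is not started with the proxy enabled but the required URL or type missing, and it keeps the proxy credentials in the environment rather than on the command line where other users on the host could read them from the process list. The script assumes (these details are not on the page) that the engine is started with java -jar, that its path is provided in a variable named CONTRAST_SCAN_JAR, that the URL must take the http://host:port form shown above, and that a username without a password (or the reverse) is a misconfiguration; any scan arguments are passed straight through.

```shell
#!/bin/sh
# Added example (not Contrast's own code): validate the documented proxy
# environment variables, then launch the local engine JAR.
# Assumptions not taken from the page: the engine runs as `java -jar`,
# its path comes from CONTRAST_SCAN_JAR, and scan arguments are passed via "$@".

validate_proxy_env() {
    # Proxy disabled or unset: nothing further to check.
    case "${CONTRAST__API__PROXY__ENABLE:-false}" in
        true|TRUE|1) ;;
        *) return 0 ;;
    esac

    # URL and TYPE are documented as required once the proxy is enabled.
    if [ -z "${CONTRAST__API__PROXY__URL:-}" ]; then
        echo "proxy enabled but CONTRAST__API__PROXY__URL is not set" >&2
        return 1
    fi
    if [ -z "${CONTRAST__API__PROXY__TYPE:-}" ]; then
        echo "proxy enabled but CONTRAST__API__PROXY__TYPE is not set" >&2
        return 1
    fi

    # Shape check (assumption): the URL should look like http://host:port.
    case "$CONTRAST__API__PROXY__URL" in
        http://*:[0-9]*|https://*:[0-9]*) ;;
        *)
            echo "CONTRAST__API__PROXY__URL should look like http://host:port" >&2
            return 1
            ;;
    esac

    # Credentials are optional, but a half-configured pair is treated as an
    # error (assumption, to catch a forgotten secret early).
    if [ -n "${CONTRAST__API__PROXY__USERNAME:-}" ] && [ -z "${CONTRAST__API__PROXY__PASSWORD:-}" ]; then
        echo "CONTRAST__API__PROXY__USERNAME set without CONTRAST__API__PROXY__PASSWORD" >&2
        return 1
    fi
    if [ -z "${CONTRAST__API__PROXY__USERNAME:-}" ] && [ -n "${CONTRAST__API__PROXY__PASSWORD:-}" ]; then
        echo "CONTRAST__API__PROXY__PASSWORD set without CONTRAST__API__PROXY__USERNAME" >&2
        return 1
    fi
    return 0
}

run_local_scan() {
    validate_proxy_env || return 1
    # The JVM inherits the CONTRAST__API__PROXY__* variables from the
    # environment; the password never appears in argv.
    exec java -jar "${CONTRAST_SCAN_JAR:?set CONTRAST_SCAN_JAR to the engine JAR path}" "$@"
}

# Usage (from a shell where the proxy variables are already exported):
#   . ./run_scan.sh && run_local_scan <scan arguments>
```

Source the file and call run_local_scan rather than executing it directly, so the validation can also be reused from other scripts; the scan arguments themselves come from the engine documentation supplied with the JAR, not from this page.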

Package preparation for local scans

Consider these best practices when you prepare to run a local scan:

  • JAR or WAR files: Specify the binary file to be scanned.

  • Source code scanning: Place the source code you want to scan in a folder and not in a ZIP file.

    There is no limit to the size of this folder for the local scanner. However, some large source code repositories may require more memory or a longer time to execute. Use the memory and timeout options to manage these situations.

  • Multi-JAR scanning: Specify a ZIP file that contains multiple JAR files. Place these files in the root of the ZIP file.

    There is no limit to the size of the JAR files in the ZIP file.

Scan process

To use the Scan local engine:

  1. Contact Contrast Support to get the latest local engine application.

  2. Decide if you want to use a proxy server for uploading results.

  3. Run the scan on a local system.

  4. View results in the Contrast web interface.