Skip to main content

Welcome to Contrast

Contrast supports real-time application security through all phases of your software development life cycle (SDLC).

Take a walk through an example of how you can use Contrast in your environment.

If you want to...

Contrast offers...

Analyze your applications for security vulnerabilities during the development and test (QA) phases of your SDLC:

  • In the development phase: Get instant and accurate vulnerability feedback for applications and the libraries that they use.

    By exercising your application, you can simulate the routes in your application and, with the data from Contrast, ensure that you are checking in secure code.

  • In the test phase: Get assurance that applications are evaluated for security vulnerabilities as you apply manual or automated test cases or in a CI/CD pipeline.

  • In production: Get full visibility into attacks and defend applications from malicious exploitation in the production phase of your SDLC.

  • Agents Supports a variety of programming languages, frameworks, and container technologies that instrument your applications with sensors.

  • Contrast Assess: Uses tuneable detection rules to accurately find vulnerabilities. It provides details on how the issue was discovered, how to reproduce it, and how to fix it.

  • Scan: Identifies vulnerabilities in uploaded binary packages by performing a fast and efficient static scan.

  • Protect: Automatically identifies attacks and either monitors them or prevents them from being exploited in production. Protect discovers and blocks attacks from within the running application but can also integrate with Web Application Firewalls (WAF).

Analyze libraries that your applications use.

Contrast SCA: Offers visibility into security risks and legal issues introduced by open-source libraries used during applications at run time. It identifies vulnerabilities in open-source libraries. It also identifies if a current library is out-of-date and should be updated.

Find vulnerabilities in your code earlier in the SDLC and get easy-to-understand guidance on how to fix them.

View vulnerability data that includes suggestions on how to fix vulnerabilities that Assess, Scan, and SCA discover.

View an architecture diagram that provides an interactive view of where data and resources are shared within your organization and beyond it.

Flow maps provide a detailed diagram of your application, the layers of technologies within it, and the back-end systems to which it connects.

Integrate Contrast into your CI/CD pipeline.

A wide variety of integrations that let you to integrate Contrast actions and data into developer IDEs, build system, communication tools, and more.


Contrast provides a variety of options for customizing data access, data views, and data collection from applications that you've added to Contrast. Customization helps you to enhance your views of the data that Contrast provides.



Role-based access control

Access groups let you assign permissions and capabilities for specific users. You can assign different types of access, based on role, for each application associated with a group.

It is useful to plan a group strategy before you add applications to Contrast.

If you do not specify the group in the Contrast configuration file when you first add the the application to Contrast, you can only add it to a group from the Contrast web interface. If you want to add applications using a Contrast configuration file, you will need to delete the application and add it again to associate it with your access group.

Start by creating or adding a user or application (or both) to an existing group in the Contrast web interface.

Then, using a Contrast configuration file for each application, you can associate an application with an access group when you add the application to Contrast.

# application:

  # Add the name of the application group with which this
  # application should be associated in the Contrast UI.
  # group: NEEDS_TO_BE_SET

Custom filters

Contrast provides tag options that let you create customized filters. The benefit of creating custom filters is you can view data according to your specific needs, in addition to using the default filters.

You can create custom filters through the use of application metadata.

You can also apply tags to specific application data or vulnerability data in Contrast. After you tag an application or a vulnerability, you can use that tag as a filter on the Applications page or the Vulnerabilities page in the Contrast application.

Example: Application metadata

This example shows how to create free form fields in the Contrast web interface to request application metadata:

Field: managersInfo

Value:"John Doe"

Field: businessUnit

Value:"NodeGoat Group"

Field: officeLocation

Value:"New York City"

Example: Application tags

  • Appname: The name of a specific application.

  • Groupname: The name of an access group.

  • Environment: The environment in which you are testing the application (development, QA, or production).

  • Server Name: The name of the server hosting the application.

Example: Vulnerability tags

  • Build: A specific build number

  • Version: A specific release version

Custom data from applications

Session metadata lets you identify the source of vulnerabilities in your application.

When you add the necessary property to your agent configuration file, the agent reports this information along with the rest of the standard vulnerability data to the Contrast web interface for filtering.

If you change the values of metadata in the Contrast configuration file for the agent, you can filter the vulnerability data based on the different values. For example, if you change the values for Branch name or Version, you can filter data based on the different versions or branches.


In this example for a Java application, you add an entry in the line where you add your javaagent flag. In this example, you set the property contrast.application.session_metadata to a set of key-value pairs that identify a branch, a committer, and a repository.


Custom naming

You have the option of providing customized names for applications and servers that host the applications.

By default, a Contrast agent creates a name based on data it discovers in your code.

To specify a custom name, you can use an agent configuration file when you add the application to Contrast or set the name in the Contrast web interface after you add an application.

Next steps