Integrate scans with builds

The Contrast CLI provides commands that let you start a scan without using the Contrast web interface.

This topic provides instructions for using the Contrast CLI for static scans.

Before you begin
  • Install the Contrast CLI.

  • In Contrast, find the API key, the authorization header, and organization ID:

    1. Under the user menu, select User settings > Profile.

    2. Record the required details.

  • Ensure that a WAR or JAR file is available in an accessible location.

Steps
  1. In Contrast, create a scan project.

  2. Use these CLI commands (each option is continued onto the next line with a trailing backslash):

    contrast-cli \
    --api_key <APIKey> \
    --authorization <AuthorizationKey> \
    --organization_id <OrganizationId> \
    --host <ContrastHostURL> \
    --language <string> \
    --project_id <ProjectID> \
    --scan <FileToBeScanned>
    • In the --host option, replace <ContrastHostURL> with the name or URL of the host that is running the Contrast web application.

    • In the --language option, replace <string> with Java, the currently supported language for scans.

    • In the --project_id option, replace <ProjectID> with the ID associated with the scan project. To find the ID, select a scan project and locate the last number in the URL.

    • In the --scan option, replace <FileToBeScanned> with the path of the WAR or JAR file that you want to upload for scanning.

    If the file upload is successful, the CLI displays a success message.

  3. Analyze scan results in Contrast.
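The following is an added example, not Contrast's own code, showing how a CI job can wrap the invocation from step 2 so that the API key and authorization header come from environment variables rather than being hardcoded in the build, and so that a missing credential, a missing artifact, or a failed upload fails the build. The variable names CONTRAST_API_KEY, CONTRAST_AUTHORIZATION, CONTRAST_ORG_ID, CONTRAST_HOST and CONTRAST_PROJECT_ID are assumptions; only the contrast-cli options are from the page.

```shell
#!/bin/sh
# Added example (not Contrast's own code). Assumed environment variables:
# CONTRAST_API_KEY, CONTRAST_AUTHORIZATION, CONTRAST_ORG_ID, CONTRAST_HOST,
# CONTRAST_PROJECT_ID. Set them as masked secrets in the CI system.

# Print the full contrast-cli command line for the artifact given as $1.
# Return 1 (printing nothing to stdout) if a credential is missing, the file
# does not exist, or it is not a WAR/JAR, so the caller can fail fast.
build_scan_cmd() {
    artifact="$1"
    # The variable names are fixed constants, so eval is safe here.
    for var in CONTRAST_API_KEY CONTRAST_AUTHORIZATION CONTRAST_ORG_ID \
               CONTRAST_HOST CONTRAST_PROJECT_ID; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "missing required environment variable: $var" >&2
            return 1
        fi
    done
    if [ ! -f "$artifact" ]; then
        echo "artifact not found: $artifact" >&2
        return 1
    fi
    case "$artifact" in
        *.war|*.jar) ;;
        *) echo "artifact must be a WAR or JAR file: $artifact" >&2; return 1 ;;
    esac
    printf '%s' "contrast-cli --api_key $CONTRAST_API_KEY" \
        " --authorization $CONTRAST_AUTHORIZATION" \
        " --organization_id $CONTRAST_ORG_ID --host $CONTRAST_HOST" \
        " --language Java --project_id $CONTRAST_PROJECT_ID --scan $artifact"
}

# Upload the artifact for scanning; a non-zero exit from contrast-cli fails
# the build. The command line is never echoed, so the secrets stay out of logs.
run_scan() {
    cmd=$(build_scan_cmd "$1") || return 1
    # shellcheck disable=SC2086
    $cmd || { echo "Contrast scan upload failed" >&2; return 1; }
}

# Usage in a CI job (after the package step):
#   run_scan target/myapp.war
```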

YAML example

This example shows how to use the CLI commands in a YAML file.

cli:
    api_key: wREDACTEDf
    authorization: Sm9ubnkREDACTEDha
    organization_id: d89dREDACTEDbb
    host: myserver.com/Contrast
    language: JAVA
    project_id: adc12REDACTED364
    scan: myfile.jar

Integration with Maven

To integrate Contrast Scan into your project's Maven build, use the Contrast Maven plugin.