
Reduce container startup time

When you start your instrumented application, Contrast applies source transformations to both your application and the dependency code your application loads. This code rewriting increases startup time when running applications with the agent.

Starting with version 4.X, the Node.js agent includes a command line utility you can use to pre-compile applications before starting them. When started with Contrast, the pre-compiled application loads the rewritten files from disk, which significantly improves startup time.

Use the rewriter

  1. In the Node.js agent's configuration file (contrast_security.yaml):

    • Enable rewrite caching and specify the path of the cache location.

    • Specify the logging level.


      You can override the YAML configuration settings by invoking the rewriter with CLI arguments or environment variables. For example, to prevent any logging to stdout or to disk, you could use these overrides:

      npx -p @contrast/agent --no contrast-transpile index.js --agent.logger.stdout false --agent.logger.path /dev/null;

      It is important to use the -p @contrast/agent --no options to ensure the npx command is the one from Contrast Security and not from a nefarious person attempting a supply chain attack.

      • -p is the shorthand for --package, which tells npx to only use the command in the @contrast/agent package.

      • --no is the new option name for the deprecated --no-install option that tells npx to not attempt an install from npm if the command binary is not found.

        The expectation is that the Contrast agent has already been correctly installed along with the npx binaries before attempting to run the npx command.

    • You must also explicitly enable Protect or Assess.

    For example:

    agent:
      logger:
        level: info
        path: ./node-contrast
      node:
        rewrite_cache:
          enable: true
          path: ./rewrite_cache
    assess:
      enable: true
    protect:
      enable: false
  2. Invoke the executable and provide it with your application's entry point (for example, index.js). For example:

    npx -p @contrast/agent --no contrast-transpile index.js --agent.logger.level trace;
    trace: 2021-07-12T18:31:15.128Z 2934603 contrast:rewrite - successfully rewrote code for /path/to/app/index.js
    trace: 2021-07-12T18:31:15.186Z 2934603 contrast:rewrite - successfully rewrote code for /path/to/app/node_modules/koa/lib/application.js
    trace: 2021-07-12T18:31:15.251Z 2934603 contrast:rewrite - successfully rewrote code for /path/to/app/node_modules/koa-router/lib/router.js
    trace: 2021-07-12T18:31:15.314Z 2934603 contrast:rewrite - successfully rewrote code for /path/to/app/node_modules/@koa/router/lib/router.js
    info: 2021-07-12T18:31:41.608Z 2946030 contrast:cli-rewriter - rewriting complete [26.625s]


    The Node.js agent rewriter CLI currently only supports pre-compiling applications to run with Assess enabled. The agent transpiles code differently depending on whether Protect or Assess is enabled. Protect requires fewer source transformations than Assess and does not cause the same startup delays.

  3. Once rewriting completes, start your application with Contrast as you usually would (for example, node -r @contrast/agent index.js).
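
The -p @contrast/agent --no options in step 1 depend on the agent already being installed locally. The following pre-flight check for a container build is an added example, not part of Contrast's documentation or tooling: it confirms that contrast-transpile resolves to a file inside the installed @contrast/agent package before npx is invoked. The function names are hypothetical, and it assumes npm's standard layout in which package commands are symlinked into node_modules/.bin.

```sh
#!/bin/sh
# Added example, not Contrast's code. Assumes npm's standard layout on Linux/macOS:
# package commands are symlinked into node_modules/.bin/ and point into the package.

# Print the physical path of $1, following symlinks (at most 16 hops).
resolve_path() {
  target=$1
  hops=0
  while [ -L "$target" ]; do
    hops=$((hops + 1))
    [ "$hops" -le 16 ] || return 1
    dir=$(cd -P "$(dirname "$target")" && pwd -P) || return 1
    link=$(readlink "$target") || return 1
    case $link in
      /*) target=$link ;;
      *)  target=$dir/$link ;;
    esac
  done
  dir=$(cd -P "$(dirname "$target")" && pwd -P) || return 1
  printf '%s/%s\n' "$dir" "$(basename "$target")"
}

# Return 0 only if contrast-transpile is already installed under APP_DIR ($1)
# and its .bin entry resolves to a file inside node_modules/@contrast/agent.
check_local_rewriter() {
  app_dir=$(cd -P "$1" 2>/dev/null && pwd -P) || { echo "no such directory: $1" >&2; return 1; }
  pkg_dir=$app_dir/node_modules/@contrast/agent
  bin=$app_dir/node_modules/.bin/contrast-transpile

  [ -f "$pkg_dir/package.json" ] || { echo "@contrast/agent is not installed" >&2; return 1; }
  [ -e "$bin" ] || { echo "contrast-transpile is not linked in node_modules/.bin" >&2; return 1; }

  pkg_real=$(cd -P "$pkg_dir" && pwd -P) || return 1
  real=$(resolve_path "$bin") || return 1
  case $real in
    "$pkg_real"/*) return 0 ;;
    *) echo "contrast-transpile resolves outside @contrast/agent: $real" >&2; return 1 ;;
  esac
}

# Build-step usage (the npx command is the one shown on this page):
#   check_local_rewriter . && npx -p @contrast/agent --no contrast-transpile index.js
```

A non-zero return should fail the image build, so the rewriter never runs from an unexpected location.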