Skip to main content


Contrast Scan is a static application security testing (SAST) tool that makes it easy for you to find and remediate vulnerabilities. It is a valuable tool to use during the development phase of an application. Licensed, hosted customers have access to this feature.

To scan an application, you upload binary packages to a Contrast secure environment. After you upload the code, you start the scan. The scan observes the data flows in the source code and identifies vulnerabilities that could allow malicious attacks. Some examples of these malicious attacks include SQL injections, command injections, and server-side injections.

The scan results identify vulnerabilities in custom code. After fixing these issues, running the scan again verifies that the code changes removed one or more vulnerabilities.

No open-source code or libraries are included in the scan.

Image shows the Scan workflow


  • Ability to create scan groups that enable you to track results of multiple scans

  • Scan settings that let you change the name of a scans

  • Starting or stopping scans

  • Views of identified vulnerability details

  • Monitoring of scan progress and history

  • Assignment of status to vulnerability records

  • Integration of scanning into your CI/CD pipeline

  • Information about risk and approaches for fixing each type of vulnerability

See also

Scan supported languages