Scans
Contrast Scan is a static application security testing (SAST) tool that lets you quickly scan code to identify vulnerabilities in early stages of development.
You can use these scan methods:
Hosted: Use this scan method if you are able to upload code to the Contrast platform. To start a scan, use the Contrast web interface. Scan results are posted in the Contrast web interface.
CLI: Use this scan method if you prefer to use CLI commands to upload code to the Contrast platform. Scan results are posted in the Contrast web interface or an integration such as GitHub or Jenkins.
Contrast Scan local engine: Use this scan method for code on your local system. The Contrast platform receives the results but you don't upload local code. Scan results are posted in the Contrast web interface or in an integration such as GitHub or Jenkins.
Depending on the type of code you submit for scanning, Contrast Scan uses one of these scan engines:
Java binary: Scans Java JAR or WAR files.
The Java binary scan supports only web applications (applications that handle HTTP traffic).
This type of scan has a narrower focus than a source code scan. It looks for data that comes from an untrusted source, such as user input, and reaches a dangerous sink, such as an SQL statement, without being sanitized. The scan doesn't report on code that is not security relevant. This type of scan uses Scan policies (for example, rules that identify dangerous potential sink calls, or calls and entry points that allow untrusted data to enter the application) to find security-relevant code.
Source code: Scans artifacts for most languages.
This type of scan has a wider focus than a Java binary scan. It searches the code for potential vulnerabilities based on a rule set. The results are typically less accurate than a Java binary scan.
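The source-to-sink check that the Java binary scan performs, shown as an added toy illustration (this is not Contrast's code, and the policy sets, the `Stmt` form and the sample programs are constructed for the example): untrusted data is reported only when it reaches a sink with no sanitizer on its path, and code with no untrusted data and no sink produces no finding.

```python
from dataclasses import dataclass
# Constructed policy: calls that introduce untrusted data, calls that clean it,
# and dangerous sinks. This is not Contrast's real Scan policy.
POLICY = {
    "sources": {"request.getParameter", "request.getHeader"},
    "sanitizers": {"ESAPI.encodeForSQL"},
    "sinks": {"Statement.executeQuery", "Runtime.exec"},
}
@dataclass(frozen=True)
class Stmt:
    target: str   # variable assigned by the call ("" if the result is unused)
    callee: str   # qualified method name
    args: tuple   # variable names; string literals are prefixed with a quote

def analyze(program, policy=POLICY):
    """Return (line, sink, variable, origin_line) for every untrusted value
    that reaches a sink without passing through a sanitizer."""
    taint = {}       # tainted variable -> line where untrusted data entered
    findings = []
    for line, s in enumerate(program, 1):
        tainted = [a for a in s.args if a in taint]   # evaluate before assigning
        if s.callee in policy["sources"]:
            taint[s.target] = line
        elif s.callee in policy["sanitizers"]:
            taint.pop(s.target, None)                 # result is clean
        elif s.callee in policy["sinks"]:
            findings += [(line, s.callee, a, taint[a]) for a in tainted]
            taint.pop(s.target, None)
        elif tainted:
            taint[s.target] = taint[tainted[0]]       # taint flows through
        else:
            taint.pop(s.target, None)                 # not security relevant
    return findings
# Constructed sample programs: an HTTP parameter concatenated into SQL.
VULNERABLE = [
    Stmt("name", "request.getParameter", ("'user",)),
    Stmt("query", "String.concat", ("'SELECT * FROM users WHERE name=", "name")),
    Stmt("rs", "Statement.executeQuery", ("query",)),
]
SANITIZED = [
    Stmt("name", "request.getParameter", ("'user",)),
    Stmt("safe", "ESAPI.encodeForSQL", ("name",)),
    Stmt("query", "String.concat", ("'SELECT * FROM users WHERE name=", "safe")),
    Stmt("rs", "Statement.executeQuery", ("query",)),
]
NOT_RELEVANT = [   # no untrusted data and no sink: nothing to report
    Stmt("msg", "String.concat", ("'Hello ", "'world")),
    Stmt("", "System.out.println", ("msg",)),
]
```

`analyze(VULNERABLE)` reports the flow from line 1 into the `executeQuery` sink on line 3; the sanitized and non-relevant programs produce no findings.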
Scan feature comparison
This table lists the features that each scan method supports.
Features | Scan local engine | Contrast hosted platform | CLI |
---|---|---|---|
Scan types | |||
Multi-language source code scan | |||
Java binary | |||
Upload source code to Contrast platform | |||
File size | |||
Max file size = 1 GB | |||
Integrations | |||
SCM integration with GitHub action | |||
Pipeline integration (for example, Jenkins) | |||
Branch support | |||
Fail builds | |||
Customizations | |||
Timeout settings | |||
Memory settings | |||
Resource group assignments | |||
File exclusions | |||
Scan tasks
In Contrast Scan, you can: