
Scans

Contrast Scan is a static application security testing (SAST) tool that lets you quickly scan code to identify vulnerabilities in early stages of development.

You can use these scan methods:

  • Hosted: Use this scan method if you are able to upload code to the Contrast platform. To start a scan, use the Contrast web interface. Scan results are posted in the Contrast web interface.

  • CLI: Use this scan method if you prefer to use CLI commands to upload code to the Contrast platform. Scan results are posted in the Contrast web interface or an integration such as GitHub or Jenkins.

  • Contrast Scan local engine: Use this scan method for code on your local system. The Contrast platform receives the results but you don't upload local code. Scan results are posted in the Contrast web interface or in an integration such as GitHub or Jenkins.

Depending on the type of code you submit for scanning, Contrast Scan uses one of these scan engines:

  • Java binary: Scans Java JAR or WAR files.

    The Java binary scan supports only web applications (applications that handle HTTP traffic).

    This type of scan has a narrower focus than a source code scan. It looks for data that comes from an untrusted source, such as user input, and reaches a dangerous sink, such as an SQL statement, without sanitization. The scan doesn't report on code that is not security relevant. To find security-relevant code, it uses Scan policies that describe, for example, which calls are potentially dangerous sinks and which calls or entry points allow untrusted data to enter the application.

  • Source code: Scans artifacts for most languages.

    This type of scan has a wider focus than a Java binary scan. It searches the code for potential vulnerabilities based on a rule set. The results are typically less accurate than a Java binary scan.
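To illustrate the source-to-sink check the Java binary scan description above refers to, here is a toy taint-flow checker added for this page. It is not Contrast's engine or policy files; the policy sets, method names and sample programs are all constructed for the example.

```python
from dataclasses import dataclass

# Toy scan policy, constructed for this example (not Contrast's own policy): entry
# points that introduce untrusted data, sanitizers, and sinks with their vuln class.
SOURCES = {"HttpServletRequest.getParameter"}
SANITIZERS = {"ESAPI.encodeForSQL"}
SINKS = {"Statement.executeQuery": "sql-injection"}

@dataclass(frozen=True)
class Call:
    """One statement in a straight-line program: result = method(args)."""
    result: str       # variable receiving the return value ("" if unused)
    method: str       # fully qualified method name
    args: tuple = ()  # variable names passed as arguments

def find_flows(program):
    """Report each sink call that receives untrusted data with no sanitizer
    on the path; returns a list of (statement index, method, vulnerability)."""
    tainted = set()   # variables currently holding untrusted data
    findings = []
    for i, c in enumerate(program):
        if c.method in SOURCES:
            tainted.add(c.result)
        elif c.method in SANITIZERS:
            tainted.discard(c.result)  # sanitizer output is clean by policy
        elif c.method in SINKS:
            if any(a in tainted for a in c.args):
                findings.append((i, c.method, SINKS[c.method]))
        elif c.result:
            # Ordinary call: taint flows from any tainted argument to the
            # result; assigning from clean inputs clears the variable's taint.
            if any(a in tainted for a in c.args):
                tainted.add(c.result)
            else:
                tainted.discard(c.result)
    return findings

# Constructed programs: VULNERABLE concatenates a request parameter into a query,
# SANITIZED encodes it first, NOT_RELEVANT never touches untrusted data.
VULNERABLE = [
    Call("id", "HttpServletRequest.getParameter", ("req", "name")),
    Call("query", "String.concat", ("prefix", "id")),
    Call("rs", "Statement.executeQuery", ("stmt", "query")),
]
SANITIZED = [VULNERABLE[0],
             Call("safe_id", "ESAPI.encodeForSQL", ("codec", "id")),
             Call("query", "String.concat", ("prefix", "safe_id")),
             VULNERABLE[2]]
NOT_RELEVANT = [Call("query", "String.concat", ("prefix", "constant")),
                VULNERABLE[2]]
```

Only VULNERABLE produces a finding; the sanitized and non-security-relevant programs come back empty, which is the behaviour the policy-driven binary scan is described as having.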

Scan feature comparison

This table lists the features that each scan method supports.

Feature                                    | Scan local engine | Contrast hosted platform | CLI
-------------------------------------------+-------------------+--------------------------+-----
Scan types                                 |                   |                          |
  Multi-language source code scan          | Yes               | Yes                      | Yes
  Java binary                              | Yes               | Yes                      | Yes
  Upload source code to Contrast platform  | No                | Yes                      | Yes
File size                                  |                   |                          |
  Max file size = 1 GB                     | No                | Yes                      | Yes
Integrations                               |                   |                          |
  SCM integration with GitHub action       | Yes               | No                       | Yes
  Pipeline integration (for example, Jenkins) | Yes            | No                       | Yes
  Branch support                           | Yes               | No                       | No
  Fail builds                              | Yes               | No                       | Yes
Customizations                             |                   |                          |
  Timeout settings                         | Yes               | No                       | No
  Memory settings                          | Yes               | No                       | No
  Resource group assignments               | Yes               | Yes                      | Yes
  File exclusions                          | Yes               | No                       | No

Scan tasks

In Contrast Scan, you can:

See also

Scan supported languages