Executing the Code Scan Agent

Linux Executable-based Execution

Case 1: Executing the AppViewX Code Scan Agent via the CI/CD Pipeline

To execute the AppViewX Code Scan Agent in the CI/CD pipeline, run the following command:
./code-scan-agent \
  --input-folder "/path/to/repository" \
  --output-folder "/path/to/output-folder" \
  --config "/path/to/config.ini" \
  --key "/path/to/secret.key" \
  --log-dir "/path/to/log-directory"
Here:
  • /path/to/repository: absolute path of the input folder (the repository checkout) to be scanned
  • /path/to/output-folder: absolute path of the output folder in which the scan results are stored
  • /path/to/config.ini: absolute path of the config.ini file
  • /path/to/secret.key: absolute path of the key file used to decrypt the config file
  • /path/to/log-directory: absolute path of the log directory in which logs are stored

Case 2: Executing the AppViewX Code Scan Agent in the Local File System

Execute the following command in the server where the AppViewX Code Scan Agent and the configuration file are available:
./code-scan-agent --config /path/to/config.ini --key /path/to/secret.key
Here:
  • /path/to/config.ini: absolute path of the config.ini file
  • /path/to/secret.key: absolute path of the key file used to decrypt the config file

Output (for both, Case 1 and Case 2)

The Code Scan Agent begins scanning the code in the specified input folder.
The CycloneDX CBOM output is written to the specified output folder. Along with the CBOM, a SARIF report is generated when the agent runs in a CI/CD pipeline; the SARIF report can be integrated with security dashboards such as GitHub code scanning.
After the scan completes, if you answered Yes to the prompt Do you wish to send reports to AppViewX?, the scan results are uploaded automatically to the AppViewX platform. These reports are displayed on the Code Scan dashboard and in the Code Scan Inventory in the Quantum Trust Hub.

Docker-based Agent Execution

Case 1: Executing the AppViewX Code Scan Agent via the CI/CD Pipeline

To execute the AppViewX Code Scan Agent in the CI/CD pipeline, run the following command:
sudo docker run --rm \
  -v "/path/to/input-folder:/input-folder-name" \
  -v "/path/to/output-folder:/output-folder" \
  -v "/path/to/config.ini:/config.ini" \
  -v "/path/to/secret.key:/secret.key" \
  -v "/path/to/log-folder:/logs" \
  code-scan-agent:v1.0.0 \
  --input-folder /input-folder-name \
  --output-folder /output-folder \
  --log-dir /logs \
  --config /config.ini \
  --key /secret.key
Here:
  • /path/to/input-folder: absolute path of the input folder (the repository checkout) to be scanned
  • /path/to/output-folder: absolute path of the output folder in which the scan results are stored
  • /path/to/config.ini: absolute path of the config.ini file
  • /path/to/secret.key: absolute path of the key file used to decrypt the config file
  • /path/to/log-folder: absolute path of the log directory in which logs are stored

Case 2: Executing the AppViewX Code Scan Agent in the Local File System

To execute the Docker-based AppViewX Code Scan Agent in your local file system, run the following command:
sudo docker run --rm \
  -v "/path/to/input-folder:/input-folder-name" \
  -v "/path/to/output-folder:/output-folder" \
  -v "/path/to/config.ini:/config.ini" \
  -v "/path/to/secret.key:/secret.key" \
  -v "/path/to/log-folder:/logs" \
  code-scan-agent:v1.0.0 \
  --log-dir /logs \
  --key /secret.key \
  --config /config.ini
Here:
  • /path/to/input-folder: absolute path of the input folder (the repository checkout) to be scanned
  • /path/to/output-folder: absolute path of the output folder in which the scan results are stored
  • /path/to/config.ini: absolute path of the config.ini file
  • /path/to/secret.key: absolute path of the key file used to decrypt the config file
  • /path/to/log-folder: absolute path of the log directory in which logs are stored
Tip: It is advised that you mount the input folder under the same name as the repository. For example, if the repository name is repo_1 and its path is /home/user/repo_1, mount the input folder with: -v "/home/user/repo_1:/repo_1".

This ensures that the filePath shown in the inventory is a valid path relative to the repository name, rather than the absolute path on the runner machine.
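The following wrapper is an added example for this page, not code from the AppViewX documentation or the product. It wires the Docker-based invocation above (Case 1 and Case 2) into a CI/CD step: it derives the mount name from the repository directory as the Tip recommends, refuses to run if the decryption key is group- or world-readable (the key is bind-mounted as-is, so host permissions carry into the container), mounts the source tree, config.ini and secret.key read-only, and fails the step if no reports appear. Only the image tag code-scan-agent:v1.0.0 and the command-line flags come from the page; the :ro mounts, the permission check, the DRY_RUN switch and the assumption that the CBOM is written as a .json file and the SARIF report as a .sarif file are this example's own. The same key and output checks apply equally to the Linux executable invocation in the first section.

```shell
#!/bin/sh
# Added example, not AppViewX's own code: CI/CD wrapper for the
# Docker-based Code Scan Agent. Image tag and flags are from the page;
# read-only mounts, the key-permission check, DRY_RUN and the report
# file-name assumption in verify_outputs are this example's choices.
set -eu

IMAGE="code-scan-agent:v1.0.0"   # image tag as shown on the page

# Mount target = repository directory name (per the Tip above), so the
# inventory shows paths relative to the repository, not runner paths.
repo_mount_name() {
  basename "$1"
}

# The key file is bind-mounted unchanged, so host permissions carry into
# the container. Require that group and others have no access (e.g. -rw-------).
key_perms_ok() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Fail the step if the expected reports are missing from the output folder.
# Assumption (not stated on the page): CBOM is *.json, SARIF report is *.sarif.
verify_outputs() {
  out_dir="$1"
  sarif=$(find "$out_dir" -maxdepth 1 -name '*.sarif' | head -n 1)
  cbom=$(find "$out_dir" -maxdepth 1 -name '*.json' | head -n 1)
  [ -n "$sarif" ] && [ -n "$cbom" ]
}

# run_scan <repo-dir> <output-dir> <config.ini> <secret.key> <log-dir>
# With DRY_RUN=1 the docker command line is printed instead of executed.
run_scan() {
  repo="$1"; out="$2"; cfg="$3"; key="$4"; logs="$5"
  name=$(repo_mount_name "$repo")
  key_perms_ok "$key" || {
    echo "refusing to run: $key is readable by group or others" >&2
    return 1
  }
  # Build the argument list with set -- so paths containing spaces stay intact.
  # Source tree, config and key are mounted read-only (:ro); the agent only
  # needs to write to the output and log folders.
  set -- run --rm \
    -v "$repo:/$name:ro" \
    -v "$out:/output-folder" \
    -v "$cfg:/config.ini:ro" \
    -v "$key:/secret.key:ro" \
    -v "$logs:/logs" \
    "$IMAGE" \
    --input-folder "/$name" \
    --output-folder /output-folder \
    --log-dir /logs \
    --config /config.ini \
    --key /secret.key
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'docker'; printf ' %s' "$@"; printf '\n'
    return 0
  fi
  mkdir -p "$out" "$logs"
  docker "$@"
  verify_outputs "$out"
}

# Usage from a CI job whose checkout is in $CI_REPO (hypothetical variable):
# run_scan "$CI_REPO" "$CI_REPO/../scan-out" /etc/appviewx/config.ini \
#          /etc/appviewx/secret.key "$CI_REPO/../scan-logs"
```

Run the wrapper without sudo from a CI user that is a member of the docker group, or prefix the docker invocation with sudo exactly as the page does; either way, keep secret.key at mode 600 and owned by that user so key_perms_ok passes and nobody else on the runner can read it.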

Output (for both, Case 1 and Case 2)

The Code Scan Agent begins scanning the code in the mounted input folder.
The CycloneDX CBOM output is written to the mounted output folder. Along with the CBOM, a SARIF report is generated when the agent runs in a CI/CD pipeline; the SARIF report can be integrated with security dashboards such as GitHub code scanning.
After the scan completes, if you answered Yes to the prompt Do you wish to send reports to AppViewX?, the scan results are uploaded automatically to the AppViewX platform. These reports are displayed on the Code Scan dashboard and in the Code Scan Inventory in the Quantum Trust Hub.