A remote scan is an alternate way to scan with no UI intervention. This can be done using a continuous integration toolchain, or manually via the command line. The results are then published on the UI automatically.
For languages such as C or C++, a strict mode remote scan can help to increase the accuracy of the scan.
Note: The repository type must be set to remote
How to download embold-scanner from Embold?
Download embold-scanner from your Embold Account’s section > Releases tab > CLI. There will be one file with a name similar to ‘browserstack-codequality-scanner-archive.tar.gz’.
Remote scan using embold-scanner
- Download the Embold CLI tool from the control panel. Extract it and make sure the tool has the required executable permissions.
- Log in to the Embold server and create a Project in Embold. Read more about creating a new project here.
- Generate the Embold Access Token (EAT) for the remote scan. Read more here about generating an EAT.
- Create and link a remote repository with the language you want to scan. Download the repository configuration (repository-configuration.json) for this newly added remote repository.
Commands
- embold-scanner – This command is applicable for Linux machines.
- embold-scanner.bat – This command is applicable for Windows machines.
Sub-commands
- analyse – Scans the local repository and publishes the scan results to the Embold UI.
- local-analyse – Scans the repository locally and stores the results in CSV without publishing to the Embold UI.
- gated-commit – Use to scan the changed files before the commit is performed.
Usage: embold-scanner analyse [-am <arg>] [-b <arg>] [-c <arg>] [-d <arg>] [-h] [-l <arg>] [-r <arg>] [-s <arg>] [-sh <arg>] [-si <arg>] [-sp <arg>] [-ssu] -t <arg> -u <arg> [-vd <arg>] [-rn <arg>] [-ci <arg>] [-sd <arg>] [-v]
Example
- Linux:
embold-scanner analyse -c <./repository-configuration.json> -u <Embold URL> -t <Embold TOKEN> [-b <BASE_DIR>] [-d <DATA_DIR>] [-s <snapshot name>] [-r <REPO UID>] [-sh <CORONA PACKAGE PATH>] [-l <LOG_FOLDER>]
- Windows:
embold-scanner.bat analyse -c <./repository-configuration.json> -u <Embold URL> -t <Embold TOKEN> [-b <BASE_DIR>] [-d <DATA_DIR>] [-s <snapshot name>] [-r <REPO UID>] [-sh <CORONA PACKAGE PATH>] [-l <LOG_FOLDER>]
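A CI wrapper around the Linux invocation above, added here as an example and not part of Embold's own tooling. It assumes EMBOLD_URL and EMBOLD_TOKEN come from the CI secret store, CONFIG points at the downloaded repository-configuration.json, SNAPSHOT_LABEL and REPO_UID are optional CI variables, and embold-scanner is on PATH.

```shell
#!/bin/sh
# Added example (not Embold's own script): CI wrapper for `embold-scanner analyse`.
# Assumed inputs: EMBOLD_URL, EMBOLD_TOKEN (CI secrets), CONFIG (path to the
# downloaded repository-configuration.json), optional SNAPSHOT_LABEL and REPO_UID.
set -eu

# Fail fast: the token is sent with every request, so insist on https;
# report whether the token is set but never print its value.
validate_inputs() {
  url="$1"; token="$2"; config="$3"
  case "$url" in
    https://*) ;;
    *) echo "EMBOLD_URL must start with https://" >&2; return 1 ;;
  esac
  [ -n "$token" ] || { echo "EMBOLD_TOKEN is empty" >&2; return 1; }
  [ -f "$config" ] || { echo "config file not found: $config" >&2; return 1; }
}

# Every linter the scan needs (see the prerequisites table) must be on PATH.
check_tools() {
  missing=""
  for tool in "$@"; do
    command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
  done
  [ -z "$missing" ] || { echo "missing tools:$missing" >&2; return 1; }
}

# Loggable form of the command: the token stays as a literal $EMBOLD_TOKEN
# reference, so printing this string to the CI log does not leak it.
build_scan_cmd() {
  url="$1"; config="$2"; snapshot="${3:-}"; repo_uid="${4:-}"
  cmd="embold-scanner analyse -c $config -u $url -t \$EMBOLD_TOKEN"
  [ -z "$snapshot" ] || cmd="$cmd -s $snapshot"
  [ -z "$repo_uid" ] || cmd="$cmd -r $repo_uid"
  echo "$cmd"
}

# The real scan runs only when RUN_SCAN=1, so the checks can be exercised alone.
if [ "${RUN_SCAN:-0}" = "1" ]; then
  validate_inputs "$EMBOLD_URL" "$EMBOLD_TOKEN" "$CONFIG"
  check_tools cppcheck   # replace with the linters for the scanned language
  echo "running: $(build_scan_cmd "$EMBOLD_URL" "$CONFIG" "${SNAPSHOT_LABEL:-}" "${REPO_UID:-}")"
  set +x   # make sure a tracing shell does not echo the expanded token
  embold-scanner analyse -c "$CONFIG" -u "$EMBOLD_URL" -t "$EMBOLD_TOKEN" \
    ${SNAPSHOT_LABEL:+-s "$SNAPSHOT_LABEL"} ${REPO_UID:+-r "$REPO_UID"}
fi
```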
Options
| Option | Description |
| --- | --- |
| -t, --token <arg> | Embold token |
| -u, --url <arg> | Embold URL |
| -am, --analysis-mode <arg> | Analysis mode |
| -b, --repository-base-dir <arg> | Scan will happen for this directory |
| -c, --scan-config-file <arg> | Scan settings YAML/JSON file path |
| -d, --data-dir <arg> | Data directory for temporary use |
| -h, --help | Help |
| -l, --scanner-logs <arg> | Embold scanner logs directory path |
| -r, --repository-uid <arg> | The data will be published to this repository in the Embold UI |
| -s, --snapshot-label <arg> | This label identifies the snapshot that will be published on the Embold UI after a successful scan. The value can also be an environment variable |
| -sh, --scanner-home <arg> | Embold scanner home path |
| -si, --session-id <arg> | Session ID |
| -sp, --scan-profile <arg> | Scan profile XML file path |
| -ssu, --skip-source-upload | Skip source upload |
| -rn, --revision-number <arg> | SCM revision number |
| -ci, --component-uid <arg> | SCM component ID |
| -sd, --snapshot-id <arg> | Snapshot ID |
| -v, --verbose | Enable verbose mode |
| -vd, --vcs_details <arg> | VCS details |
After a successful remote scan, the results below are displayed to the user in the Embold UI.
Prerequisites
- The file paths used for -sh (scanner home), -l (scanner logs) and -d (data directory) must have read and write permission.
- The following linters/tools must be installed on the remote machine:
| Language | Linter | Version |
| --- | --- | --- |
| CPP | cppcheck | 2.8 |
| C_SHARP | microsoft_security_codescan | 5.6.2 |
| TYPESCRIPT | eslint | v7.32.0 |
| TYPESCRIPT | tslint | 5.9.1 |
| JAVASCRIPT | jshint | 2.9.5 |
| JAVASCRIPT | eslint | v7.32.0 |
| GO | staticcheck | v0.2.1 |
| GO | gosec | 2.8.1 |
| GO | gometalinter | v2.0.0 |
| PYTHON | bandit | 1.7.0 |
| PYTHON | pylint | 2.11.1 |
| PYTHON | dlint | 0.11.0 |
| PHP | phpcs | 3.2.3 |
| PHP | phpmd | 2.6.1 |
| RUBY | brakeman | 5.1.1 |
| KOTLIN | detekt | 1.18.1 |
| KOTLIN | mobsfscan | 0.1.0 |
| SOLIDITY | solhint | 3.3.6 |
| SWIFT | swiftlint | 0.32.0 |
| APEX | pmd | 6.39.0 |
| HTML | htmlhint | 0.15.1 |
| SQL | sqlcheck | 1 |
| CSS | stylelint | 14.15.1 |
| INFRASTRUCTURE | checkov | 2.0.654 |
| YAML | kubesec | 2.11.5 |
| LUA | luacheck | 0.23.0 |
Prerequisites to run a remote scan for Swift
- Install Xcode on your macOS machine.
- Run the command below; the output should be similar to the screenshot.
xcode-select -p
- If your output does not match the screenshot, run the command below.
sudo xcode-select -s /Applications/Xcode.app/Contents/Developer
- Re-verify the output of the following command.
xcode-select -p
- Your final output should match the screenshot.
- Now run the remote scan.
Configuration for HTTPS-enabled Embold
- Import the same set of certificates used for Embold into the default JRE keystore on the standalone Corona machine.
- Default JRE path: Java/jre1.8.0_171/lib/security.
- Below is the command:
keytool -import -trustcacerts -alias gamma -file <certificate file> -keystore cacerts