Use static analysis to scan source code for security vulnerabilities. To accomplish this, download a small client utility and use its command line interface (CLI) perform security analysis on all supported languages. The client utility also contains a Maven plugin that can be used to scan Java projects. Static analysis plug-ins for
Eclipse,
IntelliJ IDEA, and
Visual Studio are available through their respective marketplaces. Once plugins are installed, you can scan Java projects in Eclipse and IntelliJ IDEA, or .NET (C#, ASP.NET, VB.NET) projects in Visual Studio.
Before you begin
To learn about all of the languages that are supported for static analysis scans, see
Language support.
Procedure
To scan your code:
- In the What type of app are you scanning today? screen, select
Desktop or .
- Download and set up the Static Analyzer Client Utility, as described in Setting up the Static Analyzer Client Utility.
- Scan or generate an IRX
file for your code.
- To generate an IRX
file by using the CLI, follow the instructions in Generating an IRX file by using the command line interface (CLI). You can scan
all supported languages from the CLI.
- To generate an IRX
file for a Maven project, follow the instructions in Generating an IRX file for a Maven project.
- To scan source code in Eclipse, IntelliJ IDEA, or Visual Studio, follow the instructions in
Scanning in integrated development environments. In Eclipse and IntelliJ IDEA, you can scan Java projects - and
in Visual Studio, you can scan .NET (C#, ASP.NET, VB.NET).
- If you generated an IRX
file using the CLI or Maven commands, drag and drop the IRX
file - or browse for it by choosing Select file.
- Enter a name for the scan - or use the name that is generated.
- If you would like to receive an email when the scan is complete, select the
check box.
- Click Scan.