For a specific application, the user wants to scan the docker image and the application source code in a single Highlight CLI job, and keep the docker image findings and the source code findings in a single snapshot.
Details
If both scans are merged into the same result, it will not be easy to mitigate findings, so creating two applications is recommended.
However, the scan can be done with the CLI options --appendResult and --skipSubmit. It is recommended to run two scans using the --skipSubmit and --appendResult options:
The --appendResult option can be used to upload multiple results for the same application (e.g., you scanned one part on day 1, then scanned the second part on day 2, etc.). In this specific case, you don't want to submit results (calculate scores) for part 1 only; you want to append all result zip files and submit the results once, after all the parts are uploaded.
First folder scan with --skipSubmit
Second scan with --appendResult
See this article for more information on these flags: CAST HIGHLIGHT - CLI - Can --appendResult and --skipSubmit options be used together in a command?
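The two-step run described above, as an added example that is not from the article or from CAST: step 1 scans the source folder with --skipSubmit, step 2 scans the docker image with --appendResult. Only --skipSubmit and --appendResult come from this article; the jar name, the --workingDir, --sourceDir, --dockerImageName, --serverUrl, --companyId, --applicationId and --tokenAuth options, and the shared working directory are assumptions from general Highlight CLI usage, and all IDs and paths are placeholders.

```shell
#!/bin/sh
# Two-step Highlight CLI run: source scan with --skipSubmit, then docker
# image scan with --appendResult. Both steps reuse one working directory so
# the second result is appended to the first and submitted as one snapshot
# (assumption: results are appended within the working directory).
# Jar name, option names other than --skipSubmit/--appendResult, IDs and
# paths below are assumptions/placeholders, not values from the article.
HL_JAR="${HL_JAR:-HighlightAutomation.jar}"
HL_WORKDIR="${HL_WORKDIR:-/tmp/highlight-work}"   # same for both steps
HL_SERVER="${HL_SERVER:-https://rpa.casthighlight.com}"
HL_COMPANY_ID="${HL_COMPANY_ID:-PLACEHOLDER_COMPANY_ID}"
HL_APP_ID="${HL_APP_ID:-PLACEHOLDER_APPLICATION_ID}"
HL_TOKEN="${HL_TOKEN:-PLACEHOLDER_TOKEN}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them

# Options shared by both steps (same working dir, same application).
hl_common_opts() {
  printf 'java -jar %s --workingDir %s --serverUrl %s --companyId %s --applicationId %s --tokenAuth %s' \
    "$HL_JAR" "$HL_WORKDIR" "$HL_SERVER" "$HL_COMPANY_ID" "$HL_APP_ID" "$HL_TOKEN"
}

# Step 1: scan the source folder but do not submit (no score computed yet).
source_scan_cmd() {
  printf '%s --sourceDir %s --skipSubmit\n' "$(hl_common_opts)" "$1"
}

# Step 2: scan the docker image, append it to step 1's result and submit.
docker_scan_cmd() {
  printf '%s --dockerImageName %s --appendResult\n' "$(hl_common_opts)" "$1"
}

# Run both steps in order; stop if the first one fails so nothing is
# appended to a missing or broken result.
run_two_step_scan() {
  src_dir="$1"; image="$2"
  for cmd in "$(source_scan_cmd "$src_dir")" "$(docker_scan_cmd "$image")"; do
    echo "+ $cmd"
    [ "$DRY_RUN" = "1" ] || sh -c "$cmd" || return 1
  done
}

run_two_step_scan /path/to/source myregistry/myapp:1.0
```

Set DRY_RUN=0 to actually execute the two commands once the placeholders are replaced with real values.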
NB: As docker images are used for packaging and deploying applications, the large number of open source components a docker image contains may represent a significant risk. By including options for scanning a docker image in Highlight CLI, users can scan the contents of the docker image to identify its potential risks and vulnerabilities. Please check the requirements for Scanning Docker Images.
Related Article
CAST HIGHLIGHT - Analyzer - Can Zip files be used for Analysis ?
Ticket
42690