Configuration commands (Windows)

Use configuration commands to prepare your files for scanning.

appscan prepare

Syntax:

appscan prepare -c <configuration_file> -d <save_path> -dr, --dryrun -jdk <jdk_path> -l <log_path> -n <file_name> -nc, --noConfigFile -oso, --openSourceOnly

Description:

Generate an IRX file.

Note: When you scan code or generate an IRX file, you might receive a message about updating to the latest Static Analyzer Command Line Utility. See Command Line Utility (CLI) support.

Optional flags/settings:

  • -c: Specify -c <configuration_file>, where <configuration_file> is the path to the scan configuration file that controls how the IRX file is generated.
  • -d: Specify -d <save_path>, where <save_path> is the directory that you want to save the IRX file to.
  • -dr, --dryrun: Specify -dr or --dryrun to discover and validate scan targets, but not generate an .irx file.
  • -jdk: Specify -jdk <jdk_path> to indicate the path to your JDK installation to be used in lieu of the default JDK 17. If using a config file (-c <configuration_file>) and the jdk_path attribute is used, the value specified in the config file takes precedence.
  • -l: Specify -l <log_path>, where <log_path> is the directory that you want to save the log files to.
  • -n: Specify -n <file_name>, where <file_name> is the IRX file name. You can specify the file name with or without the .irx file extension. If you specify it without the extension, it is automatically added for you when the file is generated.
  • -nc, --noConfigFiles: Disables the processing of configuration files for Software Composition Analysis (SCA).
  • -oso, --openSourceOnly: Specify -oso or --openSourceOnly to look only for known vulnerabilities in SCA packages. When -oso or --openSourceOnly is specified, AppScan on Cloud does not perform static analysis on the package.
    Note: When a user has an Open Source license, SCA analysis is part of a static scan by default. This option limits analysis to SCA vulnerabilities. Users must have an Open Source license to take advantage of SCA-only analysis.
Tip: For all commands, options can be used in any order.

Examples:

To generate an IRX file using the configuration file c:\my_config_files\my_config.xml and save it as c:\my_irx_files\my_scan.irx, issue this command:

appscan prepare -c c:\my_config_files\my_config.xml -d c:\my_irx_files -n my_scan.irx
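The following PowerShell script is an added example (not part of the HCL AppScan documentation) that wraps the prepare command with the flags described above, creates the save and log directories, and confirms that the IRX file was actually written. It assumes that appscan (appscan.bat from the extracted SAClientUtil bin directory) is on the PATH and returns a non-zero exit code on failure; both are assumptions, as the page does not state them.

```powershell
# Added example: run "appscan prepare" with validation around it.
# Assumes appscan is on PATH and exits non-zero on failure (not stated on the page).
param(
    [Parameter(Mandatory)] [string] $ConfigFile,        # -c <configuration_file>
    [Parameter(Mandatory)] [string] $SaveDir,           # -d <save_path>
    [Parameter(Mandatory)] [string] $Name,              # -n <file_name>
    [string] $LogDir = (Join-Path $SaveDir 'logs'),     # -l <log_path>
    [string] $JdkPath,                                  # -jdk <jdk_path>, optional
    [switch] $OpenSourceOnly,                           # -oso: SCA-only analysis
    [switch] $DryRun                                    # -dr: validate targets, no IRX
)

if (-not (Test-Path -LiteralPath $ConfigFile -PathType Leaf)) {
    throw "Configuration file not found: $ConfigFile"
}
foreach ($dir in @($SaveDir, $LogDir)) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
}

# The CLI adds .irx itself when the extension is omitted; normalise so the
# existence check below looks for the file the CLI will actually write.
if ([IO.Path]::GetExtension($Name) -ne '.irx') { $Name = "$Name.irx" }

$cliArgs = @('prepare', '-c', $ConfigFile, '-d', $SaveDir, '-n', $Name, '-l', $LogDir)
# Note: a jdk_path attribute in the config file takes precedence over -jdk.
if ($JdkPath)        { $cliArgs += @('-jdk', $JdkPath) }
if ($OpenSourceOnly) { $cliArgs += '-oso' }
if ($DryRun)         { $cliArgs += '-dr' }

Write-Host "Running: appscan $($cliArgs -join ' ')"
& appscan @cliArgs
if ($LASTEXITCODE -ne 0) {
    throw "appscan prepare failed with exit code $LASTEXITCODE; see the logs in $LogDir"
}

$irx = Join-Path $SaveDir $Name
if ($DryRun) {
    Write-Host "Dry run completed; scan targets were validated and no IRX file was generated."
} elseif (Test-Path -LiteralPath $irx -PathType Leaf) {
    $size = (Get-Item -LiteralPath $irx).Length
    Write-Host "Generated $irx ($size bytes); this is the file to upload to AppScan on Cloud."
} else {
    throw "appscan reported success but $irx was not found"
}
```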

appscan prepare_sca

Syntax:

appscan prepare_sca -d <save_path> -l <log_path> -n <file_name> -X, --debug -container <container> -image <image>

Description:

Generate an IRX file against a Docker image for running Software Composition Analysis (SCA). When run without parameters, this command is equivalent to running appscan prepare -oso.
Important: Docker CLI tools must be installed and configured on the system to scan Docker containers and images.

Optional flags/settings:

  • -d: Specify -d <save_path>, where <save_path> is the directory that you want to save the IRX file to.
  • -l: Specify -l <log_path>, where <log_path> is the directory that you want to save the log files to.
  • -n: Specify -n <file_name>, where <file_name> is the IRX file name. You can specify the file name with or without the .irx file extension. If you specify it without the extension, it is automatically added for you when the file is generated.
  • -X, --debug: Specify -X or --debug to run the entire command in debug mode. When run in debug mode, more log files are generated for troubleshooting.
  • -container: Specify -container <container> where <container> is a Docker container to analyze. The value may be a container name, container digest, or the path to a local archive.
  • -image: Specify -image <image> where <image> is a Docker image to analyze. The value may be an image name, image digest, or the path to a local archive.
Tip: For all commands, options can be used in any order.

appscan get_pubkey

Syntax:

appscan get_pubkey -d <save_path>

Description:

Download the public encryption key for use on a computer that is not connected to the Internet.

If you are generating an IRX file from a computer that is connected to the Internet, this command is not required since an encryption key is automatically downloaded when you issue the prepare command. If an encryption key is already present on the computer, it is updated, if necessary, when you issue the prepare command.

However, if you are generating an IRX file from a computer that is not connected to the Internet, you can download the encryption key by using this command. You can then copy the encryption key to the computer that is not connected to the Internet for use when you generate the IRX file. To use the encryption key on that computer, you must preserve the rsa.pub file name and place the file in the config directory of the extracted SAClientUtil_<version>_<os>.zip file (where <version> is the current version of the Command Line Utility).

Note: The encryption key that is used must be current. If an IRX file is generated with an outdated encryption key, the IRX file is rejected when it is uploaded. If your computer is connected to the Internet, issue the prepare command again to automatically update the encryption key. If your computer is not connected to the Internet, you need to use the get_pubkey command.

Optional flags/settings:

  • -d: Specify -d <save_path>, where <save_path> is the directory that you want to save the encryption key to. If this option is not specified, the key is saved to the config directory of the extracted SAClientUtil_<version>_<os>.zip file.
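The following PowerShell script is an added example (not part of the HCL AppScan documentation) for the offline half of the procedure above: it places an rsa.pub file, obtained with get_pubkey on a connected computer and copied over, into the config directory of the extracted SAClientUtil folder on the computer without Internet access. The parameter names, the backup step and the age hint are this example's own assumptions; the page only states that the file name must be preserved and that the key must be current.

```powershell
# Added example: stage a downloaded rsa.pub on an offline computer so that
# "appscan prepare" can use it. Assumes $KeyFile is the copied key and
# $SAClientUtilDir is the root of the extracted SAClientUtil_<version>_<os>.zip.
param(
    [Parameter(Mandatory)] [string] $KeyFile,          # path to the copied rsa.pub
    [Parameter(Mandatory)] [string] $SAClientUtilDir   # extracted SAClientUtil root
)

$configDir = Join-Path $SAClientUtilDir 'config'
$target    = Join-Path $configDir 'rsa.pub'   # the file name must be preserved

if ((Split-Path -Leaf $KeyFile) -ne 'rsa.pub') {
    throw "Expected a file named rsa.pub, got '$(Split-Path -Leaf $KeyFile)'"
}
if (-not (Test-Path -LiteralPath $KeyFile -PathType Leaf)) {
    throw "Key file not found: $KeyFile"
}
if (-not (Test-Path -LiteralPath $configDir -PathType Container)) {
    throw "Config directory not found: $configDir (is this the extracted SAClientUtil folder?)"
}

# Keep a dated backup of any key already present before replacing it.
if (Test-Path -LiteralPath $target -PathType Leaf) {
    $old    = Get-Item -LiteralPath $target
    $backup = "$target.$($old.LastWriteTimeUtc.ToString('yyyyMMddTHHmmssZ')).bak"
    Copy-Item -LiteralPath $target -Destination $backup
    Write-Host "Existing key (last written $($old.LastWriteTimeUtc) UTC) backed up to $backup"
}

Copy-Item -LiteralPath $KeyFile -Destination $target -Force

# Rough staleness hint only: an IRX file built with an outdated key is rejected
# at upload, so re-run get_pubkey on the connected computer if this looks old.
$age = (Get-Date).ToUniversalTime() - (Get-Item -LiteralPath $target).LastWriteTimeUtc
Write-Host ("Installed {0} (key file last written {1:N0} days ago)" -f $target, $age.TotalDays)
```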