Scan projects using the Conviso CLI
Introductionβ
Protect your code from security threats with our AST (Application Security Testing) using Conviso CLI.
The tool offers both Static Application Security Testing (SAST) and Software Composition Analysis (SCA) tools, which can be accessed through the Conviso Platform.
Usageβ
To trigger this function is very simple, one of the methods is to export the settings to be used by the CLI to environment variables. Below an example:
export CONVISO_API_KEY='your-api-key'
cd your_source_code_repository
conviso ast run
Or if you prefer to do it in a single command, the instructions below have the same effect:
conviso --api-key 'your-api-key' ast run \
--repository-dir 'your_source_code_repository_path'
Note: You need an API Key. Refer to the following documentation to know how to generate one here.
The identified vulnerabilities will be automatically associated with the Asset in Conviso Platform. Now you can use the Vulnerabilities resource to work on the correction flow.
Naming an assetβ
When using the Conviso AST, you have the flexibility to assign custom names to your assets on the Conviso Platform. By default, Conviso AST utilizes the repository name as the asset name. However, you may prefer to use a custom name for better organization or clarity.
To set a custom name for your asset, run the command like the following:
conviso ast run --asset-name 'your custom asset name'
This will work on SCA and SAST too:
conviso sca run --asset-name 'your custom asset name'
and
conviso sast run --asset-name 'your custom asset name'
Auto closing vulnerabilitiesβ
We've developed an experimental feature for automatically closing vulnerabilities in the Conviso Platform. This functionality is currently in the testing phase. If you're interested in trying it out and providing feedback, here's how you can use it:
conviso ast run --vulnerability-auto-close
This will work on sca and sast too:
conviso sca run --vulnerability-auto-close
and
conviso sast run --vulnerability-auto-close
This will perform the scan as it has always been done and as a last step it will validate with the Conviso Platform if any vulnerability has been fixed.
Deploy, aka code versionsβ
When running the AST scan using the CLI, a Deploy is automatically created and diff code will be sent to Conviso Platform security for later human review.
It is possible to verify if the code added or changed in the commit has known security vulnerabilities and compare it with the original repository.
Note: This feature is essential for performing Security Code Review by the security team. Conviso offers the continuous code review service, see more.
Run scan only with Conviso SAST or SCAβ
As an additional custom configuration of the Conviso CLI, itβs possible to perform SAST-only in your code using the following command:
export CONVISO_API_KEY='your-api-key'
cd your_source_code_repository
conviso sast run
# or
conviso sca run
The following instructions have the same effect:
cd my_source_code_repository
conviso --api-key 'your-api-key' sast run
# or
conviso --api-key 'your-api-key' sca run
In case of any results, they will be automatically sent to Conviso Platform for assessment.
Supportβ
If you have any questions or need help using Conviso CLI, please don't hesitate to contact our support team.
Resourcesβ
By exploring our content you'll find resources to help you understand the benefits of the Conviso CLI:
Securing customers CI/CD pipelines using Conviso CLI: This article brings a presentation of the possibilities of using the Conviso CLI for your CI/CD pipeline.