Skip to content

Scan command

The agent is launched using the scan command with four possible scanning options:

Launch options

Available and required options for launching the agent for scanning can be viewed using the help flag.

$ ./johnny scan --help
johnny - CLI tool for dependency analysis for vulnerabilities and license compliance issues. Works in connection with CodeScoring SCA.
CodeScoring website: https://codescoring.ru
Documentation: https://docs.codescoring.ru

Exit codes:
- 0: successful run, no issues
- 1: some issues found, action required
- 2: run failure

Version: 2024.52.0

Usage:
   scan [command]

Available Commands:
  bom         Scan bom
  build       Scan build
  dir         Scan directory
  file        Scan file
  image       Scan image

Flags:
  -h, --help      help for scan
  -v, --version   version for scan

Global Flags:
      --api_token string                  API token for integration with CodeScoring server (required if api_url is set)
      --api_url string                    CodeScoring server url (e.g. https://codescoring.mycompany.com) (required if api_token is set)
      --block-on-empty-result             Block on empty result
      --bom-format string                 Bom format. Supported formats: cyclonedx_v1_6_json","cyclonedx_v1_5_json","cyclonedx_v1_4_json","cyclonedx_v1_6_ext_json (default "cyclonedx_v1_6_json")
      --bom-path string                   Path for save bom file (default "bom.json")
      --composer-path string              Path to composer for resolve (default "composer")
      --composer-resolve                  Enable resolve using composer
      --conda-lock-path string            Path to conda-lock for resolve (default "conda-lock")
      --conda-resolve                     Enable resolve using conda-lock
      --config string                     Config file (default "codescoring-johnny-config.yaml")
      --create-project                    Create project in CodeScoring if not exists
      --debug                             Output detailed log
      --dotnet-path string                Path to dotnet for resolve (default "dotnet")
      --dotnet-resolve                    Enable resolve using dotnet
  -f, --format string                     Report format. Supported formats: coloredtable, table, text, junit, sarif, csv, gl-dependency-scanning-report, gl-code-quality-report. Default output to console. Supports multiformat. Example: 'coloredtable,junit>>junit.xml'  (default "coloredtable")
      --gdt-match string                  Section in gradle dependency tree for scan. By default - parse all sections
      --go-path string                    Path to go for resolve (default "go")
      --go-resolve                        Enable resolve using go
      --gradle-path string                Path to gradle for resolve (default "./gradlew")
      --gradle-resolve                    Enable resolve using gradle
  -g, --group-vulnerabilities-by string   Group vulnerabilities by. Supported kinds 'vulnerability', 'affect' (default "vulnerability")
      --ignore stringArray                Ignore paths (--ignore first --ignore "/**/onem?re")
      --license string                    Project license code
      --maven-path string                 Path to mvn for resolve (default "mvn")
      --maven-resolve                     Enable resolve using mvn
      --no-summary                        Do not print summary
      --no-wait                           No wait analysis results
      --npm-path string                   Path to npm for resolve (default "npm")
      --npm-resolve                       Enable resolve using npm
      --only-hashes                       Search only for direct inclusion of dependencies using file hashes
      --pip-path string                   Path to pip for resolve (default "pip")
      --pip-resolve                       Enable resolve using pip
      --pnpm-path string                  Path to pnpm for resolve (default "pnpm")
      --pnpm-resolve                      Enable resolve using pnpm
      --poetry-path string                Path to poetry for resolve (default "poetry")
      --poetry-resolve                    Enable resolve using poetry
      --project string                    Project name in CodeScoring
      --project-group string              Group for created project in CodeScoring
      --python-version string             Python version
      --save-results                      Save results to CodeScoring. Used just together with project name
      --sbt-path string                   Path to sbt for resolve (default "sbt")
      --sbt-resolve                       Enable resolve using sbt
      --scan-archives                     Scan archives. Supported types: '.jar', '.rar', '.tar', '.tar.bz2', '.tbz2', '.tar.gz', '.tgz', '.tar.xz', '.txz', '.war', '.zip', '.aar', '.egg', '.hpi', '.nupkg', '.whl'
      --scan-depth int                    Archive scanning depth (default 1)
  -s, --sort-vulnerabilities-by string    Sort vulnerabilities by. Comma separated field names. For DESC - write field name with prefix '-'.
                                          FieldNames: 'vulnerability', 'fixedversion', 'cvss2', 'cvss3', 'cwes', 'links', 'affect' (default "-cvss3,-cvss2,fixedversion,vulnerability,cwes,links,affect")
      --stage string                      Policy stage (build, dev, source, stage, test, prod, proxy) (default "build")
  -t, --timeout uint16                    Timeout of analysis results waiting in seconds (default 3600)
      --with-hashes                       Search for direct inclusion of dependencies using file hashes
      --yarn-path string                  Path to yarn for resolve (default "yarn")
      --yarn-resolve                      Enable resolve using yarn

Use " scan [command] --help" for more information about a command.

The --api_url parameter must contain the full address of the on-premise installation. The value for --api_token can be taken from the installation user profile.

Specifying the --project parameter will allow scanning to apply policies related to the selected project.

To specify the path to a SBOM save file, you must add the --bom-path parameter to the request or assign the bom-path variable in the config file. By default, the SBOM is saved in the startup directory in the file bom.json.

Run results

Depending on the run result and launch parameters, the agent returns the corresponding exit code:

  • 0: successful run, no issues were detected;
  • 1: issues found after a successful run, user action required;
  • 2: run failure;
  • 3: empty result, no artifacts were found for analysis. Returned only if the --block-on-empty-result parameter is set to true.

Priority of settings

Since the agent startup parameters can be configured in three ways, when using several methods simultaneously, the agent will accept parameters in the following order of priority:

  1. Value of the command flag;
  2. Value of the environment variable;
  3. Value in config file.