Scan command¶
The agent is launched using the scan
command with four possible scanning options:
scan dir
– scanning a directory;scan file
– scanning a file;scan image
– scanning a container image;scan bom
– scanning a SBoM.
Launch options¶
Available and required options for launching the agent for scanning can be viewed using the help
flag.
$ ./johnny scan --help
johnny - CLI tool for dependency analysis for vulnerabilities and license compliance issues. Works in connection with CodeScoring SCA.
CodeScoring website: https://codescoring.ru
Documentation: https://docs.codescoring.ru
Exit codes:
- 0: successful run, no issues
- 1: some issues found, action required
- 2: run failure
Version: 2024.52.0
Usage:
scan [command]
Available Commands:
bom Scan bom
build Scan build
dir Scan directory
file Scan file
image Scan image
Flags:
-h, --help help for scan
-v, --version version for scan
Global Flags:
--api_token string API token for integration with CodeScoring server (required if api_url is set)
--api_url string CodeScoring server url (e.g. https://codescoring.mycompany.com) (required if api_token is set)
--block-on-empty-result Block on empty result
--bom-format string Bom format. Supported formats: cyclonedx_v1_6_json","cyclonedx_v1_5_json","cyclonedx_v1_4_json","cyclonedx_v1_6_ext_json (default "cyclonedx_v1_6_json")
--bom-path string Path for save bom file (default "bom.json")
--composer-path string Path to composer for resolve (default "composer")
--composer-resolve Enable resolve using composer
--conda-lock-path string Path to conda-lock for resolve (default "conda-lock")
--conda-resolve Enable resolve using conda-lock
--config string Config file (default "codescoring-johnny-config.yaml")
--create-project Create project in CodeScoring if not exists
--debug Output detailed log
--dotnet-path string Path to dotnet for resolve (default "dotnet")
--dotnet-resolve Enable resolve using dotnet
-f, --format string Report format. Supported formats: coloredtable, table, text, junit, sarif, csv, gl-dependency-scanning-report, gl-code-quality-report. Default output to console. Supports multiformat. Example: 'coloredtable,junit>>junit.xml' (default "coloredtable")
--gdt-match string Section in gradle dependency tree for scan. By default - parse all sections
--go-path string Path to go for resolve (default "go")
--go-resolve Enable resolve using go
--gradle-path string Path to gradle for resolve (default "./gradlew")
--gradle-resolve Enable resolve using gradle
-g, --group-vulnerabilities-by string Group vulnerabilities by. Supported kinds 'vulnerability', 'affect' (default "vulnerability")
--ignore stringArray Ignore paths (--ignore first --ignore "/**/onem?re")
--license string Project license code
--maven-path string Path to mvn for resolve (default "mvn")
--maven-resolve Enable resolve using mvn
--no-summary Do not print summary
--no-wait No wait analysis results
--npm-path string Path to npm for resolve (default "npm")
--npm-resolve Enable resolve using npm
--only-hashes Search only for direct inclusion of dependencies using file hashes
--pip-path string Path to pip for resolve (default "pip")
--pip-resolve Enable resolve using pip
--pnpm-path string Path to pnpm for resolve (default "pnpm")
--pnpm-resolve Enable resolve using pnpm
--poetry-path string Path to poetry for resolve (default "poetry")
--poetry-resolve Enable resolve using poetry
--project string Project name in CodeScoring
--project-group string Group for created project in CodeScoring
--python-version string Python version
--save-results Save results to CodeScoring. Used just together with project name
--sbt-path string Path to sbt for resolve (default "sbt")
--sbt-resolve Enable resolve using sbt
--scan-archives Scan archives. Supported types: '.jar', '.rar', '.tar', '.tar.bz2', '.tbz2', '.tar.gz', '.tgz', '.tar.xz', '.txz', '.war', '.zip', '.aar', '.egg', '.hpi', '.nupkg', '.whl'
--scan-depth int Archive scanning depth (default 1)
-s, --sort-vulnerabilities-by string Sort vulnerabilities by. Comma separated field names. For DESC - write field name with prefix '-'.
FieldNames: 'vulnerability', 'fixedversion', 'cvss2', 'cvss3', 'cwes', 'links', 'affect' (default "-cvss3,-cvss2,fixedversion,vulnerability,cwes,links,affect")
--stage string Policy stage (build, dev, source, stage, test, prod, proxy) (default "build")
-t, --timeout uint16 Timeout of analysis results waiting in seconds (default 3600)
--with-hashes Search for direct inclusion of dependencies using file hashes
--yarn-path string Path to yarn for resolve (default "yarn")
--yarn-resolve Enable resolve using yarn
Use " scan [command] --help" for more information about a command.
The --api_url
parameter must contain the full address of the on-premise installation. The value for --api_token
can be taken from the installation user profile.
Specifying the --project
parameter will allow scanning to apply policies related to the selected project.
To specify the path to a SBOM save file, you must add the --bom-path
parameter to the request or assign the bom-path
variable in the config file. By default, the SBOM is saved in the startup directory in the file bom.json
.
Run results¶
Depending on the run result and launch parameters, the agent returns the corresponding exit code:
- 0: successful run, no issues were detected;
- 1: issues found after a successful run, user action required;
- 2: run failure;
- 3: empty result, no artifacts were found for analysis. Returned only if the
--block-on-empty-result
parameter is set totrue
.
Priority of settings¶
Since the agent startup parameters can be configured in three ways, when using several methods simultaneously, the agent will accept parameters in the following order of priority:
- Value of the command flag;
- Value of the environment variable;
- Value in config file.