CodeSec delivers:
- The fastest and most accurate SAST scanner.
- Immediate and actionable results — scan code and serverless environments.
- A frictionless and seamless sign-in process with GitHub or Google Account. From start to finish in minutes.
- By running a scan on your lambda functions, you can find: Least privilege identity and access management (IAM) vulnerabilities (over permissive policies) and remediation.
NPM:
npm install --location=global @contrast/contrast
Homebrew:
brew tap contrastsecurity/tap
brew install contrast
Binaries:
-
Go to
https://pkg.contrastsecurity.com/ui/repos/tree/General/cli -
Select your operating system under the cli folder and download the package.
-
You must allow execute permissions on the file depending on your OS.
Authenticate by entering contrast auth in the terminal.
In the resulting browser window, log in and authenticate with your GitHub or Google credentials.
Make sure you have the correct file types to scan.
- Upload a .jar or .war file to scan a Java project for analysis
- Upload a .js or .zip file to scan a JavaScript project for analysis
- Upload a .exe. or .zip file to scan a .NET c# web forms project
Start scanning
Use the Contrast scan command contrast scan
- Currently supports Java and Python functions on AWS. Configure AWS credentials on your local environment by running the commands with your credentials:
export AWS_DEFAULT_REGION=<YOUR_AWS_REGION>
export AWS_ACCESS_KEY_ID=<YOUR_ACCESS_KEY_ID>
export AWS_SECRET_ACCESS_KEY=<YOUR_SECRET_ACCESS_KEY>-
AWS credentials should be available on your local configure (usually ~/.aws/credentials). You have an option to run a lambda scan with your aws-profile to pass --profile. You also can export different credentials.
-
These permissions are required to gather all required information on an AWS Lambda to use the
contrast lambdacommand:- Lambda: GetFunction | GetLayerVersion
- IAM: GetRolePolicy | GetPolicy | GetPolicyVersion | ListRolePolicies | ListAttachedRolePolicies
Use contrast lambda to scan your AWS Lambda functions.
contrast lambda --function-name MyFunctionName --region my-aws-region
Authenticate Contrast using your GitHub or Google account. A new browser window will open for login.
Usage: contrast auth
Displays stored credentials.
Usage: contrast config
Options:
- -c, --clear - Removes stored credentials.
Performs a security SAST scan.
Usage: contrast scan [option]
Options:
-
contrast scan --file
- Path of the file you want to scan. Contrast searches for a .jar, .war, .js. or .zip file in the working directory if a file is not specified.
- Alias: --f
-
contrast scan --name
- Contrast project name. If not specified, Contrast uses contrast.settings to identify the project or creates a project.
- Alias: –n
-
contrast scan --save
- Download the results to a Static Analysis Results Interchange Format (SARIF) file. The file is downloaded to the current working directory with a default name of results.sarif. You can view the file with any text editor.
- Alias: -s
-
contrast scan --timeout
- Time in seconds to wait for the scan to complete. Default value is 300 seconds.
- Alias: -t
Name of AWS lambda function to scan.
Usage: contrast lambda --function-name
Options:
-
contrast lambda --function-name --endpoint-url AWS Endpoint override. Similar to AWS CLI. Alias: -e
-
contrast lambda --function-name --region Region override. Defaults to AWS_DEFAULT_REGION. Similar to AWS CLI. Alias: -r
-
contrast lambda --function-name --profile AWS configuration profile override. Similar to AWS CLI. Alias: -p
-
contrast lambda --function-name --json Return response in JSON (versus default human-readable format). Alias: -j
-
contrast lambda -–function-name -–verbose Returns extended information to the terminal. Alias: -v
-
contrast lambda -–function-name --list-functions Lists all available lambda functions to scan.
-
contrast lambda --function-name -–help Displays usage guide. Alias: -h
Displays usage guide. To list detailed help for any CLI command, add the -h or --help flag to the command.
Usage: contrast scan --help
Alias: -h
Displays version of Contrast CLI.
Usage: contrast version Alias: -v, --version