Submitting remote translation and scan requests
If you use a supported language, you can submit your project to your OpenText ScanCentral SAST sensors for a complete remote analysis (both translation and scan phases). To submit a scan request that performs both the translation and scan phases, use the start command. For more information, see the Application Security Software System Requirements document.
OpenText ScanCentral SAST automatically detects the build tool you are using based on the project files being scanned. For example, if OpenText ScanCentral SAST detects a pom.xml file, it automatically sets -bt to mvn. If it detects a build.gradle file, it sets -bt to gradle. If OpenText ScanCentral SAST detects a *.sln file, it sets -bt to msbuild (Windows) or to dotnet (Linux) and sets -bf to the xxx.sln file. If OpenText ScanCentral SAST detects multiple file types (for example, pom.xml and build.gradle), it prioritizes the build tool selection as follows: Maven > Gradle > MSBuild and prints a message to indicate which build tool was selected based on the multiple file types found. For a list of supported build tools, see the Application Security Software System Requirements document.
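The detection rules above, modeled as a pre-flight check a CI job can run so that the build tool is passed explicitly instead of inferred. This is an added example, not OpenText code: `detect_build_args` is a hypothetical helper, and inspecting only the top level of the project directory is an assumption.

```shell
#!/bin/sh
# Model of the documented detection rules; not ScanCentral's own code.
# Assumption: only the top level of the project directory is inspected.

# Print the build-tool arguments the documented rules would select,
# e.g. "-bt mvn". Returns 1 when no known build file is present.
# $1 = project directory, $2 = platform ("windows" or "linux", default linux)
detect_build_args() {
    dir=${1:-.}
    platform=${2:-linux}
    found=""
    sln=""

    # Append in priority order: Maven > Gradle > MSBuild.
    if [ -f "$dir/pom.xml" ]; then found="$found mvn"; fi
    if [ -f "$dir/build.gradle" ]; then found="$found gradle"; fi
    for f in "$dir"/*.sln; do
        # An unmatched glob stays literal, so confirm the file exists.
        if [ -f "$f" ]; then
            sln=$f
            found="$found msbuild"
            break
        fi
    done

    # Word-split the candidates; $1 is now the highest-priority tool.
    set -- $found
    if [ $# -eq 0 ]; then return 1; fi
    if [ $# -gt 1 ]; then
        echo "multiple build files found ($*); using $1" >&2
    fi

    case $1 in
        mvn|gradle) echo "-bt $1" ;;
        msbuild)
            if [ "$platform" = windows ]; then tool=msbuild; else tool=dotnet; fi
            echo "-bt $tool -bf $sln" ;;
    esac
}

# Usage (flags as documented on this page):
#   scancentral -sscurl <ssc_url> -ssctoken <token> start $(detect_build_args .)
```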
The following table provides example scan request commands for different tasks. The examples assume that the command is run from the project's working directory. The build tool option --build-tool (-bt) shown in these example commands is not required.
| Task | Example command |
|---|---|
| Start a job to scan a .NET application. | scancentral -sscurl <ssc_url> -ssctoken <token> start |
| Start a job to scan a dotnet project on Windows. | |
| Start a job to scan an Apache Maven™ Software project that includes the test scope. | or |
| Start a job to scan a Maven project with a non-default build file. | scancentral -sscurl <ssc_url> -ssctoken <token> start -bt mvn -bf c:\myproj\myproj-pom.xml |
| Start a job to scan a JavaScript/TypeScript project. | scancentral -sscurl <ssc_url> -ssctoken <token> start |
| Start a job to scan a PHP version 8.2 project. | scancentral -sscurl <ssc_url> -ssctoken <token> start -hv 8.2 |
| Start a job to scan an ABAP project. | scancentral -sscurl <ssc_url> -ssctoken <token> start |
| Start a job to scan a Java project and exclude test source files. | scancentral -sscurl <ssc_url> -ssctoken <token> start -exclude "src/test/**/*" |
| Start a job to scan only the distribution files for a JavaScript project. | scancentral -sscurl <ssc_url> -ssctoken <token> start -include "./dist/**/*.*" |
| Start a job to scan all the beta files except for JSON files. | scancentral -sscurl <ssc_url> -ssctoken <token> start -include "./beta/*.*" -exclude "./beta/*.json" |
| Start a job to scan a Go project with a build tag. | scancentral -sscurl <ssc_url> -ssctoken <token> start -targs "-gotags release" |
| Start a job to scan a Ruby project. | scancentral -sscurl <ssc_url> -ssctoken <token> start |
| Start a job to scan a Gradle project. | scancentral -sscurl <ssc_url> -ssctoken <token> start -bt gradle |
| Start a job to scan a Gradle project, get email notifications from the Controller, and upload the results to Application Security. | scancentral -sscurl <ssc_url> -ssctoken <token> start -email username@domain.com -upload -application "MyProject" -version "1.0" |
OpenText ScanCentral SAST returns a job token that you can use to track the scan.
See also
Submitting Scan Requests and Uploading Results to Application Security