Using the Gradle plugin

The OpenText SAST installation includes a Gradle plugin located in <sast_install_dir>/plugins/gradle. To use the OpenText SAST Gradle Plugin, first configure the plugin for your Java or Kotlin project, then run the plugin's tasks to analyze the project. The plugin provides three OpenText SAST tasks: sca.clean, sca.translate, and sca.scan. See Build tools for the platforms and languages that the OpenText SAST Gradle plugin specifically supports.

If you have multiple OpenText SAST installations, make sure that the version you want to use for your Gradle projects appears in the PATH environment variable before all other OpenText SAST versions; the plugin uses whichever installation is found first.

To configure the OpenText SAST Gradle Plugin:

  1. Edit the Gradle settings file to specify the path to the plugin. Gradle searches plugin repositories in the order they are declared, so listing the local maven repository before gradlePluginPortal() (as in the Kotlin example) resolves the plugin without first querying the portal:

    • Groovy DSL (settings.gradle):

      pluginManagement {
        repositories {
          gradlePluginPortal()
          maven {
            url = uri("file://<sast_plugin_path>")
          }
        }
      }
    • Kotlin DSL (settings.gradle.kts):

      pluginManagement {
        repositories {
          maven(url = uri("file://<sast_plugin_path>"))
          gradlePluginPortal()
        }
      }
  2. Add entries to the build script as shown in the following examples:

    • Groovy DSL (build.gradle):

      plugins {
        id 'com.fortify.sca.plugins.gradlebuild' version '25.3'
      }

      and

      SCAPluginExtension {
        buildId = "MyProject"
        options = ["-encoding", "utf-8", "-logfile", "MyProject.log",
                   "-debug-verbose"]
      }

      or the following example entry excludes files from the translation:

      SCAPluginExtension {
        buildId = "MyProject"
        options = ["-encoding", "utf-8", "-logfile", "MyProject.log",
                   "-debug-verbose", "-exclude", "src/test/**/*"]
      }
    • Kotlin DSL (build.gradle.kts):

      plugins {
        id("com.fortify.sca.plugins.gradlebuild") version "25.3"
        ...
      }

      and

      SCAPluginExtension {
        buildId = "MyProject"
        options = listOf("-encoding", "utf-8", "-logfile", "MyProject.log",
                         "-debug-verbose")
      }

      or the following example entry excludes files from the translation:

      SCAPluginExtension {
        buildId = "MyProject"
        options = listOf("-encoding", "utf-8", "-logfile", "MyProject.log",
                         "-debug-verbose", "-exclude", "src/test/**/*")
      }
  3. Save and close the Gradle settings and Gradle build files.

Analyze a Java or Kotlin project with the following command sequence, run in this order:

  • To remove all OpenText SAST temporary files left by a previous build of the Java or Kotlin project, run the following:

    gradlew sca.clean
  • To run the translation phase for the configured Java or Kotlin project, run the following:

    gradlew sca.translate
  • To analyze the configured Java or Kotlin project, run the following:

    gradlew sca.scan

    This task succeeds only if OpenText SAST has already translated the project using the OpenText SAST Gradle Plugin (that is, sca.translate has completed for the same buildId).
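The configuration steps and command sequence above, as an added example that is not part of this page or of the OpenText plugin: a POSIX shell wrapper that derives the pluginManagement repository URL from <sast_install_dir>, enforces the PATH-ordering requirement for machines with several OpenText SAST installations, and runs the three tasks in the documented order, stopping at the first failure. The environment variable SAST_INSTALL_DIR, the executable name sourceanalyzer and its location under <sast_install_dir>/bin are assumptions of this example, not facts stated on the page. The wrapper applies unchanged to the multi-project layout described in the next section.

```shell
#!/bin/sh
# Added example, not code from OpenText or from this page: a CI wrapper around
# the plugin's three tasks. Assumptions not stated on the page: SAST_INSTALL_DIR
# holds the <sast_install_dir> path, and the command-line analyzer is an
# executable named sourceanalyzer under $SAST_INSTALL_DIR/bin.
set -eu

# Build the file:// URL for the pluginManagement maven repository from
# <sast_install_dir> (the plugin lives in <sast_install_dir>/plugins/gradle).
plugin_repo_url() {
  printf 'file://%s/plugins/gradle\n' "$1"
}

# Succeed (exit 0) only if the first PATH entry containing an executable
# sourceanalyzer is "$1/bin", i.e. the install we intend to use precedes every
# other SAST install on the PATH. $2 overrides the PATH value (used in tests).
first_sast_on_path_is() {
  want="$1/bin"
  path="${2:-$PATH}"
  old_ifs=$IFS
  IFS=:
  for dir in $path; do
    if [ -x "$dir/sourceanalyzer" ]; then
      IFS=$old_ifs
      if [ "$dir" = "$want" ]; then return 0; else return 1; fi
    fi
  done
  IFS=$old_ifs
  return 1
}

# Run sca.clean, sca.translate and sca.scan in that order, each in its own
# Gradle invocation, so a failed translation never reaches sca.scan and each
# phase gets its own log. Refuses to start when PATH would select a different
# SAST version than SAST_INSTALL_DIR. $1 = project directory with gradlew.
run_sast_gradle() {
  proj="$1"
  if ! first_sast_on_path_is "$SAST_INSTALL_DIR"; then
    echo "refusing to scan: another SAST install precedes $SAST_INSTALL_DIR/bin in PATH" >&2
    return 2
  fi
  (
    cd "$proj"
    ./gradlew sca.clean
    ./gradlew sca.translate
    ./gradlew sca.scan
  )
}

# Usage: SAST_INSTALL_DIR=/opt/sast sh sast-gradle.sh /path/to/project
if [ "${SAST_INSTALL_DIR:-}" != "" ] && [ "${1:-}" != "" ]; then
  run_sast_gradle "$1"
fi
```

Running the tasks as three separate Gradle invocations costs a little startup time but keeps the phases distinct in CI output; `set -e` inside the subshell guarantees that sca.scan is never reached after a failed sca.translate, which matches the precondition the page states for sca.scan.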

Working with Java or Kotlin projects that have subprojects

If you have a Java or Kotlin multi-project build (with subprojects), configure the OpenText SAST Gradle plugin in an allprojects block in the root build script so that the plugin is applied, with the same buildId, to the root project and every subproject. This is shown in the following examples.

Groovy DSL (build.gradle):

allprojects {
  apply plugin: "com.fortify.sca.plugins.gradlebuild"
  SCAPluginExtension {
    buildId = "MyProject"
    options = ["-encoding", "utf-8", "-logfile", "MyProject.log",
               "-debug-verbose"]
    ...
  }
}

Kotlin DSL (build.gradle.kts):

allprojects {
  apply(plugin = "com.fortify.sca.plugins.gradlebuild")
  SCAPluginExtension {
    buildId = "MyProject"
    options = listOf("-encoding", "utf-8", "-logfile", "MyProject.log",
                     "-debug-verbose")
    ...
  }
}

See Also

Using Gradle Integration