Orlandov14 for CodeSec by Contrast Security

Secure Open Source Code in minutes for free with CodeSec

Contrast Security is expanding its free developer tool, CodeSec, to include Open Source Security (OSS) scanning and Software Bill of Materials (SBOM) creation through its new Software Composition Analysis (SCA) capability. It empowers developers to identify vulnerable libraries in their open source dependencies and receive actionable remediation guidance, allowing them to ship code faster. The new feature also lets users manage software supply chain risk by making it easy to create SBOMs.

What is CodeSec?
Contrast’s new free developer tool brings the fastest and most accurate scanner on the market right to developers for free. By packaging the same scanning engine used in our Contrast Security platform into a simple command-line interface (CLI), CodeSec empowers developers to scan, secure, and ship their code in minutes.

Getting Started with CodeSec - SCA in just 3 steps

1. Open a command-prompt or terminal, then install with NPM, Homebrew or by downloading binaries from Artifactory:

For this example we will be using NPM; other install options are available (Homebrew, or binaries from Artifactory).

```shell
npm install -g @contrast/contrast
```

2. Authenticate using your existing GitHub or Google account.

```shell
contrast auth
```

3. Time to Scan your Open Source!

Navigate to the directory containing the project you want to scan.
Then run an SCA scan on your Java, JavaScript, Python, Ruby, Go, PHP or .NET code with the following command.

```shell
contrast audit
```

CodeSec SCA Output

Within minutes, CodeSec by Contrast reports all vulnerabilities found in your dependencies, together with actionable remediation guidance.

Happy Scanning!

Top comments (4)

Ross Presser

Can I ask what the need for a Google or Github account is?

Orlandov14

Hi Ross, we ask users to connect with their existing Google or GitHub account in order to create an account for them on our servers, so they may utilize our scanning tools.

Ross Presser

Follow up question: Can CodeSec be used on local repositories that have no connection with GitHub or any other cloud repo whatsoever, and never will?

Orlandov14

Yes, they can still use the CLI to access CodeSec.