Creating a Project Without Uploading a Codebase
Code Insight 2021 R1
Some organizations might be interested in reviewing the inventory that results from a scan of their product’s post-build artifacts on the build server. Other organizations might want to review the inventory resulting from a codebase scan but are reluctant to upload their product codebase (or synchronize a Source Control Management repository) to Code Insight. Instead, they want to keep their codebase in its existing development system due to security, consistency, or other concerns.
To address these requirements, Code Insight provides scan-agent plugins that scan codebase files or built artifacts wherever they reside and send the results as inventory to the Code Insight Core Server for review and remediation by users. This process requires a Code Insight project on the Core Server for handling the returned results, but requires no codebase upload or synchronization to Code Insight.
Organizations might still want to upload their product codebase to Code Insight to perform a server scan, but then use a scan-agent plugin to remotely scan post-build artifacts directly on the build server. They can use the same Code Insight project to handle the results of both scans, enabling them to compare the resulting inventories, resolve discrepancies, and determine a final inventory list.
Overview of How to Set Up for Remote Scanning
The following is an overview of setting up for remote scanning:
Phase 1—Create a project in Code Insight. See About Code Insight Projects.
Phase 2—Create a valid JSON Web Token (JWT) for the user whose account will be used to connect to Code Insight. For instructions on generating the JWT, see Managing Authorization Tokens in the “Using Code Insight” chapter. The JWT is a bearer credential that acts with that user's permissions, so store it in the build server's credential store rather than in a build script or source repository.
Phase 3—Install and configure the appropriate scan-agent plugin. (For information on how to install and configure the plugin, see the Code Insight Plugins Guide.) As part of the configuration process, you will need to provide the name of the project that you created, the URL of the Code Insight Core Server, and the JWT.
When the scan-agent plugin is invoked (for example, during a build in Jenkins), the remote codebase will be scanned and any identified inventory items will be created in the existing project on the Code Insight server for further review and remediation.
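Before wiring the token from Phase 2 into the plugin configuration, it is worth checking that it is well formed, signed, and not about to expire mid-pipeline. The following script is an added example, not code from Code Insight or its plugins. It assumes only the standard compact JWT layout (base64url header.payload.signature) and the standard `exp` claim; the claims Code Insight actually places in its tokens are not described on this page, and the sample token it builds is constructed for illustration with a placeholder signature.

```python
"""Inspect a scan-agent JWT before configuring the plugin with it.

Added example; not part of Code Insight or its plugins. Assumes the standard
JWT compact form and the standard `exp` claim (seconds since the Unix epoch).
The signature is NOT verified here: the Core Server verifies it when the
plugin connects. This is a local sanity check only.
"""
import base64
import json
import sys
import time
from typing import Dict, List, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding first.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_unverified(token: str) -> Dict[str, dict]:
    """Return the header and payload of a compact JWT without checking the signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments, got %d" % len(parts))
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return {"header": header, "payload": payload}


def check_token(token: str, now: Optional[float] = None, min_remaining_days: int = 7) -> List[str]:
    """Return a list of problems with the token; an empty list means it looks usable."""
    now = time.time() if now is None else now
    problems: List[str] = []
    try:
        decoded = decode_jwt_unverified(token)
    except ValueError as exc:  # includes json and base64 decoding errors
        return ["not a well-formed JWT: %s" % exc]
    header, payload = decoded["header"], decoded["payload"]

    # An unsigned token should never be accepted for a server connection.
    if str(header.get("alg", "")).lower() == "none":
        problems.append("alg=none: unsigned token")

    exp = payload.get("exp")
    if exp is None:
        problems.append("no exp claim: token never expires")
    elif not isinstance(exp, (int, float)):
        problems.append("exp claim is not numeric")
    elif exp <= now:
        problems.append("token expired")
    elif exp - now < min_remaining_days * 86400:
        problems.append("token expires within %d days; rotate before the next build" % min_remaining_days)
    return problems


def make_sample_token(payload: dict, alg: str = "HS256") -> str:
    """Build a constructed token for demonstration only; the signature is a placeholder."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": alg, "typ": "JWT"}) + "." + enc(payload) + ".placeholder-signature"


if __name__ == "__main__":
    # Usage: python check_jwt.py "<token>"  (or pipe the token on stdin)
    token = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.read()
    issues = check_token(token)
    for issue in issues:
        print("PROBLEM:", issue)
    sys.exit(1 if issues else 0)
```

Run it in the pipeline step that reads the token from the credential store, so a stale or malformed token fails fast with a clear message instead of surfacing as a rejected connection to the Core Server later in the build.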