About Remote Scans

Code Insight can scan files on a remote system and manage the inventory items created from that remote location. Remote scanning lets you integrate automatic package-level scanning into your build process using a Code Insight scan-agent plugin. This integration includes automated package discovery (see Automated Analysis) and targeted components.

Creating a Project Without Uploading a Codebase

Some organizations might be interested in reviewing the inventory that results from a scan of their product’s post-build artifacts on the build server. Other organizations might want to review the inventory resulting from a codebase scan but are reluctant to upload their product codebase (or synchronize a Source Control Management repository) to Code Insight. Instead, they want to keep their codebase in its existing development system due to security, consistency, or other concerns.

To address these requirements, Code Insight provides scan-agent plugins that scan codebase files or built artifacts wherever they reside and send the results as inventory to the Code Insight Core Server for review and remediation by users. This process requires a Code Insight project on the Core Server for handling the returned results, but requires no codebase upload or synchronization to Code Insight.

Organizations might still want to upload their product codebase to Code Insight to perform a server scan, but then use a scan-agent plugin to remotely scan post-build artifacts directly on the build server. They can use the same Code Insight project to handle the results of both scans, enabling them to compare the resulting inventories, resolve discrepancies, and determine a final inventory list.

Overview of How to Set Up for Remote Scanning

The following is an overview of setting up for remote scanning:

Phase 1—Create a project in Code Insight. See About Code Insight Projects.

Phase 2—Create a valid JSON Web Token (JWT) for the user whose account will be used to connect to Code Insight. For instructions on generating the JWT, see Managing Authorization Tokens.

Phase 3—Install and configure the appropriate scan-agent plugin. (For information on how to install and configure the plugin, see the Code Insight Plugins Guide.) As part of the configuration process, you will need to provide the name of the project that you created, the URL of the Code Insight Core Server, and the JWT.

When the scan-agent plugin is invoked (for example, during a build in Jenkins), the remote codebase will be scanned and any identified inventory items will be created in the existing project on the Code Insight server for further review and remediation.

How Remote Scans Work

Once a Code Insight scan-agent plugin is installed and the scan is configured as part of your build process, the scan agent, when run, collects the scan results and sends them back to a project in Code Insight. The results provide information about the scanned files (including any license evidence found) and published inventory awaiting review, management, and remediation through the Code Insight user interface. As with published inventory generated by the Code Insight scan server, published inventory generated by a scan-agent plugin can be automatically reviewed by license or security policies as part of the scan and, for inventory not reviewed by policy, can be reviewed manually by legal or security experts. Security alerts with corresponding email notifications will be generated for any inventory item with new security vulnerabilities.

Note the following:

For files scanned by a Code Insight scan-agent plugin on a remote system, currently only the license evidence found in those files is reported in Code Insight.
Code Insight does not generate email notifications for remote scan events.

Viewing the Remote Scan Status

To view the status of the import of scan results into your Code Insight project from the most recent remote scan run for your project, navigate to the project’s Summary page. In the Scan Status section, locate the status and timestamp of the latest import. (See Summary Tab for a description of all the remote-scan details.)