Skip to content

Scanning with the CodeLogic SQL Agent (Docker)

The CodeLogic SQL Agent for Docker provides an easy way to integrate CodeLogic scanning into your build process.

Run the Docker Image

Pull and run the SQL agent image from your CodeLogic server registry:

docker run --pull always --rm --interactive --tty                 \
     --env CODELOGIC_HOST="http://your_server"                    \
     --env AGENT_UUID="your-agent-uuid"                           \
     --env AGENT_PASSWORD="your-agent-password"                   \
     your_server/codelogic_sql:latest analyze                     \
     --application "yourApp"                                      \
     --connection-url "jdbc:postgresql://localhost:5432/sampledb" \
     --username postgres_user --password postgres_pass

Docker options:

  • --pull always — ensures that you always get the newest image
  • --env CODELOGIC_HOST — CodeLogic server URL
  • --env AGENT_UUID / --env AGENT_PASSWORD — agent credentials
  • See Docker Documentation for more options.

Tip

You can copy and paste the command directly into your Jenkins file.

Analyze a MongoDB database

Before running the docker image, ensure read permission on the database to be scanned.

Verify that /etc/mongod.conf is configured to authenticate:

security:
  authorization: "enabled"

Ensure the credentials have read permissions on the database to be analyzed. For example, to analyze the sample_mflix database, the codelogic_reader user was created using this command:

test> use admin
switched to db admin
admin> db.createUser({user: "codelogic_reader", pwd: "password1234", roles: [{role: "read", db: "sample_mflix"}]})
{ ok: 1 }

This mongodb connection string authenticates with the user codelogic_reader, password password1234 and uses the option of including it in connection string instead of the CLI. The username and password are authenticated against the admin database. It is used with the output above to analyze the sample_mflix database.

--connection-url "mongodb://codelogic_reader:password1234@myServer.myCompany.com:27017/sample_mflix?authSource=admin"

Combined with the docker run example above and including the credentials in the string instead of separately, the entire command line may look similar to this:

docker run  --network=host --pull always --rm --interactive --tty \
  --env CODELOGIC_HOST="http://myServer.myCompany.com"            \
  --env AGENT_UUID="6f396f98-9884-4530-ab3e-9a916885dcd0"         \
  --env AGENT_PASSWORD="qE15EVh4SyU3rfbJ"                         \
  myServer.myCompany.com/codelogic_sql:latest analyze             \
    --application "sample_mflix_app"                              \
    --scan-space-name "ss-Sample_mflix"                           \
    --connection-url "mongodb://codelogic_reader:password1234@myServer.myCompany.com:27017/sample_mflix?authSource=admin"

Analyze a relational database

analyze -a yourApp -c jdbc:postgresql://localhost:5432/sampledb -u postgres_user -pwd postgres_pass

For more information, see Binary Scanning via Command Line (SQL).

Important

ScanSpaces should be unique to users or processes to avoid the inadvertent removal of previous scan sessions. The --expunge-scan-sessions option removes all previous scan sessions with the same fingerprint, even if they were created by another user.

The fingerprint is a collection of parameters specified when scanning. In the example below, the Java agent fingerprint is these parameters: --application, --method-filter, --path, --scan-space-name, and --type.

For example, a Continuous Integration (CI) pipeline scan, perhaps in a Jenkinsfile, is initiated as part of a build whenever there is a code merge. These scans are stored by the CodeLogic Server in the Development ScanSpace.

The command in the Jenkinsfile is: analyze --application MyApplication --method-filter com.codelogic. --path /scan --type SCAN --scan-space-name Development.

A developer runs the same analysis using the CLI using CLI options that result in the same fingerprint but with the --expunge-scan-sessions option.

The developer's command is: analyze --application MyApplication --method-filter com.codelogic. --path /scan --type SCAN --scan-space-name Development --expunge-scan-sessions.

Since the fingerprints match, all previous scans in the Development ScanSpace on the CodeLogic server are removed.

This can be avoided by each user using their own ScanSpaces. A ScanSpace is created when the --scan-space-name option is used, if it does not already exist.

Although a default ScanSpace is used if none is specified, always specifying a ScanSpace that is unique to a user is recommended.