Users have a choice between two options: the Corgea Dropsite and the Corgea CLI.

Prerequisite: You have registered in Corgea.

SAST Scanner: You have a SAST scanner like Checkmarx, CodeQL, Semgrep, Fortify, or Snyk. Corgea currently supports these scanners, with Veracode and Sonarqube support on the roadmap.

Corgea Dropsite

The Corgea Dropsite is a web interface that allows you to easily add your project to Corgea for analysis. It provides several options to upload your code and reports from various security scanners. The Dropsite has a file size limit of 200MB. For larger projects, please use the Corgea CLI.

Adding a Project

To add a project to Corgea, follow these steps:

1. Navigate to the Dropsite page by clicking the “Add Project” button on the Corgea Projects page or the Scans page.

2. On the Dropsite page, you will see several options to add your project:

This option allows you to connect your code repository directly to Corgea. Currently, GitHub and Azure DevOps are supported.

1. Click the GitHub or Azure DevOps button to authorize Corgea to access your repositories.

2. Select the repository you want to add to Corgea.

Add a Public Repository

If your repository is publicly accessible, you can provide its URL to add it to Corgea.

1. Click the “Add a public repository” accordion.

2. Enter the URL of your public repository in the input field.

3. Click the “Add” button.

Web Upload

This option allows you to upload a ZIP file containing your project’s code.

1. Click the “Web upload” accordion.

2. Click the “Upload” button and select the ZIP file containing your project’s code.

To reduce file size and speed up processing, exclude third-party libraries and build artifacts (e.g., node_modules, vendor, dist) from the ZIP you upload. The simplest way to get a clean archive is to download a ZIP of the source directly from your repository, which contains only the committed files.

Remember that the web upload has a 200MB file size limit. For larger projects, use the Corgea CLI.
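Where you cannot download a ZIP from the repository (for example, a local checkout with uncommitted changes), the archive has to be built by hand. The script below is an added example, not Corgea's own code: it packages a project tree while skipping dependency and build directories, then checks the result against the 200MB Dropsite limit so you know before uploading whether the CLI is needed. The 200MB figure and the node_modules, vendor and dist names come from this page; the other excluded directory names, the function names and the sample project are assumptions constructed for the example.

```python
"""Build an upload-ready ZIP of a project for the Corgea Dropsite.

Added example, not Corgea's own code. It packages a source tree while
skipping dependency and build directories, then checks the archive
against the Dropsite's 200MB limit so the upload does not fail late.
The 200MB limit and node_modules/vendor/dist come from the page; the
remaining excluded names and all function names are assumptions.
"""
import os
import tempfile
import zipfile
from pathlib import Path

DROPSITE_LIMIT_BYTES = 200 * 1024 * 1024  # 200MB web upload limit

# Directories holding third-party code or build output that add nothing
# to source analysis. Extend the set to match your build tooling.
EXCLUDED_DIRS = {"node_modules", "vendor", "dist",
                 ".git", "build", "target", "__pycache__"}


def iter_source_files(root: Path):
    """Yield files under root, pruning excluded directories during the walk."""
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into excluded trees.
        dirnames[:] = sorted(d for d in dirnames if d not in EXCLUDED_DIRS)
        for name in sorted(filenames):
            yield Path(dirpath) / name


def build_project_zip(root: Path, out_path: Path) -> int:
    """Write a compressed ZIP of root (minus excluded dirs); return its size in bytes."""
    root = root.resolve()
    with zipfile.ZipFile(out_path, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for path in iter_source_files(root):
            # Store paths relative to the project root so the archive
            # unpacks into a clean tree rather than an absolute path.
            zf.write(path, arcname=str(path.relative_to(root)))
    return out_path.stat().st_size


def fits_dropsite(size_bytes: int, limit: int = DROPSITE_LIMIT_BYTES) -> bool:
    """True if the archive can go through the web upload; otherwise use the CLI."""
    return size_bytes <= limit


def zip_entries(out_path: Path) -> list[str]:
    """List archive members, handy for confirming nothing excluded slipped in."""
    with zipfile.ZipFile(out_path) as zf:
        return sorted(zf.namelist())


def demo() -> dict:
    """Constructed sample project: real source plus node_modules and dist trees that must be skipped."""
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp) / "app"
        (project / "src").mkdir(parents=True)
        (project / "src" / "main.py").write_text("print('hello')\n")
        (project / "node_modules" / "left-pad").mkdir(parents=True)
        (project / "node_modules" / "left-pad" / "index.js").write_text("x" * 4096)
        (project / "dist").mkdir()
        (project / "dist" / "bundle.js").write_text("y" * 4096)

        archive = Path(tmp) / "app.zip"
        size = build_project_zip(project, archive)
        return {"size": size, "entries": zip_entries(archive), "fits": fits_dropsite(size)}


if __name__ == "__main__":
    result = demo()
    verdict = "web upload OK" if result["fits"] else "too large: use the Corgea CLI"
    print(f"{len(result['entries'])} files, {result['size']} bytes, {verdict}")
```

Point `build_project_zip` at your checkout and the output path; `zip_entries` lets you eyeball the member list before uploading, which is the quickest way to catch a vendored directory under an unexpected name.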

After adding your project, you can proceed to the next step to upload a report from a supported security scanner.

Uploading a Report

1. Upload the report

Select the report file (typically a JSON file) from your local machine and drop it into the upload box.

Corgea supports Checkmarx (JSON), CodeQL (SARIF), Snyk (SARIF), Semgrep (JSON) and Fortify (FPR) scans.

2. Processing

Once the report is uploaded successfully, Corgea will process your project and report.

3. View results

You will be redirected to the Corgea dashboard, where you can view the analysis results for your project.

By following these steps, you can easily add your project and upload security reports to Corgea for analysis and remediation.
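A malformed or empty scanner report costs an upload round trip and a wait for processing, so it is worth checking the file locally first. The script below is an added example, not Corgea's code: it recognises the two text formats named above (SARIF as emitted by CodeQL and Snyk, and Semgrep's JSON), confirms the fields a remediation tool needs (rule, severity, file, line) are present, and summarises findings by rule and severity. The field names follow the public SARIF 2.1.0 and Semgrep JSON layouts; the function names and both sample reports are constructed for this example. Fortify FPR files are binary archives and are not covered here.

```python
"""Sanity-check a SAST report before uploading it to Corgea.

Added example, not Corgea's own code. Detects SARIF (CodeQL, Snyk) or
Semgrep JSON from the file's structure, checks that findings carry the
fields needed to map them to code, and summarises them by severity and
rule. Field names follow public SARIF 2.1.0 / Semgrep layouts; the
sample reports and function names are constructed here.
"""
import json
from collections import Counter
from pathlib import Path

# Constructed SARIF 2.1.0 sample in the shape CodeQL and Snyk emit.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "results": [
            {"ruleId": "py/sql-injection", "level": "error",
             "message": {"text": "Query built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "py/clear-text-logging", "level": "warning",
             "message": {"text": "Sensitive data written to log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
        ],
    }],
})

# Constructed Semgrep JSON sample.
SAMPLE_SEMGREP = json.dumps({
    "results": [
        {"check_id": "python.flask.security.audit.debug-enabled",
         "path": "app/main.py", "start": {"line": 9},
         "extra": {"severity": "WARNING", "message": "Flask debug mode on"}},
    ],
    "errors": [],
})


def detect_format(report: dict) -> str:
    """Classify a parsed report as 'sarif', 'semgrep' or 'unknown' from its top-level keys."""
    if isinstance(report.get("runs"), list) and "version" in report:
        return "sarif"
    if isinstance(report.get("results"), list) and "errors" in report:
        return "semgrep"
    return "unknown"


def normalise_findings(report: dict) -> list[dict]:
    """Flatten either format into rule/severity/file/line records."""
    fmt = detect_format(report)
    findings = []
    if fmt == "sarif":
        for run in report["runs"]:
            for res in run.get("results", []):
                loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
                findings.append({
                    "rule": res.get("ruleId", "<no ruleId>"),
                    # SARIF treats a missing level as "warning".
                    "severity": res.get("level", "warning"),
                    "file": loc.get("artifactLocation", {}).get("uri"),
                    "line": loc.get("region", {}).get("startLine"),
                })
    elif fmt == "semgrep":
        for res in report["results"]:
            findings.append({
                "rule": res.get("check_id", "<no check_id>"),
                "severity": res.get("extra", {}).get("severity", "INFO").lower(),
                "file": res.get("path"),
                "line": res.get("start", {}).get("line"),
            })
    else:
        raise ValueError("unrecognised report layout; expected SARIF or Semgrep JSON")
    return findings


def validate_report(text: str) -> dict:
    """Parse report text; return format, counts by severity and rule, and any problems found."""
    report = json.loads(text)
    findings = normalise_findings(report)
    problems = []
    if not findings:
        problems.append("report contains no findings; check the scanner ran on the right tree")
    if any(f["file"] is None for f in findings):
        problems.append("some findings have no file path and cannot be mapped to code")
    return {
        "format": detect_format(report),
        "total": len(findings),
        "by_severity": dict(Counter(f["severity"] for f in findings)),
        "by_rule": dict(Counter(f["rule"] for f in findings)),
        "problems": problems,
    }


def validate_report_file(path: str) -> dict:
    """Convenience wrapper for a report on disk."""
    return validate_report(Path(path).read_text(encoding="utf-8"))


if __name__ == "__main__":
    for name, text in (("codeql.sarif", SAMPLE_SARIF), ("semgrep.json", SAMPLE_SEMGREP)):
        print(name, json.dumps(validate_report(text), indent=2))
```

Run `validate_report_file("path/to/report")` on the file you intend to drop into the upload box; an empty `problems` list and a sensible severity breakdown mean the scanner ran against the right tree and the upload will have something to process.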

Corgea CLI

The Corgea CLI (Command-Line Interface) provides advanced features for integrating Corgea with your CI/CD pipeline, performing custom scans, and uploading large projects (>200MB). Click on the “Corgea CLI” accordion to learn more about installing and using the CLI.

You can install the Corgea CLI using pip:

pip install corgea-cli

More on the CLI here

Upload with the CLI

1. Go to repository

Go to the repository you want to scan:

2. Run the scan

3. See Results

Once a scan is completed, a scan report will be generated in the repository folder and a copy will be sent to Corgea for processing.

4. Issue Fixes

Depending on the number of findings in the scan, it may take some time for results to show up. For a couple of hundred findings, it should take 10 mins.

Go to fixes to learn more.

Troubleshooting