Users have a choice between two options: the Corgea Dropsite and the Corgea CLI.
Prerequisites:
- You registered in Corgea.
- SAST scanner: you have a SAST scanner like Checkmarx, CodeQL, Semgrep, Fortify, or Snyk. Corgea currently supports these scanners, with Veracode and SonarQube support on the roadmap.
The Corgea Dropsite is a web interface that allows you to easily add your project to Corgea for analysis. It provides several options to upload your code and reports from various security scanners. The Dropsite has a file size limit of 200MB. For larger projects, please use the Corgea CLI.
To add a project to Corgea, follow these steps:
Navigate to the Dropsite page by clicking on the “Add Project” button in the Corgea Projects page or the Scans page.
On the Dropsite page, you will see several options to add your project:
This option allows you to connect your code repository directly to Corgea. Currently, GitHub and Azure DevOps are supported.
Click on the GitHub or Azure DevOps button to authorize Corgea to access your repositories.
Select the repository you want to add to Corgea.
If your repository is publicly accessible, you can provide the URL to add it to Corgea.
1. Click on the “Add a public repository” accordion.
2. Enter the URL of your public repository in the input field.
3. Click the “Add” button.
This option allows you to upload a ZIP file containing your project’s code.
Click on the “Web upload” accordion.
Click the “Upload” button and select the ZIP file containing your project’s code.
To reduce file size and improve processing speed, exclude third-party libraries and build artifacts (e.g., node_modules, vendor, dist) when uploading your project. This can be done by downloading a zip from your repository directly.
Remember that the web upload has a 200MB file size limit. For larger projects, use the Corgea CLI.
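As an added example (not part of the Corgea docs or CLI), the helper below packages a project for the Dropsite the way the text recommends: it skips the third-party and build directories named above (plus .git, an assumption) and checks the resulting ZIP against the 200MB web-upload limit so you know whether to fall back to the CLI.

```python
"""Build a Dropsite upload ZIP without node_modules/vendor/dist and check the 200MB limit.
Constructed helper for illustration; it is not Corgea's own tooling."""
import os
import zipfile
from pathlib import Path

DROPSITE_LIMIT_BYTES = 200 * 1024 * 1024  # 200MB Dropsite limit from the docs
# Directories the docs tell you to leave out; ".git" is an added assumption.
EXCLUDED_DIRS = {"node_modules", "vendor", "dist", ".git"}


def collect_files(project_dir):
    """Yield every file under project_dir, pruning excluded directories at any depth."""
    for dirpath, dirnames, filenames in os.walk(project_dir):
        # Editing dirnames in place stops os.walk from descending into them.
        dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]
        for name in filenames:
            yield Path(dirpath) / name


def build_dropsite_zip(project_dir, out_path):
    """Write the ZIP; return (archive size in bytes, fits_dropsite, sorted entry names)."""
    root = Path(project_dir)
    entries = []
    with zipfile.ZipFile(out_path, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for path in collect_files(root):
            arcname = path.relative_to(root).as_posix()
            zf.write(path, arcname)
            entries.append(arcname)
    size = os.path.getsize(out_path)
    return size, size <= DROPSITE_LIMIT_BYTES, sorted(entries)


if __name__ == "__main__":
    import sys
    size, fits, entries = build_dropsite_zip(sys.argv[1], sys.argv[2])
    print(f"{len(entries)} files, {size / (1024 * 1024):.1f} MB")
    print("OK for Dropsite" if fits else "Over 200MB: use the Corgea CLI instead")
```

Run it as `python build_zip.py /path/to/project project.zip`; a `fits` value of False means the archive exceeds the Dropsite limit and the CLI upload path applies.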
After adding your project, you can proceed to the next step to upload a report from a supported security scanner.
The Corgea CLI (Command-Line Interface) provides advanced features for integrating Corgea with your CI/CD pipeline, performing custom scans, and uploading large projects (>200MB).
Click on the “Corgea CLI” accordion to learn more about installing and using the CLI. You can install the Corgea CLI using pip:
Once a scan is completed, a scan report will be generated in the repository folder and a copy will be sent to Corgea for processing.
4. Issue Fixes
Depending on the number of findings in the scan, it may take some time for results to show up. For a couple of hundred findings, it should take 10 minutes. Go to Fixes to learn more.
You might receive an error that you’re not logged into your SAST/SCA tool. Some tools require you to log in before you can use them. For example, you can log in to Semgrep with the following command:

```
semgrep login
```
Git Show Failed to Run
```
Command failed with output: fatal: not a git repository (or any of the parent directories): .git
Failed to run 'git show -s --format=%B'. Possible reasons:
- the git binary is not available
- the current working directory is not a git repository
- the current working directory is not marked as safe (fix with `git config --global --add safe.directory $(pwd)`)
Try running the command yourself to debug the issue.
Could not start scan
Command failed with exit code: 128
```