Analyze Mode
Overview
Analyzes a Checkmarx/CodeQL/Fortify/Snyk/SonarQube/Semgrep/Opengrep vulnerability report to identify issues that can be remediated automatically
Produces the code fixes and redirects the user to the fix report page on the Mobb platform
Analyze Mode - Usage
To check what options are available under the analyze mode, run:
npx mobbdev@latest analyze --help
Here is the output of the help file:
npx mobbdev@latest analyze --help
cli.mjs analyze
Provide a vulnerability report and relevant code repository, get automated fixes right away.
Options:
-f, --scan-file Select the vulnerability report to analyze (Checkmarx, Snyk, Fortify,
CodeQL, Sonarqube, Semgrep, Datadog) [string]
-r, --repo Github / GitLab / Azure DevOps repository URL [string] [required]
-p, --src-path Path to the repository folder with the source code; alternatively, you
can specify the Fortify FPR file to extract source code out of it
[string]
--ref Reference of the repository (branch, tag, commit) [string]
--mobb-project-name Mobb project name [string] [default: "My first project"]
-y, --yes Skip prompts and use default values [boolean]
--ci Run in CI mode, prompts and browser will not be opened
[boolean] [default: false]
--org, --organization-id Organization id [string]
--api-key Mobb authentication api-key [string]
--auto-pr Enable automatic pull requests for new fixes[boolean] [default: false]
--create-one-pr Create a single unified PR for all fixes (requires --auto-pr)
[boolean] [default: false]
--commit-directly Commit directly to the scanned branch instead of creating a pull
request [boolean] [default: false]
--pull-request, --pr, --pr-number, --pr-id Number of the pull request [number]
--help Show help [boolean]
Example
To get fixes for a pre-generated SAST report, run the Bugsy Analyze command. Example:
npx mobbdev analyze --scan-file sast_results.json --repo https://github.com/mobb-dev/simple-vulnerable-java-project
Bugsy will automatically generate a fix for each supported vulnerability identified in the results, and refer the developer to review and commit the fixes to their code.
Automatic PR
To enable automatic PR, make sure to enable --auto-pr
flag in your npx mobbdev@latest
analyze command. For example:
npx mobbdev@latest analyze --auto-pr --ci --scan-file $SAST_RESULTS_FILENAME --repo $CI_PROJECT_URL --ref $CI_COMMIT_REF_NAME --api-key $MOBB_API_KEY
Click here to learn more about the Automatic PR feature.
Last updated
Was this helpful?