Analyze Mode

Overview

  • Analyzes a Checkmarx/CodeQL/Fortify/Snyk/SonarQube/Semgrep/Opengrep vulnerability report to identify issues that can be remediated automatically

  • Produces the code fixes and redirects the user to the fix report page on the Mobb platform

Analyze Mode - Usage

To check what options are available under the analyze mode, run:

npx mobbdev@latest analyze --help

Here is the output of the help file:

npx mobbdev@latest analyze --help
cli.mjs analyze

Provide a vulnerability report and relevant code repository, get automated fixes right away.

Options:
  -f, --scan-file                                 Select the vulnerability report to analyze (Checkmarx, Snyk, Fortify,
                                                  CodeQL, Sonarqube, Semgrep, Datadog)                          [string]
  -r, --repo                                      Github / GitLab / Azure DevOps repository URL      [string] [required]
  -p, --src-path                                  Path to the repository folder with the source code; alternatively, you
                                                  can specify the Fortify FPR file to extract source code out of it
                                                                                                                [string]
      --ref                                       Reference of the repository (branch, tag, commit)             [string]
      --mobb-project-name                         Mobb project name               [string] [default: "My first project"]
  -y, --yes                                       Skip prompts and use default values                          [boolean]
      --ci                                        Run in CI mode, prompts and browser will not be opened
                                                                                              [boolean] [default: false]
      --org, --organization-id                    Organization id                                               [string]
      --api-key                                   Mobb authentication api-key                                   [string]
      --auto-pr                                   Enable automatic pull requests for new fixes[boolean] [default: false]
      --create-one-pr                             Create a single unified PR for all fixes (requires --auto-pr)
                                                                                              [boolean] [default: false]
      --commit-directly                           Commit directly to the scanned branch instead of creating a pull
                                                  request                                     [boolean] [default: false]
      --pull-request, --pr, --pr-number, --pr-id  Number of the pull request                                    [number]
      --help                                      Show help                                                    [boolean]

Example

To get fixes for a pre-generated SAST report, run the Bugsy Analyze command. Example:

npx mobbdev analyze --scan-file sast_results.json --repo https://github.com/mobb-dev/simple-vulnerable-java-project

Bugsy will automatically generate a fix for each supported vulnerability identified in the results, and refer the developer to review and commit the fixes to their code.

Automatic PR

To enable automatic PR, make sure to enable --auto-pr flag in your npx mobbdev@latest analyze command. For example:

npx mobbdev@latest analyze --auto-pr --ci --scan-file $SAST_RESULTS_FILENAME --repo $CI_PROJECT_URL --ref $CI_COMMIT_REF_NAME --api-key $MOBB_API_KEY

Click here to learn more about the Automatic PR feature.

Scan (with Opengrep) and Fix Mode

Mobb CLI also supports a special scan and fix mode that uses Mobb's internal Opengrep scanner to automatically scan your repository and generate fixes without requiring a pre-existing vulnerability report.

How to Use Scan and Fix Mode

To activate scan and fix mode, simply omit the -f (scan-file) parameter from your analyze command. The CLI will automatically use Mobb's internal scanner to identify vulnerabilities and generate fixes.

Example

npx mobbdev@latest analyze -r https://github.com/antonychiu2/marinus-sm --ref main --api-key XXXXXX --ci

Notice that there's no -f or --scan-file parameter in this command. When no scan file is provided, Mobb will:

  • Scan the repository using Mobb's internal Opengrep scanner

  • Generate automated fixes for supported issues along with a fix report

Benefits of Scan and Fix Mode

  • No external scanner required: No need to run Checkmarx, Snyk, or other SAST tools first

  • Streamlined workflow: One command to scan and fix

  • Built-in scanner: Uses Mobb's optimized Opengrep engine

  • Immediate results: Get fixes without waiting for external scan reports

Last updated

Was this helpful?