Running Mobb against your own code

This guide describes running Mobb on a public or private repository. To get started, make sure you have already signed up for an account. If you haven't done so, please visit the guide on registering a Mobb account.

After logging in, select the second option, "Fix Your Code with Mobb".

Pick a vulnerability scanner of your choice (Checkmarx, Snyk, Fortify, or GitHub CodeQL).

For this onboarding guide, we will pick Checkmarx as our SAST tool. For more detailed instructions for each of the supported SAST tools, refer to their respective guides.

With Checkmarx, we support 3 different ways to fix your SAST findings:

Option 1 - Upload vulnerability report

Option 2 - Scan via Mobb CLI

Option 3 - Browse Checkmarx Projects

We will proceed with "Option 1 - Upload vulnerability report" in this onboarding guide. For detailed info about the other options, refer to the Checkmarx guide.

After selecting “Upload Vulnerability Report”, you must upload a Checkmarx SAST report in .json or .xml format. Once the report is uploaded, click “Continue”.

The next screen prompts you to connect to your code repository. Mobb currently supports GitHub and GitLab as SCM tools.

You can either use “Pick a repository from your list”, where Mobb prompts you to connect to your repository, or use the second option, “Add a specific code repository”, to supply the URL.

  • Pick a repository from your list - This option lets you browse your connected GitHub or GitLab accounts and pick a repository

  • Add a specific code repository - This option allows you to specify a public or private repository URL

    • Public repository - Mobb will instantly connect to the repository to extract the content required to generate the fix data

    • Private repository

      • Accessible repository: If GitHub or GitLab is already connected and the private repository is in these accounts, Mobb will instantly connect to the repository to extract the content required to generate the fix data

      • Inaccessible repository: If GitHub or GitLab is not connected OR the repository is not in an already connected account, Mobb will allow you to connect another GitHub or GitLab account OR upload the source code in a zip file

Once you have connected your repository, you are ready to run the analysis. To do so, click on “Continue”.

Note that if you see the warning "The code provided has been updated after the vulnerabilities were detected. Some vulnerabilities might be missing.", you may want to provide a more recent SAST report or adjust your Git branch to an earlier one, so that the report and the code it was generated from match.

After the analysis, you can review the available fixes on the project page. To access the fix page, click the “Link to fix” button next to the issue you wish to review.

Mobb provides an intuitive UI that allows you to influence the fix's direction through simple questions. Once you are satisfied with the fix recommendation, you can either commit the changes back to your source code repository, download the .diff file, or save fix data:

  • Commit Changes - This allows you to commit the fixes directly to your source code repository through a Pull Request. This requires you to have the repository connected.

  • Download the .diff file - This option allows you to download the .diff file and apply the fix manually to your branch.

  • Save fix data - This option allows you to save the fix data so you can work on other fixes in the project. After you're satisfied, you can commit the fixes back to the repository all at once.

This tutorial will use the “Commit Changes” button to initiate the commit immediately.

After using the “Commit Changes” button, you will be prompted for the name of the branch. In this example, the branch we will commit to is called “feature1”.

Once you are satisfied with the rest of the inputs, click “Commit Changes”. This will open a Pull Request in your GitHub or GitLab repository.

Well done, you have successfully committed your fix back to your source code repository!