# Generating a Polaris SAST Report

### Introduction

This guide walks you through using the **Black Duck Bridge CLI** to run a Polaris SAST scan and export the results as a `.sarif.json` file that can be submitted to Mobb.

### Pre-Requisites

* A [Polaris](https://polaris.blackduck.com) account with an active access token. See [Generating a Polaris Access Token](https://documentation.blackduck.com/bundle/coverity-on-polaris/page/topics/t_creating-tokens.html) for instructions.
* Access to a terminal (Linux, macOS, or Windows).
* For Java projects that require compilation: the appropriate **JDK** and **Maven** or **Gradle** installed.

***

### Step 1 — Download the Bridge CLI

Visit the download index to find the right binary for your operating system:

<https://repo.blackduck.com/bds-integrations-release/com/blackduck/integration/bridge/binaries/bridge-cli-bundle/latest/>

#### Linux example

```bash
# Download and unpack in your home directory; the PATH entry added below points to $HOME
cd "$HOME"
wget https://repo.blackduck.com/bds-integrations-release/com/blackduck/integration/bridge/binaries/bridge-cli-bundle/latest/bridge-cli-bundle-linux64.zip

unzip bridge-cli-bundle-linux64.zip
```

Add the binary to your `PATH` so it is accessible from anywhere:

```bash
echo 'export PATH="$HOME/bridge-cli-bundle-linux64:$PATH"' >> ~/.bashrc
source ~/.bashrc

# Verify the installation
bridge-cli
```

***

### Step 2 — Set your Polaris Access Token

```bash
# Replace YOUR_TOKEN_HERE with the access token generated in Polaris
export BRIDGE_POLARIS_ACCESSTOKEN=YOUR_TOKEN_HERE
```

***

### Step 3 — Run the Scan

The key parameter to enable SARIF output is `polaris.reports.sarif.create=true`.

#### Example: Project with no compilation required (e.g. JavaScript/TypeScript)

```bash
git clone https://github.com/juice-shop/juice-shop
cd juice-shop

bridge-cli --stage polaris --diagnostics \
  polaris.project.name="juice-shop" \
  polaris.branch.name="master" \
  polaris.application.name="YOUR_APPLICATION_NAME" \
  polaris.assessment.types=SAST \
  polaris.reports.sarif.create=true \
  polaris.serverurl="https://polaris.blackduck.com"
```

#### Example: Java project requiring compilation with Maven

{% hint style="info" %}
Ensure you are using the correct JDK version required by your project before running the scan.
{% endhint %}

```bash
java --version   # verify the correct JDK is active
mvn --version    # verify Maven is installed

git clone https://github.com/webgoat/webgoat
cd webgoat

bridge-cli --stage polaris --diagnostics \
  polaris.project.name="webgoat" \
  polaris.branch.name="main" \
  polaris.application.name="YOUR_APPLICATION_NAME" \
  polaris.assessment.types=SAST \
  polaris.reports.sarif.create=true \
  coverity.build.command="mvn install -DskipTests" \
  coverity.clean.command="mvn clean" \
  polaris.serverurl="https://polaris.blackduck.com"
```

#### Example: Java project requiring compilation with Gradle

```bash
java --version   # verify the correct JDK is active

git clone https://github.com/alkacon/opencms-core
cd opencms-core

bridge-cli --stage polaris \
  polaris.project.name="opencms-core" \
  polaris.branch.name="main" \
  polaris.application.name="YOUR_APPLICATION_NAME" \
  polaris.assessment.types=SAST \
  polaris.reports.sarif.create=true \
  coverity.build.command="./gradlew build -x test" \
  coverity.clean.command="./gradlew clean" \
  polaris.serverurl="https://polaris.blackduck.com"
```

***

### Step 4 — Locate the SARIF Report

Once the scan completes, the `.sarif.json` report will be written inside your project directory under:

```
.bridge/Polaris SARIF Generator/report.sarif.json
```

For example, if you scanned `webgoat`:

```
webgoat/.bridge/Polaris SARIF Generator/report.sarif.json
```

This is the file you will upload to Mobb. See [Polaris Integration with Mobb](/mobb-user-docs/integrating-sast-findings/polaris.md) for next steps.
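
A pre-upload sanity check for the report located in Step 4, as an added example (not part of the Bridge CLI or Mobb tooling). It assumes the report is a SARIF 2.1.0 document; the function names and the sample report it writes are constructed for illustration.

```python
import json
import tempfile
from collections import Counter
from pathlib import Path

# Report location relative to the scanned project, as given in Step 4.
REPORT_REL = Path(".bridge") / "Polaris SARIF Generator" / "report.sarif.json"

def summarize_sarif(project_dir):
    """Return finding counts for the report, or raise ValueError if it is unusable."""
    report = Path(project_dir) / REPORT_REL
    if not report.is_file():
        raise ValueError(f"report not found: {report}")
    try:
        doc = json.loads(report.read_text(encoding="utf-8"))
    except json.JSONDecodeError as exc:
        raise ValueError(f"report is not valid JSON: {exc}") from exc
    # Assumption: the report is SARIF 2.1.0 (top-level "version" and "runs").
    if not isinstance(doc, dict) or doc.get("version") != "2.1.0":
        raise ValueError("not a SARIF 2.1.0 document")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        raise ValueError("SARIF document contains no runs")
    by_level, by_rule = Counter(), Counter()
    for run in runs:
        for result in run.get("results") or []:
            # Simplification: a result without "level" is counted as "warning".
            by_level[result.get("level", "warning")] += 1
            by_rule[result.get("ruleId", "<no ruleId>")] += 1
    return {"total": sum(by_level.values()),
            "by_level": dict(by_level), "by_rule": dict(by_rule)}

def constructed_project(tmp):
    """Write a constructed two-finding report (not real Polaris output) under tmp."""
    doc = {"version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": "constructed-sample"}},
        "results": [
            {"ruleId": "SAMPLE_RULE_A", "level": "error", "message": {"text": "constructed"}},
            {"ruleId": "SAMPLE_RULE_A", "message": {"text": "constructed, no level"}},
        ]}]}
    path = Path(tmp) / REPORT_REL
    path.parent.mkdir(parents=True)
    path.write_text(json.dumps(doc), encoding="utf-8")
    return tmp

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(summarize_sarif(constructed_project(tmp)))
```

To check a real scan, call `summarize_sarif("webgoat")` (or your own project directory) instead of the constructed sample.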

***

