Contrast Security Plugin
Write secure code faster
Contrast optimally chooses from several application security testing approaches (IAST, SAST, SCA) according to the vulnerability type to produce accurate security results.
Leverage security instrumentation from Contrast to:
- get accurate vulnerability results
- automate security testing through your existing functional tests
- obtain clear, concise, and actionable remediation guidance
Via agents (tiny files that live with your application), Contrast embeds security sensors in the packaged binary upon application startup.
Data flow through the application, in conjunction with other important runtime context such as...
- the entirety of data and control flows
- internal logic
- configuration and architecture
- presentation view
- libraries and frameworks
- application server
activates an intelligent pattern-matching engine that produces highly accurate security insights, a technology called interactive application security testing (IAST).
Getting Set Up
- A Contrast Security account. You can create a free one here for Contrast Community Edition. Supported languages:
- Free: Java, .NET Core
- Paid: Node.JS, Python, Ruby, .NET Framework
- Follow onboarding instructions in the installation wizard within the Contrast UI. Docs can be found here.
- Run functional tests to trigger data flow through your application (and thus the IAST engine).
- Authenticate to your Contrast account via the extension settings page (see section below).
- Navigate to the Contrast view in the Activity bar (left hand side of VS Code editor). Click "Test Connection" and then "Refresh" to get a list of vulnerabilities in your application.
- It is recommended that you turn off autoscrolling in your output panel by selecting the lock.
More plugin documentation can be accessed in Contrast documentation.
Main view (list of vulnerabilities in your application)
Overview of the vulnerability
Security risk introduced by the vulnerability
Details of the vulnerability
HTTP Request exposing the vulnerability
Concise and actionable guidance for vulnerability remediation
Developer sandbox (private vulnerability views) enabled by:
- Filtering on vulnerability metadata: status, tags, environment, detection date, application
- Filtering on session metadata: committer, commit hash, branch, git tag, repository, test run, version, build number
You may obtain values for the following fields from your Contrast portal section "Your Account".
API Key: account authentication token
Organization ID: unique Contrast organization identifier
URL: Contrast host instance
Authorization Header: security mechanism to authenticate packet origin
Get in Touch
Drop a note to firstname.lastname@example.org for any questions, comments, and feedback!