Package: Invicti AppSec Enterprise (on-premise, on-demand)
Parasoft SAST
Invicti AppSec supports Parasoft as a SAST (Static Application Security Testing) scanner. This guide explains how to activate and import Parasoft scan results.
Parasoft provides comprehensive static analysis and code quality solutions for Java applications, including Jtest, dotTEST, and C/C++test.
Parasoft is an import-only scanner. Scan results are imported from Parasoft report files via the Kondukto CLI tool (KDT) or file import. No direct connection to a Parasoft server is required.
Prerequisites
Before starting the integration, ensure you have the following:
- A Parasoft scan report file (XML format) generated from a Parasoft scan
- The Kondukto CLI tool (KDT) installed and configured
Since Parasoft is an import-only integration, no API Token, URL, or connection credentials are needed. You will import scan results using the KDT CLI or the Import feature.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.
Step 2: Select the SAST Tab
On the Integrations page, you will see the Scanners section with multiple tabs. Click on the SAST tab (it is selected by default).

Step 3: Find and Activate Parasoft
Scroll through the list of SAST scanners to find Parasoft.
- If Parasoft is not activated, you will see an "Activate" button. Click it to enable the integration.
- If Parasoft is already activated, you will see a toggle switch in the ON position and a "Deactivate" button.
The scan method badges on the Parasoft card show Import and KDT, which means scan results are imported through file import or the Kondukto CLI tool (KDT). Parasoft supports Java projects.
Parasoft does not have a gear icon for connection settings since it is an import-only scanner. No configuration is needed beyond activation.
Step 4: Import Scan Results
After activating Parasoft, import scan results using one of the following methods:
Method 1: Import via KDT CLI
Use the Kondukto CLI tool to import Parasoft scan results:
kdt scan -p <project-name> -t parasoft -b <branch-name> -f <path-to-parasoft-report.xml>
Example:
kdt scan -p MyProject -t parasoft -b main -f ./reports/parasoft-results.xml
Method 2: Import via API
Use the Invicti AppSec API to programmatically import scan results as part of your CI/CD pipeline.
Step 5: Verify Import
After importing, verify that the scan results appear correctly:
- Check the Scans page for the newly imported scan.
- Review the Vulnerabilities tab to confirm findings were imported successfully.
- Verify severity levels and vulnerability details are accurate.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the SAST tab under Scanners |
| 3 | Find Parasoft and click Activate (if not already active) |
| 4 | Import results via KDT CLI or API |
| 5 | Verify imported results in the project's Scans and Vulnerabilities sections |
Create a Scan
Parasoft is an import-only scanner. It does not appear in the project scanner dropdown and cannot be configured for automated scanning from the Invicti AppSec interface. Scan results must be imported using one of the methods described in Step 4 above.
Import via KDT CLI
Use the Kondukto CLI tool to import Parasoft scan results as part of your CI/CD pipeline:
kdt scan -p <project-name> -t parasoft -b <branch-name> -f <path-to-parasoft-report.xml>
Example:
kdt scan -p MyProject -t parasoft -b main -f ./reports/parasoft-results.xml
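As an added example (not Invicti's or Kondukto's own code), the shell functions below wrap the kdt import above as a pipeline step: the report file is checked for the "Invalid XML File" and missing-file cases listed under Troubleshooting before the documented kdt command is run. It assumes kdt is on PATH when a real import is wanted, uses the page's placeholder project and branch names (MyProject, main), and uses xmllint for the XML check only when it happens to be installed.

```shell
#!/usr/bin/env bash
# Added example, not Kondukto/Invicti code: a CI step that sanity-checks a
# Parasoft XML report and only then runs the kdt import documented above.
set -u

# Reject the cases the troubleshooting list warns about (missing, empty,
# or malformed XML) before kdt ever sees the file.
check_report() {
  local report="$1"
  if [ ! -f "$report" ]; then
    echo "report not found: $report" >&2; return 1
  fi
  if [ ! -s "$report" ]; then
    echo "report is empty: $report" >&2; return 1
  fi
  if command -v xmllint >/dev/null 2>&1; then
    # Full well-formedness check when libxml2's xmllint is installed.
    xmllint --noout "$report" >/dev/null 2>&1 || {
      echo "report is not well-formed XML: $report" >&2; return 1; }
  else
    # Fallback without xmllint: the file must start with '<' and close at
    # least one element. This catches truncated exports, not every defect.
    [ "$(head -c 1 "$report")" = "<" ] || {
      echo "report does not look like XML: $report" >&2; return 1; }
    grep -q '</' "$report" || {
      echo "report has no closing tag (truncated?): $report" >&2; return 1; }
  fi
  return 0
}

# Build exactly the command this page documents (-t parasoft is the
# scanner type; project, branch and report path come from the caller).
build_kdt_command() {
  printf 'kdt scan -p %s -t parasoft -b %s -f %s' "$1" "$2" "$3"
}

# Pipeline entry point. Returns 1 on a bad report, 2 when kdt is missing,
# otherwise kdt's own exit status. DRY_RUN=1 skips the real import.
import_report() {
  local project="$1" branch="$2" report="$3"
  check_report "$report" || return 1
  echo "running: $(build_kdt_command "$project" "$branch" "$report")"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    return 0
  fi
  command -v kdt >/dev/null 2>&1 || { echo "kdt not on PATH" >&2; return 2; }
  kdt scan -p "$project" -t parasoft -b "$branch" -f "$report"
}

# Usage in a pipeline step (placeholder names from this page):
#   import_report MyProject main ./reports/parasoft-results.xml
```

Run the import step with DRY_RUN=1 in a pull-request job to validate the report without touching the Invicti AppSec project, and without it on the branch whose results should be tracked; a non-zero exit from check_report fails the job before a truncated export reaches the server.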
Troubleshooting
Import Issues
- Invalid XML File: Ensure the file is a valid Parasoft XML report format. Corrupted or incomplete files will fail to import.
- KDT Connection: Verify the KDT CLI is properly configured with a valid API token and can reach the Invicti AppSec server.
- Project Not Found: Ensure the project name specified in the KDT command matches an existing project in Invicti AppSec.
- Unsupported Format: Only Parasoft XML report format is supported. Ensure you are exporting results in the correct format.
Result Issues
- Missing Findings: Ensure the Parasoft scan completed successfully before exporting the XML report.
- Incorrect Severity Mapping: Severity mappings are based on Parasoft's classification. Review Parasoft's rule configuration if severity levels appear incorrect.
Best Practices
- Automate Imports: Integrate KDT scan imports into your CI/CD pipeline for consistent and automated result tracking.
- Use Consistent Report Format: Always export Parasoft results in the standard XML format for best compatibility.
- Consistent Naming: Use consistent project and branch naming between Parasoft and Invicti AppSec for accurate tracking.
- Regular Scans: Schedule regular Parasoft scans and import results to maintain up-to-date vulnerability data.
Limitations
- Import-Only: Parasoft is an import-only scanner. Invicti AppSec does not trigger Parasoft scans directly.
- XML Format Required: Only Parasoft XML report format is supported for import.
- No Real-Time Sync: Results are imported as point-in-time snapshots. There is no continuous synchronization with Parasoft.
- Java Focus: Parasoft integration primarily supports Java-based projects (Jtest).
Need help?
The Invicti Support team is ready to provide you with technical help. Go to the Help Center.