Kiuwan provides SAST and SCA solutions that use an on-premise standalone Java application for the scanning of source code, then sends the results file to the Kiuwan cloud for augmentation and additional analysis. This Java scanner is called the Kiuwan Local Analyzer (KLA). The KLA can be run as a headless CLI tool, or with a GUI.
In addition, Kiuwan provides the option of an IDE Plug-In, from which you can initiate not only KLA scans but also scans from other AST tools. In this post, we’ll compare these two options and discuss when you might want to use each.
Pros of using the Kiuwan Local Analyzer
The Kiuwan Local Analyzer is a Java standalone application that is installed directly on your local machine or server from which you can launch scans of your source code. Kiuwan is designed in a way that multiple scans can be launched in parallel. To do so, you only need to start multiple instances of the Local Analyzer at the same time. These instances can be either in GUI mode or via CLI.
Kiuwan encourages developers to launch scans directly from the Kiuwan Local Analyzer.The reasons for this recommendation are pretty straightforward:
- Initiating scans directly from an IDE has the potential to become a blocking event – tying up IDE resources while the scan is performed. There are agents that are designed to be non-blocking and run parallel scans, or in parallel with in-progress development.
- The code that is being scanned from the IDE may not have been saved or committed to repo yet. This is not a significant issue, generally, but tends to indicate scanning on code that is not complete (scanning on the fly on half-baked files) and begs the question of “why not just finish your thought and get your code stable, save/pull request, then scan at some good stopping point?”.
- Encouraging scans outside the IDE encourages developers to save their work and stay in the development mindset. It also allows Kiuwan to offload the actual scanning to processes outside of the IDE but also potentially off of the developer machines entirely.
Running a SAST/SCA scan marks a change in thinking and flow — changing from a development mindset, past a debug mindset on to something that is more akin to a testing/optimization mindset. Each change in mindset presents as a cost to the development’s speed and flow.
Pros of using the IDE Plug-In
There is definitely value to having some amount of SAST/SCA available in the IDE.
All Kiuwan IDE plug-ins (for Eclipse, IntelliJ and Visual Studio) pull scan results into IDE viewer panels. Developers can quickly get to the individual lines that require attention with a single click.
Static application security testing (SAST) with Kiuwan IDE Plug-In Viewer mode
With the Kiuwan Eclipse plug-in in Analyzer mode, it’s possible to start a scan directly from the IDE, which saves the time that would otherwise be required to start the KLA and upload the code to it.
In Conclusion
Kiuwan encourages developers not to launch scans directly from the IDE but rather from sidecar agents such as the Kiuwan Local Analyzer. However, using the IDE plug-in also has its benefits, making it easier for developers to fix found vulnerabilities.
Work smarter, not harder — and let Kiuwan help you. And if you want to request a trial of the Kiuwan Local Analyzer or the IDE Plug-In, contact our sales team today!
