Manual

Sensei can also be run from a headless environment. This is useful when Sensei has to be integrated into a build pipeline. To do this, Sensei runs in IntelliJ's headless mode.

How to run IntelliJ from the command line is described in the JetBrains documentation.

Usage

Before running, make sure that the IntelliJ instance that will be used has the Sensei plugin installed, has the necessary cookbooks configured, and has an inspection profile that includes the recipes. All of these things can be done from within IntelliJ.

Note

The project://.sensei location is checked and loaded if it contains a cookbook.

If all the requirements are met, the headless scan can be started with the following command: idea inspect /path/to/target/project /path/to/inspection/xml/file path/to/result/output/folder

Getting an inspection profile

The headless scan requires an inspection profile: a file that records which inspections are enabled, the scope of the analysis and the severity. IntelliJ uses this profile to know which analyses it has to run.

By default, every IntelliJ project has a project default inspection profile (project_folder/.idea/inspectionProfiles/Project_Default.xml). This profile contains all inspections that are active for that project, including the Sensei recipes (because they are loaded as inspections).

When running the headless scanner with this profile, it will include results for the standard IntelliJ inspections. A separate profile can be created to disable all standard inspections and limit the scan to just Sensei recipes.

Creating a Sensei only inspection profile

Creating a new inspection profile with only Sensei inspections can be done in IntelliJ IDEA | Preferences | Editor | Inspections (macOS) or File | Settings | Editor | Inspections (Windows and Linux).


Duplicate the Project Default profile: press the cog wheel icon and click Duplicate.... Once duplicated, disable all the other inspections whilst leaving the ones under Sensei by Secure Code Warrior™ enabled.


When running the headless scan, be sure to choose the profile with the Sensei inspections. The newly created profile can also be exported so it can be used from another location and not just from the project directory.

Output

Running Sensei headlessly produces two kinds of output: the report created by IntelliJ (XML by default) and an output.json file created by Sensei.

The output.json created by Sensei contains the scan results, which recipes were used for the scan, and some metadata such as a timestamp and the branch on which the scan ran.

{
   "scan_results": [
      {
            "recipe_id": "c982ea81-2447-4d25-801d-151825edd924",
            "cookbook_id": "5225232b-e0cb-49fd-82df-463db3a3fdd1",
            "marking_count": 2,
            "compliant_marking_count": 0
      }
   ],
   "metadata": {
      "schema_version": "1.0.0",
      "project_name": "DemoProject",
      "branch": "main",
      "timestamp": 1616146601
   },
   "recipe_information": [
      {
            "cookbook_id": "5225232b-e0cb-49fd-82df-463db3a3fdd1",
            "recipe": [
               {
                  "recipe_id": "c982ea81-2447-4d25-801d-151825edd924",
                  "severity": 1,
                  "is_enabled": true,
                  "sub_category": "",
                  "recipe_name": "Don't use System.out.println use a logger instead",
                  "category": ""
               }
            ],
            "cookbook_location": "project://.sensei",
            "cookbook_name": "project"
      }
   ]
}
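A build-pipeline consumer for this file, added here as an example that is not part of Sensei or of this manual: it joins scan_results to recipe_information on recipe_id and turns the counts into a pass/fail gate. It assumes (the page does not say so) that a marking counted in compliant_marking_count is already fixed, so open findings per recipe are marking_count minus compliant_marking_count.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample, reduced from the output.json shown above.
SAMPLE_OUTPUT_JSON = """{
  "scan_results": [
    {"recipe_id": "c982ea81-2447-4d25-801d-151825edd924",
     "cookbook_id": "5225232b-e0cb-49fd-82df-463db3a3fdd1",
     "marking_count": 2, "compliant_marking_count": 0}
  ],
  "metadata": {"schema_version": "1.0.0", "project_name": "DemoProject",
               "branch": "main", "timestamp": 1616146601},
  "recipe_information": [
    {"cookbook_id": "5225232b-e0cb-49fd-82df-463db3a3fdd1",
     "recipe": [{"recipe_id": "c982ea81-2447-4d25-801d-151825edd924",
                 "severity": 1, "is_enabled": true, "sub_category": "",
                 "recipe_name": "Don't use System.out.println use a logger instead",
                 "category": ""}],
     "cookbook_location": "project://.sensei", "cookbook_name": "project"}
  ]
}"""

def load_findings(text: str) -> List[Dict]:
    """Join scan_results with recipe_information on recipe_id.
    Assumption (not stated on the page): a compliant marking is already fixed,
    so open findings per recipe = marking_count - compliant_marking_count."""
    data = json.loads(text)
    if data.get("metadata", {}).get("schema_version") != "1.0.0":
        raise ValueError("unexpected output.json schema_version")
    recipes: Dict[str, Dict] = {}
    for cookbook in data.get("recipe_information", []):
        for recipe in cookbook.get("recipe", []):
            recipes[recipe["recipe_id"]] = dict(recipe, cookbook_name=cookbook.get("cookbook_name", ""))
    findings = []
    for result in data.get("scan_results", []):
        info = recipes.get(result["recipe_id"], {})  # tolerate a recipe missing from recipe_information
        findings.append({
            "recipe_id": result["recipe_id"],
            "recipe_name": info.get("recipe_name", "<unknown recipe>"),
            "cookbook_name": info.get("cookbook_name", ""),
            "severity": info.get("severity", 0),
            "open": result["marking_count"] - result.get("compliant_marking_count", 0),
        })
    return findings

def gate(findings: List[Dict], max_open: int = 0) -> Tuple[bool, int]:
    """Return (passed, total open findings); the build fails when the total exceeds max_open."""
    total_open = sum(f["open"] for f in findings)
    return total_open <= max_open, total_open
```

In a pipeline step, read the output.json written to the result folder, call gate(load_findings(text)) and exit non-zero when the first element is False.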