Understanding Coverity on Polaris

Note: This platform is renamed Coverity on Polaris. Unless otherwise specified, references to Polaris or Polaris Software Integrity Platform in this documentation are referring to Coverity on Polaris.

Coverity on Polaris provides a comprehensive, aggregated view of application security with the ability to examine and manage individual issues.

Coverity on Polaris is a cloud service specifically tailored to companies that need to do the following:

  • Scan code in the cloud through an enterprise-scale service.
  • Incorporate application security testing into the DevOps pipeline.
  • Integrate results from multiple Synopsys tools into a single report, using Coverity on Polaris Reporting Platform, which can incorporate results from Black Duck, Coverity, Seeker, and Managed Services Portal.

It contains Coverity, a fast, accurate, and highly scalable static application security testing (SAST) solution. (See Understanding Coverity for more information.)

Automation

Coverity on Polaris allows your DevOps team to automate SAST testing by using APIs or by using plug-in integrations with common tools, such as GitHub, Bamboo, Jenkins, Jira, and Azure DevOps.

Access to Data

The Coverity on Polaris web interface allows everyone in your organization to share an aggregated view of application security with the ability to examine and manage individual issues.

  • Managers, security teams, and other interested parties can see the current status, historical trends, and recent test results. This allows everyone to see the security posture of any application or of the entire organization.
  • Developers can view issues directly in their development environments using a Code Sight plug-in, which means many issues are fixed before code gets checked in, without slowing the speed of development.

Deployment types

Coverity on Polaris offers two deployment configurations. The main difference is where the Coverity analysis engine runs:

  • In the cloud (central analysis): The Coverity Analysis engine runs on the Polaris server in the cloud. Coverity on Polaris offers a reduced set of Coverity analysis commands, but it simplifies SAST by making configuration optional. This is a typical deployment.
  • On the build server (local analysis): Coverity on your build server keeps SAST analysis onsite and uploads the results to the Polaris server. See the Coverity Documentation for details. (This deployment is different from a standard Coverity installation, which employs Coverity Connect for displaying issue data, rather than the Polaris server.)

Either approach can take full advantage of the benefits available through Coverity on Polaris:

  • Use the services available through the Polaris web interface, such as issue lifecycle management and analytics. You can group your issues by project or application and see the total number of issues at each severity level (critical, high, medium, low). You can triage your issues, assign ownership to team members, and export them as Jira issues.
  • Incorporate SAST testing into the CI/CD pipeline and speed up the process of DevSecOps.
  • Use a Code Sight plug-in to connect IDEs with your Polaris server so developers can easily find and remove vulnerabilities before committing code.

Support and Compatibility

  • Support for platforms, languages, and compilers differs between Coverity on Polaris and on-premises Coverity: Coverity on Polaris supports a smaller number of languages and platforms. See the Coverity support matrixes for additional information.
  • Coverity on Polaris supports most of the recent versions of Coverity, usually versions that are less than a year old.