Polaris Support Information

Supported platforms

Polaris APIs are compatible with any operating system and hardware that can connect to the Polaris server or APIs via HTTPS.

Browser support

The Polaris web UI can be accessed using:

Table 1. Browser support
Browser Versions Provider Notes
Firefox Latest and latest - 1 Versions supported by Mozilla
Google Chrome Latest and latest - 1 Versions supported by Google
Microsoft Edge Latest and latest - 1 Versions supported by Windows 10
Safari Latest and latest - 1 Versions supported by Apple "Prevent cross-site tracking" must be disabled.
Note: Internet Explorer is not supported.

Supported tools

Table 2. Supported tools
Tool Supported version
Coverity 2024.9.1
Coverity Thin Client 2024.9.1
Bridge CLI Bundle 3.1.0
Bridge CLI Thin Client 3.1.0
Black Duck® Detect 9.10.1

Supported file types and tests

Table 3. Scan Support
Type Description
Code Upload Scans only in Coverity buildless mode; access to the build is not required.
SCM Scans only in Coverity buildless mode; access to the build is not required.
CLI Scans using Coverity buildless or CLI mode.
Table 4. SAST Language Support
Language Language Versions Code Upload (UI) SCM Integration CI via Bridge CLI (CLI)
Salesforce® Apex™ Supported Supported Supported
C/C++ C++23, C++20, C++98, C++03, C++11, C++14, C++17, C89, C99, C11 Not Supported Not Supported Supported
C# Up to C# 12 Supported Supported Supported
Dart Version Agnostic Supported Supported Supported
Go Go 1.21-1.22 Not Supported Not Supported Supported
Java Up to Java 22 Supported Supported Supported
JavaScript ECMAScript 2023 Supported Supported Supported
Kotlin Kotlin 1.9.0-2.0 Not Supported Not Supported Supported
Objective-C/C++ Not Supported Not Supported Supported
PHP Version Agnostic Supported Supported Supported
Python Python 3.x–3.12 Supported Supported Supported
Ruby Matz's Reference Impl. (MRI) 1.9.2–3.2 and equivalents (via Brakeman Pro bundled into the analysis kit) Supported Supported Supported
Swift Version Agnostic Supported Supported Supported
TypeScript TypeScript 1.0–5.2 Supported Supported Supported
Visual Basic Up to Visual Basic 16 Not Supported Not Supported Supported
Note: For the CWEs Coverity can identify in each language, see Coverity Coverage for Common Weakness Enumeration (CWE).
Table 5. Infrastructure as code: Static Testing
Language What is supported Code Upload (UI) SCM Integration CI via Bridge CLI (CLI)
IAC Platforms: AWS CloudFormation, Kubernetes, Terraform. Formats: HCL (Terraform), JSON, XML, YAML. Supported Supported Supported
Table 6. SCA Language and Package Manager Support
Package manager Language Test mode Supported Entry point Supported detectors, requirements Accuracy
Apache Ivy Various Code upload or SCM integration Not Supported
Bridge CLI (CI/CLI) Supported Ivy Build Parse Ivy Build Parse
  • Files: ivy.xml, build.xml
Low
BitBake Various Code upload or SCM integration Not Supported
Bridge CLI (CI/CLI) Supported Bitbake CLI Bitbake CLI
  • Properties: Package names
  • Files: build env script
  • Executables: bash
High
Cargo Rust All Supported Cargo Lock Cargo Lock
  • Files: Cargo.lock, Cargo.toml
High
Carthage Various All Supported Carthage Lock Carthage Lock
  • Files: Cartfile, Cartfile.resolved
High
CocoaPods Objective-C All Supported Pod Lock Pod Lock
  • Files: Podfile.lock
High
Conan C/C++ Code upload or SCM integration Supported Conan Lock Conan Lock
  • Files: conan.lock
High
Bridge CLI (CI/CLI) Supported Conan Lock Conan Lock
  • Files: conan.lock
High
Conan CLI
  • Files: conanfile.txt or conanfile.py
  • Executables: conan
High
Conan CLI Conan CLI
  • Files: conanfile.txt or conanfile.py
  • Executables: conan
High
Conda Python Code upload or SCM integration Not Supported
Bridge CLI (CI/CLI) Supported Conda CLI Conda CLI
  • Files: environment.yml.
  • Executable: conda
High
CPAN Perl Code upload or SCM integration Not Supported
Bridge CLI (CI/CLI) Supported Cpan CLI Cpan CLI
  • File: Makefile.PL
  • Executables: cpan
High
CRAN R All Supported Packrat Lock Packrat Lock
  • File: packrat.lock
High
Dart Dart Code upload or SCM integration Supported Dart PubSpec Lock Dart PubSpec Lock
  • Files: pubspec.yaml, pubspec.lock
High
Bridge CLI (CI/CLI) Supported Dart CLI Dart CLI
  • Files: pubspec.yaml, pubspec.lock
  • Executables: dart, flutter
High
Dart PubSpec Lock
  • Files: pubspec.yaml, pubspec.lock
High
Dart PubSpec Lock Dart PubSpec Lock
  • Files: pubspec.yaml, pubspec.lock
High
Go Dep Golang (Go) All Supported GoDep Lock GoDep Lock
  • Files: Gopkg.lock
High
Gogradle Golang (Go) All Supported GoGradle Lock GoGradle Lock
  • Files: gogradle.lock
High
Go Modules Golang (Go) Code upload or SCM integration Not Supported
Bridge CLI (CI/CLI) Supported GoMod CLI GoMod CLI
  • Files: go.mod
  • Executables: go
High
Go Vendor Golang (Go) All Supported Go Vendor Go Vendor
  • Files: vendor/vendor.json
High
GoVndr CLI GoVndr CLI
  • Files: vendor.conf
High
Gradle Various Code upload or SCM integration Supported Gradle Project Inspector Gradle Project Inspector
  • Files: build.gradle
Low
Bridge CLI (CI/CLI) Supported Gradle Native Inspector Gradle Native Inspector
  • Files: build.gradle or build.gradle.kts
  • Executables: gradlew or gradle
High
Gradle Project Inspector
  • Files: build.gradle
Low
Hex Erlang Code upload or SCM integration Not Supported
Bridge CLI (CI/CLI) Supported Rebar CLI Rebar CLI
  • Files: rebar.config
  • Executables: rebar3
High
Lerna Node.js Code upload or SCM integration Not Supported
Bridge CLI (CI/CLI) Supported Lerna CLI Lerna CLI
  • Files: lerna.json, package.json
  • Executables: Lerna, and one of the following:
    • package-lock.json
    • npm-shrinkwrap.json
    • yarn.lock.
High
Maven Various Code upload or SCM integration Supported Maven Project Inspector Maven Project Inspector
  • Files: pom.xml
Low
Bridge CLI (CI/CLI) Supported Maven CLI Maven CLI
  • Files: pom.xml
  • Executables: mvnw or mvn
High
Maven Project Inspector
  • Files: pom.xml
Low
Maven Wrapper CLI Maven Wrapper CLI
  • Files: pom.groovy
  • Executables: mvnw or mvn
High
Maven Project Inspector
  • Files: pom.xml
Low
npm Node.js Code upload or SCM integration Supported NPM Package Lock NPM Package Lock
  • Files: package-lock.json. For better results, include a package.json also.
High
NPM Package Json Parse NPM Package Json Parse
  • Files: package.json
Low
Bridge CLI (CI/CLI) Supported NPM Shrinkwrap NPM Shrinkwrap
  • Files: npm-shrinkwrap.json. For better results, include a package.json also.
High
NPM Package Lock
  • Files: package-lock.json. For better results, include a package.json also.
High
NPM CLI
  • Files: node_modules, package.json
  • Executables: npm
High
NPM Package Json Parse
  • Files: package-lock.json
Low
NPM Package Lock NPM Package Lock
  • Files: package-lock.json. For better results, include a package.json also.
High
NPM CLI
  • Files: node_modules, package.json
  • Executables: npm
High
NPM Package Json Parse
  • Files: package.json
Low
NPM CLI NPM CLI
  • Files: node_modules, package.json
  • Executables: npm
High
NPM Package Json Parse
  • Files: package.json
Low
NPM Package Json Parse NPM Package Json Parse
  • Files: package.json
Low
NuGet C# All Supported NuGet Solution Native Inspector NuGet Solution Native Inspector
  • Files: A solution file with a .sln extension
High
NuGet Project Inspector
  • Files: A project file with the .csproj or .sln extension
Low
NuGet Project Native Inspector NuGet Project Native Inspector
  • Files: A project file with the .csproj, .fsproj, .vbproj, .asaproj, .dcproj, .shproj, .ccproj, .sfproj, .njsproj, .vcxproj, .vcproj, .xproj, .pyproj, .hiveproj, .pigproj, .jsproj, .usqlproj, .deployproj, .msbuildproj, .sqlproj, .dbproj, or .rproj extension
High
NuGet Project Inspector
  • Files: A project file with the .csproj or .sln extension
Low
Packagist PHP All Supported Composer Lock Composer Lock
  • Files: composer.lock, composer.json
High
PEAR PHP Code upload or SCM integration Not Supported
Bridge CLI (CI/CLI) Supported Pear CLI Pear CLI
  • Files: package.xml
  • Executables: pear
High
pip Python Code upload or SCM integration Supported Pipfile Lock Pipfile Lock
  • Files: Pipfile, Pipfile.lock
High
PIP Requirements File Parse PIP Requirements File Parse
  • Files: requirements.txt
Low
Bridge CLI (CI/CLI) Supported Pipenv Lock Pipenv Lock
  • Files: Pipfile or Pipfile.lock
  • Executables: python or python3, and pipenv
High
PIP Native Inspector
  • Files: setup.py, or one or more requirements.txt
  • Executables: python and pip, or python3 and pip3
High
Pipfile Lock
  • Files: Pipfile, Pipfile.lock
High
PIP Native Inspector PIP Native Inspector
  • Files: setup.py, or one or more requirements.txt
  • Executables: python and pip, or python3 and pip3
High
Pipfile Lock
  • Files: Pipfile, Pipfile.lock
High
Pipfile Lock Pipfile Lock
  • Files: Pipfile, Pipfile.lock
High
PIP Requirements File Parse PIP Requirements File Parse
  • Files: requirements.txt
Low
pnpm Node.js All Supported Pnpm Lock Pnpm Lock
  • Files: pnpm-lock.yaml, package.json.
High
Poetry Python All Supported Poetry Lock Poetry Lock
  • Files: Poetry.lock, pyproject.toml
High
RubyGems Ruby All Supported Gemfile Lock Gemfile Lock
  • Files: Gemfile.lock
High
Gemspec Parse
  • Files: A gemspec file with the .gemspec extension
Low
Gemspec Parse Gemspec Parse
  • Files: A gemspec file with the .gemspec extension
Low
SBT Scala Code upload or SCM integration Not Supported
Bridge CLI (CI/CLI) Supported Sbt Native Inspector Sbt Native Inspector
  • Files: build.sbt
  • Plugins: Dependency Graph
High
Swift Swift Code upload or SCM integration Supported Swift Lock Swift Lock
  • Files: Package.swift, Package.resolved
High
Bridge CLI (CI/CLI) Supported Swift Lock Swift Lock
  • Files: Package.swift, Package.resolved
High
Swift CLI
  • Files: Package.swift
  • Executables: swift
High
Swift CLI Swift CLI
  • Files: Package.swift
  • Executables: swift
High
Xcode Swift All Supported Xcode Workspace Lock Xcode Workspace Lock
  • Directories: *.xcworkspace
High
Xcode Project Lock
  • Directories: *.xcodeproj
  • Files: Package.resolved
High
Xcode Project Lock Xcode Project Lock
  • Directories: *.xcodeproj
  • Files: Package.resolved
High
Yarn Node.js All Supported Yarn Lock Yarn Lock
  • Files: yarn.lock, package.json
High
Note: Package manager version requirements are only applicable to tests created with Bridge CLI (when testing relies on/requires access to executables). N/A in the table below indicates buildless capture is used to test projects that depend on the package manager.
Table 7. SCA Package Manager Versions (latest)
Package manager Latest supported version
Apache Ivy N/A
BitBake 2.6.0 (Yocto 4.3.2)
Cargo N/A
Carthage N/A
CocoaPods N/A
Conan 2.0.14
Conda 4.10.3
CPAN Cpan Script 1.678, CPAN.pm 2.36, Cpanm 1.7047

CRAN N/A
Dart Dart 3.1.2, Flutter 3.13.4

Go Dep N/A
Gogradle N/A
Go Modules 1.20.4
Go Vendor N/A
Gradle 8.2.1
Hex Rebar 3.20.0
Lerna 6.6.2
Maven 3.8.1
npm Node v20.5.1, npm 9.8.1

NuGet NuGet 6.2 (.NET runtime is not required with 7.13.0)

Packagist N/A
PEAR 1.10.12
pip 23.1.2
pnpm 8.9.2
Poetry N/A
RubyGems 2.0.0
SBT 1.5.0
Swift 5.6.1
Xcode N/A
Yarn 4.1.0

Source code upload limitations

Limits in the table below apply when you upload source code to start SAST and SCA tests.

Table 8. Source code upload limitations
Type Size limits
Single file 1 GB
ZIP file 2 GB
Maximum file count 200,000 files
Note: For code uploads (when you start a test by uploading source code manually), filenames can include letters, digits, and the characters “.”, “-” and “_”. No other characters or spaces are allowed.

Supported Source Code Management (SCM) systems

Support matrix for the SCM systems from which a single repository can be integrated into Polaris. Bulk onboarding is supported only for GitHub; see Prerequisites in How to Integrate Multiple SCM Repositories.

Table 9. Supported SCM systems
SCM Offering Plan/Subscription/Version Deployment type URL Polaris support
GitHub GitHub Standard GitHub Free, GitHub Pro, GitHub free for Organizations, GitHub Team Cloud https://github.com YES
GitHub Enterprise Cloud Cloud https://github.com YES
GitHub Enterprise Server Supported Versions: 3.11-3.12 Self-hosted <variable> YES
GitLab GitLab SaaS Free, Premium, Ultimate Cloud https://gitlab.com YES
GitLab self-managed (self-hosted) Core, Premium, Ultimate; Supported Versions: 15.11-16.0 on-premises or cloud <variable> YES
Azure DevOps Cloud <variable> (Example: https://<<username>>@dev.azure.com/<<username>>/<<projectName>>/_git/<<projectName>>) YES
Bitbucket Cloud https://bitbucket.org/ YES
Supported Versions: 8.9 - 8.19 Self-hosted YES

Supported third-party tools

You can import SAST and SCA issue data from any of the following third-party tools.

Note: You can upload one file (up to 2 GB) for each external analysis test. Each file you upload can only include one type of issue data (SAST or SCA).
Table 10. Supported third-party tools
Tool Results File format
Android Lint SAST XML or Zip
Brakeman SAST JSON
Black Duck Binary Analysis SCA CSV or JSON
Checkmarx SAST XML
Checkstyle SAST XML
Clang SAST ZIP
Note: Clang outputs one HTML file per checked source file. The ZIP you upload can include one or more HTML files.
Clippy SAST JSON
CodePeer SAST CSV
Coverity SAST JSON
CppCheck SAST XML
DefenseCode ThunderScan SAST JSON
Dependency-Check SCA XML
ErrCheck SAST TXT
error-prone SAST TXT
ESLint SAST JSON
Fortify SAST FPR
FxCop SAST XML
Gendarme SAST XML
GitLab Security SAST JSON
GoCyclo SAST TXT
GoLint SAST TXT
GoSec SAST TXT
HCL AppScan Source SAST OZASMT
HCL AppScan on Cloud (ASoC) SAST XML
SCA XML
Helix QAC SAST CVS
IneffAssign SAST TXT
JFrog Xray SCA JSON
JLint SAST TXT
JSHint SAST TXT
Microsoft Code Analysis SAST TXT or TSV
MobSF SAST JSON
MobSF Scan SAST JSON
NDepend SAST XML
OCLint SAST XML
Parasoft JTest/C++Test/dotTest SAST XML
PHP_CodeSniffer SAST XML
PHPMD SAST XML
PMD SAST XML
Pylint SAST JSON
Rapid Scan SAST (Sigma) SAST JSON
Retire.js SCA JSON
SafeSQL SAST TXT
SARIF SAST JSON
SATE SAST XML
Scalastyle SAST XML
SCARF SAST XML
SciTools Understand SAST CSV
Semgrep SAST JSON
Snyk Open Source SCA JSON
SonarQube Generic Issue Import Format SAST JSON
SpotBugs/FindBugs SAST XML
Software Risk Manager SAST XML
SCA XML
Staticcheck SAST JSON
TFLint SAST SARIF JSON
TruffleHog SAST JSON
Veracode SAST ZIP or XML
SCA ZIP or XML
Vet SAST JSON
WPScan SCA JSON
ZPA SAST JSON