CAST Highlight is a SaaS software intelligence platform that provides rapid portfolio analysis for application modernization, cloud migration, and open-source risk management.
The platform combines automated code inspection with business context surveys to deliver strategic insights across hundreds of applications within days.
What is CAST Highlight?
CAST Highlight sits at the intersection of software composition analysis and portfolio management.
While traditional SCA tools focus narrowly on vulnerability detection, CAST Highlight takes a broader view by assessing applications across multiple dimensions: cloud readiness, software composition risks, technical debt, and business value alignment.
The platform is designed for organizations managing large application portfolios who need to make informed decisions about modernization, migration, and retirement.
By analyzing source code alongside business context questionnaires, CAST Highlight provides a complete picture that technical metrics alone cannot deliver.
CAST Highlight differs from pure SCA tools by also covering cloud blocker identification, green IT metrics, and resiliency analysis.
This makes it particularly valuable for enterprises undertaking digital transformation initiatives.
Key Features
Portfolio-Scale Analysis
Analyze hundreds of applications rapidly:
- Scan entire portfolios in days, not months
- Automatic technology detection across 60+ languages
- Consistent scoring methodology across all applications
- Executive dashboards with drill-down capability
- Comparative analysis between applications
- Trend tracking over time
Software Composition Analysis
Identify and manage open-source risks:
- Component inventory with version tracking
- Known vulnerability mapping (CVE database)
- License compliance identification
- Risk scoring based on multiple factors
- Obsolescence and end-of-life detection
- SBOM generation in standard formats
Cloud Readiness Assessment
Evaluate applications for cloud migration:
- Cloud blockers identification (stateful components, file system dependencies)
- Platform-specific recommendations (AWS, Azure, GCP)
- Containerization readiness scoring
- Microservices transformation potential
- Refactoring effort estimation
Technical Debt Analysis
Understand codebase health:
- Code complexity metrics
- Maintainability scoring
- Dead code detection
- Architectural anti-pattern identification
- Remediation effort estimation
Installation and Setup
Agent-Based Scanning
CAST Highlight uses a lightweight agent to analyze source code:
# Download the CAST Highlight agent
curl -O https://download.casthighlight.com/agent/HighlightAgent.zip
unzip HighlightAgent.zip

# Configure the agent
cat > highlight-config.json << EOF
{
  "applicationName": "my-application",
  "companyId": "YOUR_COMPANY_ID",
  "apiKey": "YOUR_API_KEY",
  "sourceDir": "/path/to/source",
  "technologies": ["Java", "JavaScript"]
}
EOF

# Run the scan
java -jar HighlightAgent.jar -config highlight-config.json
Command-Line Interface
# Install the CAST Highlight CLI
npm install -g @cast-highlight/cli

# Authenticate
cast-highlight configure --api-key YOUR_API_KEY --company-id YOUR_COMPANY_ID

# Scan a repository
cast-highlight scan \
  --application "my-application" \
  --source ./src \
  --upload

# Generate SBOM
cast-highlight sbom \
  --application "my-application" \
  --format cyclonedx \
  --output sbom.json
Chrome Extension
The CAST Highlight Chrome extension enables on-demand scanning while browsing repositories:
- Install the extension from the Chrome Web Store
- Navigate to a GitHub, GitLab, or Bitbucket repository
- Click the CAST Highlight icon in your browser toolbar
- View immediate security and risk analysis
- Export findings or add to your portfolio
Integration
GitHub Actions
name: CAST Highlight Analysis
on:
  push:
    branches: [main]
  schedule:
    - cron: '0 0 * * 0' # Weekly Sunday midnight
jobs:
  highlight-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Java
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '17'
      - name: Download CAST Highlight Agent
        run: |
          curl -O https://download.casthighlight.com/agent/HighlightAgent.zip
          unzip HighlightAgent.zip
      - name: Run CAST Highlight Scan
        env:
          HIGHLIGHT_API_KEY: ${{ secrets.CAST_HIGHLIGHT_API_KEY }}
          HIGHLIGHT_COMPANY_ID: ${{ secrets.CAST_HIGHLIGHT_COMPANY_ID }}
        run: |
          java -jar HighlightAgent.jar \
            --apiKey "$HIGHLIGHT_API_KEY" \
            --companyId "$HIGHLIGHT_COMPANY_ID" \
            --applicationName "${{ github.repository }}" \
            --sourceDir . \
            --upload
      - name: Generate SBOM
        env:
          # Pass the secret through the environment, as in the scan step,
          # instead of interpolating it into the script text
          HIGHLIGHT_API_KEY: ${{ secrets.CAST_HIGHLIGHT_API_KEY }}
        run: |
          java -jar HighlightAgent.jar sbom \
            --apiKey "$HIGHLIGHT_API_KEY" \
            --applicationName "${{ github.repository }}" \
            --format cyclonedx \
            --output sbom.json
      - name: Upload SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.json
GitLab CI
stages:
  - analyze
cast-highlight:
  stage: analyze
  image: openjdk:17-slim
  variables:
    HIGHLIGHT_API_KEY: $CAST_HIGHLIGHT_API_KEY
    HIGHLIGHT_COMPANY_ID: $CAST_HIGHLIGHT_COMPANY_ID
  script:
    - apt-get update && apt-get install -y curl unzip
    - curl -O https://download.casthighlight.com/agent/HighlightAgent.zip
    - unzip HighlightAgent.zip
    # Variables are quoted so values containing spaces or shell
    # metacharacters are passed as a single argument
    - |
      java -jar HighlightAgent.jar \
        --apiKey "$HIGHLIGHT_API_KEY" \
        --companyId "$HIGHLIGHT_COMPANY_ID" \
        --applicationName "$CI_PROJECT_NAME" \
        --sourceDir . \
        --upload
    - |
      java -jar HighlightAgent.jar sbom \
        --apiKey "$HIGHLIGHT_API_KEY" \
        --applicationName "$CI_PROJECT_NAME" \
        --format spdx \
        --output sbom-spdx.json
  artifacts:
    paths:
      - sbom-spdx.json
    expire_in: 90 days
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_PIPELINE_SOURCE == "schedule"
REST API Integration
# Get application portfolio summary
curl -X GET "https://api.casthighlight.com/v1/portfolio/summary" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "X-Company-Id: YOUR_COMPANY_ID"

# Retrieve application details
curl -X GET "https://api.casthighlight.com/v1/applications/{appId}" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "X-Company-Id: YOUR_COMPANY_ID"

# Export SBOM via API
curl -X GET "https://api.casthighlight.com/v1/applications/{appId}/sbom?format=cyclonedx" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "X-Company-Id: YOUR_COMPANY_ID" \
  -o sbom.json

# Get open source risk report
curl -X GET "https://api.casthighlight.com/v1/applications/{appId}/opensource/risks" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "X-Company-Id: YOUR_COMPANY_ID"
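Whichever route produces the CycloneDX `sbom.json` (CLI, CI job or API export), the file can be reviewed before it is archived. The script below is an added example, not CAST Highlight code: it reads a CycloneDX JSON document and reports components without a version, licenses that need review, and vulnerability entries by highest severity. The sample SBOM, the license allow-list and the function names are constructed for illustration.

```python
import json
from collections import Counter

ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}  # constructed policy
SEVERITIES = ["unknown", "none", "info", "low", "medium", "high", "critical"]
SAMPLE_SBOM = json.dumps({  # constructed CycloneDX document, stands in for sbom.json
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "a", "name": "lib-alpha", "version": "1.2.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "b", "name": "lib-beta", "version": "0.9.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"bom-ref": "c", "name": "lib-gamma"},  # no version, no license
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "affects": [{"ref": "b"}],
         "ratings": [{"severity": "medium"}, {"severity": "high"}]},
    ],
})

def license_ids(component):
    """SPDX ids, free-text names or expressions declared on one component."""
    out = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        out.append(lic.get("id") or lic.get("name") or entry.get("expression"))
    return [x for x in out if x]

def review_sbom(text, allowed=ALLOWED_LICENSES):
    """Summarise what needs a human look before the SBOM is archived."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON document")
    components = bom.get("components", [])
    by_ref = {c.get("bom-ref"): c.get("name") for c in components}
    report = {"unversioned": [], "license_review": [], "severity": Counter(), "affected": set()}
    for comp in components:
        ids = license_ids(comp)
        if not comp.get("version"):
            report["unversioned"].append(comp["name"])
        # Missing licenses, and anything off the allow-list, go to manual review.
        if not ids or any(i not in allowed for i in ids):
            report["license_review"].append(comp["name"])
    for vuln in bom.get("vulnerabilities", []):
        sevs = [r["severity"] for r in vuln.get("ratings", []) if r.get("severity") in SEVERITIES]
        report["severity"][max(sevs or ["unknown"], key=SEVERITIES.index)] += 1
        for hit in vuln.get("affects", []):
            report["affected"].add(by_ref.get(hit.get("ref"), hit.get("ref")))
    return report
```

Compound license expressions such as `MIT OR Apache-2.0` are not parsed here, so they land in `license_review` rather than passing silently.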
When to Use CAST Highlight
CAST Highlight is the right choice when you need:
- Portfolio-level visibility across dozens or hundreds of applications
- Cloud migration planning with technical feasibility assessment
- Strategic decision support combining technical and business metrics
- Executive reporting for modernization initiatives
- SBOM generation with multiple export formats
- Quick insights without deep integration requirements
Consider alternatives if you:
- Need real-time CI/CD integration with build blocking (consider Snyk or Black Duck)
- Focus purely on vulnerability management without portfolio analysis
- Have a small number of applications that don’t justify portfolio tooling
- Require deep license compliance analysis (consider FOSSA or Black Duck)
CAST Highlight works best alongside operational SCA tools.
Use Highlight for strategic portfolio analysis and planning, while deploying tools like Snyk or Dependabot for day-to-day vulnerability detection in CI/CD pipelines.