When the source code has been delivered (see Application onboarding without Fast Scan - Step-by-step onboarding - Add a new version and deliver source code) it should be validated before it is accepted for analysis. This section explains how to achieve this.

Typically issues at this stage are due to missing files and other deficiencies that result in an incomplete source code delivery. Resolution includes either a request for the missing component or the decision (wherever possible) to proceed with a redefined analysis boundary that excludes the undelivered components.

Why is it important?

  • avoid time consuming rework and delay due to incomplete delivery
  • improve accuracy of analysis
  • ensure consistency with analysis scope (application boundary)


Check execution message

When all actions have been completed, you should check the Job Progress panel for a "success" message. A success message indicates that the steps have been processed correctly and completed without error. Any other message means that the version has not been added correctly and you should investigate why this is using the logs. Even if you have a "success" message, CAST highly recommends that you also investigate the logs to check for warning messages.

Interface in ≥ 2.9

Interface in older releases (≤ 2.8)



If some steps have failed or there are errors, the status message will indicate this:


If you manually stop the process the status will also indicate this:

Note that if the Progress window is not visible, you can access it by clicking the View last action outcome option in the Console window:

Check status

You should ensure that the status of the version is set to Delivered in the Version Management screen:

Check logs

To check the logs, you can click the View log option in the Job Progress panel for each individual step that has been actioned:

Interface in ≥ 2.9

Click to enlarge

Click to enlarge

Interface in older releases (≤ 2.8)

Click to enlarge

The log will be displayed in Summary mode:

Click to enlarge

Switch to Content mode to view the actual log file:

Click to enlarge

Logs can be downloaded to file using the download button while in Content mode:

Click to enlarge

Check source code organization details

Move to the Console screen if you are not already there:

Locate the Application and click it to access the Application - Overview page:

Scroll to the Overview > Source code organization section. The displayed diagram is based on an initial evaluation of the content of your source code delivery and this should be used only to help you validate the delivery.

All links between blocks are based on supposition only. Final architecture from an analysis may be different.

Check version reports (delivery alerts) and exclusions

To check what has actually been delivered in the version and what has been excluded from analysis, use the Version details page. Move to the Console screen if you are not already there:

Locate the Application and click it to access the Application - Overview page:

Click the Versions icon in the left panel to access the Application - Versions page:

Click the version in the list that you have just delivered and check the reports (this includes information about the files that have been delivered in the source code ZIP file and any delivery alerts that may have been raised). For example:

Click to enlarge

What should you do if you encounter delivery alerts?

The Alerts section lists any alerts that occurred during the creation of the version and the upload of the source code - i.e the contents are scanned and any issues are reported:

Click the + icon to expand the alert message:

Alerts come in various different types (non-exhaustive list):

Undefined variableA variable has been discovered in the source code in the source package. Console cannot detect a value for this variable and therefore an alert has been created.
Missing projectA reference to a project, library file, folder or resource has been discovered in the source code package. Console cannot detect this specific item anywhere in the source code package and therefore an alert has been created.
Missing library file
Missing folder
Missing resource
Please note that if you exclude a folder and subsequently Console finds a reference to the excluded folder, then an Alert will be generated.  If you absolutely need to exclude the folder and want to avoid an alert, you can exclude the folder contents only using a specific Regular Expression:

For example, you have a subfolder entitled "unittests" that you must exclude, however, other code references this folder and as such an Alert will be generated during the source code scan when the version is created. Use forward slashes around the folder name in your Regular Expression to force Console to ignore the contents of the folder but keep the folder itself:


Alerts generally indicate that the source code is incomplete, that there is a configuration issue or simply that there is something wrong in the source code. If these alerts are not dealt with and the Version is accepted, then there is a risk that the source code analysis will be erroneous or may not even complete. It is up to you to manage these alerts:

  • some can be easily fixed by:
    • altering the source code package configuration (for example the root folder may be incorrect)
    • by including the missing items in the source code ZIP file
  • some may be more difficult to fix and you may need to alter your original source code

Check extensions

Extensions are automatically installed for EVERY single source code Version you deliver - this means that each Version will have a specific set of extensions enabled and installed, tailored to the source code that needs to be analyzed. Console will also automatically install extensions it thinks are required, based on the initial "scan" of the source code uploaded in the ZIP file. You should therefore check to ensure that all the extensions you require are installed using the Included tab in the Application - Extensions screen. If you think additional extensions are required, use the Available tab to add more:

Accepting/Rejecting the delivery


When any issue is detected and/or unresolved questions are raised, the analysis process should be halted as the delivery cannot be accepted until these issues are fully resolved. The admin should therefore reject the delivery using the Version details page:

Click to enlarge

When the delivery is rejected, Console does not automatically notify all those involved of the rejection (notifications can be enabled on a per-user basis, see AIP Console - User Profile options). Moreover there is no justification as to why this has occurred. CAST therefore recommends that when a delivery is rejected, the admin notifies (via email) any others involved in the version delivery about the rejection, providing a reason and possible remediation actions that may be required before a a new delivery.


Accepting the delivery is a two step process that results in the transfer of the delivered source code into the Deployment folder, and sets the version as "current", ready for analysis. Use the Version details page to first accept the version:

Click to enlarge

Ensure this action is successful and that the version's status changes to Accepted:

Click to enlarge

Then set the version as current (i.e. will be used for any subsequent analysis):

Again ensure that the action is successful (the status will remain at Accepted) and that the green icon is displayed for the version indicating that it is now "current":

Note that:

  • The Accept and Set as current version actions can be run together using just the Set as current version action, which also includes Accept (see Version details page).
  • If for any reason, the delivery is rejected following the set as current version, the source code will not be removed from the Deployment folder until a new version is delivered and accepted/set as current version.

What next?

See Application onboarding without Fast Scan - Step-by-step onboarding - Review analysis configuration and execution.