Blind Audit (Import and Export Data)

Use Cases

The “Blind” Audit mode can be used:

  • In M&As, where the target company is not willing to share its code
  • In large-scale software development, where different teams use local copies of codebases or are unwilling to share a set of code repositories with the entire software development department

In both cases, the feature allows the results of a source code assessment to be shared without sharing the code itself.

Blind Audit Flow

The methodology consists of four steps:

  • The local team (or group of developers) installs the c2m application on a personal computer or a server and scans its codebase(s). The freemium version can be used, with the “blind” audit feature applied to the license.
  • The local group exports analysis results selectively, i.e. it can export results for a subset of products/workspaces. The exported results are password-protected and encrypted.
  • The scan results are imported into the central organization's (or buyer's) c2m installation (a licensed version is required).
  • The results are displayed in the main dashboard. Note: in this case the code preview component cannot be used, because the code is not included in the exported data.

Prerequisites for Source Code Provider (Seller)

  • Install Docker Engine on an x64 CPU with 10+ GB RAM and 20+ GB of disk space available for containers
  • On a laptop: plug in the power adapter and disable sleep mode, so that a long scan is not interrupted

Blind Audit Process Overview

  • Download the application from https://www.codewetrust.com/download
  • Unzip the downloaded file into a new, empty folder
  • Ensure that the Docker engine is installed and running
  • Scan our small test repo to confirm the setup is correct: https://github.com/cwt-test
  • Export the findings as shown in the walkthrough below
  • Share the exported file with the Auditor
  • If the process fails at any step, please share the CodeWeTrust.log file with support@codewetrust.com

Suggestions

  • You can start scanning multiple repositories without waiting for the current scan to complete. The jobs are queued and executed sequentially.
  • If you scan code from multiple local repositories, consider the “Subdirectories as repositories” option.

Blind Audit Process Walkthrough (Windows)

Install Docker Engine

Download and install the Docker engine.

BlindAudit-InstallDocker

Upon completion, you should see the Docker engine icon in the system tray. Check Docker's health status; the WSL 2 backend should be active.

BlindAudit-Docker
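The checks above (Docker running, WSL 2 backend active) and the resource prerequisites from the seller section can be verified in one go before starting a scan. The following PowerShell pre-flight script is an added example for this page, not a tool shipped by CodeWeTrust; the thresholds match the prerequisites stated above, the drive letter and the WSL distro name `docker-desktop` (which Docker Desktop registers when the WSL 2 backend is in use) are assumptions, and the NUL-stripping of `wsl -l -v` output is needed on Windows PowerShell 5.1 because `wsl.exe` prints UTF-16.

```powershell
# Added example (not CodeWeTrust's own tooling): pre-flight check for the
# seller's machine before running a blind-audit scan. Thresholds follow the
# page's prerequisites: 10+ GB RAM, 20+ GB free disk, x64 CPU, Docker running
# on the WSL 2 backend, laptop on mains power.

function Test-BlindAuditPrerequisites {
    [CmdletBinding()]
    param(
        # Assumption: the app folder and Docker's data live on the same drive.
        [string]$DriveLetter = 'C',
        [int]$MinRamGB  = 10,
        [int]$MinDiskGB = 20
    )

    $results = [ordered]@{}

    # 1. CPU architecture: Docker Desktop for Windows needs a 64-bit host.
    $results['x64 CPU'] = [System.Environment]::Is64BitOperatingSystem

    # 2. Physical memory available to the host (and thus to the WSL 2 VM).
    $ramBytes = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
    $ramGB = [math]::Round($ramBytes / 1GB, 1)
    $results["RAM >= $MinRamGB GB (found $ramGB GB)"] = $ramGB -ge $MinRamGB

    # 3. Free disk space for images, containers and scan artefacts.
    $freeGB = [math]::Round((Get-PSDrive -Name $DriveLetter).Free / 1GB, 1)
    $results["Free disk on ${DriveLetter}: >= $MinDiskGB GB (found $freeGB GB)"] = $freeGB -ge $MinDiskGB

    # 4. Docker engine reachable: `docker info` exits non-zero when the daemon is down.
    $dockerUp = $false
    if (Get-Command docker -ErrorAction SilentlyContinue) {
        & docker info *> $null
        $dockerUp = ($LASTEXITCODE -eq 0)
    }
    $results['Docker engine running'] = $dockerUp

    # 5. WSL 2 backend: Docker Desktop registers a 'docker-desktop' distro whose
    #    VERSION column reads 2 when the WSL 2 integration is active (assumption:
    #    default distro name). wsl.exe emits UTF-16, so strip NUL bytes first.
    $wsl2 = $false
    if (Get-Command wsl -ErrorAction SilentlyContinue) {
        $wslList = (& wsl -l -v 2>$null | Out-String) -replace "`0", ''
        $wsl2 = $wslList -match 'docker-desktop\s+\S+\s+2'
    }
    $results['Docker Desktop on WSL 2'] = $wsl2

    # 6. Laptop on mains power: Win32_Battery.BatteryStatus 2 means AC power is present.
    $battery = Get-CimInstance -ClassName Win32_Battery -ErrorAction SilentlyContinue
    if ($battery) {
        $results['Laptop plugged in'] = ($battery.BatteryStatus -eq 2)
    }

    foreach ($check in $results.GetEnumerator()) {
        $mark = if ($check.Value) { 'PASS' } else { 'FAIL' }
        Write-Host ("[{0}] {1}" -f $mark, $check.Key)
    }
    # $true only when every check passed.
    return -not ($results.Values -contains $false)
}

Test-BlindAuditPrerequisites
```

Run it from the folder you intend to extract the app into; if the Docker or WSL 2 lines fail, fix those before scanning, since a scan queued against a stopped engine will not produce an exportable result.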

Download and Run C2M

  • Download the app from https://www.codewetrust.com/download. Registration is required (no credit card is needed).
  • Extract the downloaded zip file into a new folder.
  • Run CodeWeTrust.exe from a command prompt.
  • Upon completion, it should look like the screenshot below.
  • Note the folder's location. For any support request, CodeWeTrust will ask for the CodeWeTrust.log file (you can inspect it with a text editor before sharing).

BlindAudit-Logs

BlindAudit-InstallLocally

Scan Your Code

Users can add a new product to scan by entering the product name and providing a link to the Git repository. History Scan allows the repository to be scanned along with its change history. Users can also change the scan settings.

BlindAudit-Cloud

Multiple repositories can be zipped into one file and scanned in one go. Select the “Subdirectories as repositories” option in this case.

BlindAudit-Zip

BlindAudit-Scan

Export the Findings

BlindAudit-Export

After the scan is completed, the user can export the findings by selecting the “BLIND AUDIT” menu button.

A password-protected and encrypted file with the .c2m extension will be exported.

BlindAudit-ExportDetail

Once the export has been completed, the user will see this popup.

BlindAudit-ExportMsg

The password-protected file can then be found in the download location on the PC.

BlindAudit-LocalFile
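The exported .c2m file travels to the auditor by mail or file sharing, so both sides want a way to confirm it arrived intact and unaltered, independently of the export password (which should be sent over a separate channel). The following PowerShell functions are an added example, not part of the CodeWeTrust product: the seller writes a SHA-256 manifest of the export folder, and the auditor verifies the downloaded files against it. The manifest format and the example paths are assumptions.

```powershell
# Added example (not CodeWeTrust's own code): integrity manifest for exported
# .c2m files. The export password is never written here; send it out of band.

function New-C2mManifest {
    param(
        [Parameter(Mandatory)] [string]$ExportFolder,
        [string]$ManifestPath = (Join-Path $ExportFolder 'c2m-manifest.txt')
    )
    # One line per export: <sha256>  <size in bytes>  <file name>
    $lines = Get-ChildItem -Path $ExportFolder -Filter '*.c2m' -File | ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        '{0}  {1}  {2}' -f $hash, $_.Length, $_.Name
    }
    Set-Content -Path $ManifestPath -Value $lines -Encoding ASCII
    return $ManifestPath
}

function Test-C2mManifest {
    param(
        [Parameter(Mandatory)] [string]$ManifestPath,
        [string]$Folder = (Split-Path -Parent $ManifestPath)
    )
    $ok = $true
    foreach ($line in Get-Content -Path $ManifestPath) {
        # Skip anything that is not a well-formed manifest line.
        if (-not ($line -match '^(?<hash>[0-9A-F]{64})\s+(?<size>\d+)\s+(?<name>.+)$')) { continue }
        $name = $Matches.name
        $path = Join-Path $Folder $name
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "missing: $name"; $ok = $false; continue
        }
        # Size check catches truncated downloads cheaply; the hash catches everything else.
        $actualSize = (Get-Item -LiteralPath $path).Length
        $actualHash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($actualSize -ne [int64]$Matches.size -or $actualHash -ne $Matches.hash) {
            Write-Warning "mismatch: $name"; $ok = $false
        } else {
            Write-Host "OK: $name"
        }
    }
    return $ok
}

# Seller side, before sharing (example path is an assumption):
#   New-C2mManifest -ExportFolder 'C:\c2m\exports'
# Auditor side, after downloading the .c2m files and the manifest into one folder:
#   Test-C2mManifest -ManifestPath 'C:\c2m\inbox\c2m-manifest.txt'
```

Send the manifest alongside the .c2m file (it contains no findings, only hashes and sizes), and the password by a different channel such as a phone call or a separate messaging app; a mismatch on the auditor side means the file should be re-sent rather than imported.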

Import the Findings

The user can import files for the blind audit using the import wizard.

BlindAudit-Improt

Enter the password for the protected file, upload it, and then import it.

BlindAudit-ImportDetail

The “consumer” (the auditor or buyer) receives the results file through mail or file sharing and activates the import functionality.

BlindAudit-ImportPro

Once the import is complete, the user will see this pop-up, and the imported results will be displayed in the dashboard.

BlindAudit-ImportMsg