CAST Highlight is a SaaS software intelligence platform for portfolio-level analysis of application modernization, cloud migration, and open-source risk. It scans hundreds of applications across 60+ technologies within days, combining automated code inspection with business context surveys.
With the Black Duck 2026 OSSRA report now in its eleventh consecutive edition — a post-Synopsys rebrand of the same research series — portfolio-level visibility into software composition has become a board-level concern.
Unlike pure SCA tools that focus on vulnerability detection, CAST Highlight assesses applications across multiple dimensions: cloud readiness, software composition risks, technical debt, and business value alignment. It is designed for organizations managing large application portfolios making decisions about modernization, migration, and retirement.
What is CAST Highlight?
CAST Highlight scans source code to inventory open-source components, map vulnerabilities, identify cloud blockers, and measure technical debt. It pairs this with business context questionnaires to give a complete picture that technical metrics alone cannot provide.
Key features
Supported technologies
| Category | Technologies |
|---|---|
| Enterprise | Java, C#, COBOL, ABAP, PL/SQL, RPG |
| Web | JavaScript, TypeScript, PHP, Ruby, Python |
| Systems | C, C++, Go, Rust |
| Mobile | Swift, Kotlin, Objective-C |
| Data | SQL, R, MATLAB |
| Other | Scala, Perl, Shell, PowerShell |
| Total | 60+ technologies with automatic detection |
SBOM export formats
| Format | Output type |
|---|---|
| CycloneDX | Standard machine-readable SBOM |
| SPDX | ISO-standard SBOM format |
| Excel | Spreadsheet for portfolio analysis |
| Word | Document for stakeholder reports |
| PowerPoint | Presentation-ready summaries |
| XML | Machine-readable export |
Portfolio-scale analysis
Scan hundreds of applications in days. Automatic technology detection across 60+ languages with consistent scoring methodology.
Executive dashboards show comparative analysis and trend tracking over time.
Software composition analysis
Component inventory with version tracking, CVE vulnerability mapping, license compliance identification, risk scoring, obsolescence detection, and SBOM generation in standard formats.
Cloud readiness assessment
Identifies cloud blockers (stateful components, filesystem dependencies), provides platform-specific recommendations (AWS, Azure, GCP), scores containerization readiness, and estimates refactoring effort.
Technical debt analysis
Measures code complexity, maintainability scoring, dead code detection, architectural anti-pattern identification, and remediation effort estimation.
Dependency scanning and supported languages
CAST Highlight runs dependency scanning as part of its SCA Insights module. The Code Reader parses package manifests and source across 25+ languages and frameworks — Java, C#, JavaScript, TypeScript, Python, PHP, Ruby, Go, C/C++, Swift, Kotlin, Scala, plus enterprise stacks like COBOL, ABAP, PL/SQL, and RPG. Each scan classifies components, maps vulnerabilities, and records license information for every direct dependency in the manifest.
Scan depth vs CAST Imaging
CAST Highlight’s strength is portfolio-scale throughput — hundreds of applications in days — not deep architectural introspection. Teams that need call-graph-level analysis of a single application typically run CAST Imaging alongside Highlight; Highlight is the portfolio lens, Imaging is the code-understanding microscope.
Transitive dependencies and malicious package detection
CAST Highlight surfaces transitive dependencies through the Code Reader’s OSS Dependency Map. Direct components in the manifest are expanded into their downstream libraries, and each transitive node inherits its own CVE and license metadata. Transitive depth is controlled by scan configuration — the default scan has to be explicitly tuned to include the full transitive graph.
On malicious-package detection, CAST Highlight is honest about its lane: it is built for portfolio-level intelligence and open-source risk posture rather than real-time supply-chain attack detection. Typosquat and maintainer-compromise flags are not the product’s focus. Teams that need active supply-chain-attack catchup typically pair CAST Highlight with a runtime-focused SCA such as Socket or Snyk Open Source for npm-and-PyPI malicious-package coverage.
Installation and Setup
Agent-Based Scanning
CAST Highlight uses a lightweight agent to analyze source code:
# Download HighlightAutomation from the CAST Highlight portal
# (requires authentication — URL is provided after login)
unzip HighlightAutomation.zip
# Run a scan
java -jar HighlightAutomation.jar \
--workingDir /path/to/source \
--applicationName "my-application" \
--companyId YOUR_COMPANY_ID \
--serverUrl https://rpa.casthighlight.com
Command-Line Interface
The Java-based CLI (HighlightAutomation.jar) supports automation and CI/CD integration:
# Run a scan from the command line
java -jar HighlightAutomation.jar \
--apiKey YOUR_API_KEY \
--companyId YOUR_COMPANY_ID \
--applicationName "my-application" \
--sourceDir ./src \
--upload
# Run with a properties file for reusable configuration
java -jar HighlightAutomation.jar -config highlight.properties
Chrome Extension
The CAST Highlight Chrome extension enables on-demand scanning while browsing repositories:
- Install the extension from the Chrome Web Store
- Navigate to a GitHub, GitLab, or Bitbucket repository
- Click the CAST Highlight icon in your browser toolbar
- View immediate security and risk analysis
- Export findings or add to your portfolio
Integration
GitHub Actions
name: CAST Highlight Analysis
on:
push:
branches: [main]
schedule:
- cron: '0 0 * * 0' # Weekly Sunday midnight
jobs:
highlight-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Java
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '17'
- name: Download CAST Highlight Agent
run: |
# Download from the CAST Highlight portal (requires authentication)
# See: https://doc.casthighlight.com/product-tutorials-third-party-tools/automated-code-scan-command-line/
curl -O https://rpa.casthighlight.com/api/agents/HighlightAutomation.zip
unzip HighlightAutomation.zip
- name: Run CAST Highlight Scan
env:
HIGHLIGHT_API_KEY: ${{ secrets.CAST_HIGHLIGHT_API_KEY }}
HIGHLIGHT_COMPANY_ID: ${{ secrets.CAST_HIGHLIGHT_COMPANY_ID }}
run: |
java -jar HighlightAutomation.jar \
--apiKey $HIGHLIGHT_API_KEY \
--companyId $HIGHLIGHT_COMPANY_ID \
--applicationName "${{ github.repository }}" \
--sourceDir . \
--upload
- name: Generate SBOM
run: |
java -jar HighlightAutomation.jar sbom \
--apiKey ${{ secrets.CAST_HIGHLIGHT_API_KEY }} \
--applicationName "${{ github.repository }}" \
--format cyclonedx \
--output sbom.json
- name: Upload SBOM
uses: actions/upload-artifact@v4
with:
name: sbom
path: sbom.json
GitLab CI
stages:
- analyze
cast-highlight:
stage: analyze
image: openjdk:17-slim
variables:
HIGHLIGHT_API_KEY: $CAST_HIGHLIGHT_API_KEY
HIGHLIGHT_COMPANY_ID: $CAST_HIGHLIGHT_COMPANY_ID
script:
- apt-get update && apt-get install -y curl unzip
# Download from the CAST Highlight portal (requires authentication)
# See: https://doc.casthighlight.com/product-tutorials-third-party-tools/automated-code-scan-command-line/
- curl -O https://rpa.casthighlight.com/api/agents/HighlightAutomation.zip
- unzip HighlightAutomation.zip
- |
java -jar HighlightAutomation.jar \
--apiKey $HIGHLIGHT_API_KEY \
--companyId $HIGHLIGHT_COMPANY_ID \
--applicationName $CI_PROJECT_NAME \
--sourceDir . \
--upload
- |
java -jar HighlightAutomation.jar sbom \
--apiKey $HIGHLIGHT_API_KEY \
--applicationName $CI_PROJECT_NAME \
--format spdx \
--output sbom-spdx.json
artifacts:
paths:
- sbom-spdx.json
expire_in: 90 days
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $CI_PIPELINE_SOURCE == "schedule"
REST API Integration
CAST Highlight exposes a REST API at rpa.casthighlight.com/WS2/ using Basic authentication:
# Get applications in a domain
curl -X GET "https://rpa.casthighlight.com/WS2/domains/{domainId}/applications/" \
-H "Authorization: Basic $(echo -n 'user:password' | base64)"
# Get application details
curl -X GET "https://rpa.casthighlight.com/WS2/domains/{domainId}/applications/{appId}" \
-H "Authorization: Basic $(echo -n 'user:password' | base64)"
# Get third-party components for an application
curl -X GET "https://rpa.casthighlight.com/WS2/domains/{domainId}/applications/{appId}/thirdparty" \
-H "Authorization: Basic $(echo -n 'user:password' | base64)"
Setup
When to use CAST Highlight
CAST Highlight is the right choice for organizations managing large application portfolios that need strategic decision support alongside SCA capabilities.
Strengths:
- Portfolio-level visibility across hundreds of applications
- Cloud readiness assessment with migration planning
- 60+ technology support including COBOL and ABAP
- SBOM export in 6+ formats (CycloneDX, SPDX, Excel, Word, PPT, XML)
- Chrome extension for quick repository scanning
Limitations:
- Not designed for real-time CI/CD build blocking
- SCA capabilities lighter than dedicated tools
- Better for strategic analysis than daily vulnerability management
- Commercial only
How it compares:
| vs. | Key difference |
|---|---|
| Black Duck | Black Duck has deeper SCA and license compliance. CAST Highlight adds cloud readiness, technical debt, and portfolio-level strategic analysis. |
| Snyk Open Source | Snyk is a developer-first CI/CD scanner. CAST Highlight is a portfolio analysis platform. Complementary tools for different use cases. |
Further reading: What is SCA? | What is SBOM?
CAST Highlight pricing
CAST Highlight is a SaaS subscription, licensed by application-portfolio size and edition rather than per-user. The castsoftware.com/highlight/pricing page lists four editions — Complete, Cloud Insights, SCA Insights, and Green Insights — scaled across portfolio-size tiers (up to 25, 100, 250, 500, and 1,000 applications).
Only one specific number is published publicly: single-application subscriptions are listed at roughly $6,800 per named application per year, with concierge services stripped out. Anything larger than a single application is quoted through sales. Annual renewal is automatic with a 60-day cancellation notice.
The edition names map to what the scan covers: Complete includes Core, Cloud Insights, SCA Insights, Green Insights, SBOM Manager, and AI Advisor; the narrower editions peel those modules off to fit a specific portfolio question (cloud migration, OSS risk only, resource efficiency). There is no permanent free tier — CAST offers a 14-day risk-free trial instead.
Re-check the pricing page before budgeting — CAST adjusts edition bundles between releases.
CAST Highlight alternatives
CAST Highlight sits in a thin competitive slice — portfolio-level analysis plus lightweight SCA. The closest alternatives each replace a subset of what it covers.
Snyk Open Source
Snyk Open Source is the developer-grade CI/CD SCA that most teams pair with CAST Highlight rather than compare head-to-head. Snyk wins when the primary need is day-to-day vulnerability remediation inside pipelines; CAST Highlight wins when the need is a portfolio-wide view across dozens of applications and stakeholder-ready SBOM exports.
Black Duck
Black Duck is the classic enterprise SCA with deeper license-compliance tooling and broader binary-analysis support. Black Duck fits when legal and compliance depth is the core requirement; CAST Highlight fits when cloud-readiness and technical-debt framing sit alongside the SCA layer.
Mend SCA
Mend SCA pairs SCA with Renovate-powered dependency-update automation. Mend is the right pick when the need is continuous remediation PRs across a polyglot portfolio; CAST Highlight doesn’t ship update automation and instead frames findings as portfolio-risk rollups for planning.
Sonatype Lifecycle
Sonatype Lifecycle is a policy-heavy SCA centered on artifact-repository enforcement (Nexus Repository). Sonatype is the right pick when the control point is the artifact pipeline; CAST Highlight is a different layer — strategic portfolio analysis rather than build-time policy gating.
For broader context, see the SCA tools overview and open-source SCA tools.
CAST Highlight FAQ
What best describes CAST Highlight?
CAST Highlight is a SaaS software intelligence platform for portfolio-level analysis — cloud readiness, technical debt, open-source risk, and SBOM export across hundreds of applications in days. It is not a developer-pipeline SCA scanner; it is the portfolio lens that executives, architects, and procurement use on top of pipeline-level tools.
What languages does the Code Reader support?
The Code Reader parses 25+ languages and frameworks, including Java, C#, JavaScript, TypeScript, Python, PHP, Ruby, Go, C/C++, Swift, Kotlin, Scala, COBOL, ABAP, PL/SQL, and RPG. The supported-technologies table on this page lists the groupings CAST Highlight uses internally.
Can CAST Highlight replace a traditional SCA tool like Snyk?
No — and the vendor doesn’t position it that way. CAST Highlight’s SCA Insights module covers inventory, CVE mapping, license signals, and SBOM export at the portfolio level. Teams that need day-to-day, developer-facing vulnerability management typically keep Snyk Open Source or a similar pipeline tool and use CAST Highlight for cross-portfolio risk rollups.
Is CAST Highlight SaaS or on-prem?
CAST Highlight is SaaS. The Code Reader / HighlightAutomation CLI runs locally to analyze source, but scan results upload to CAST’s SaaS platform for dashboards, portfolio rollups, and SBOM export. There is no advertised on-prem deployment of the analysis platform itself.
How long does a portfolio scan take?
Vendor marketing frames it as “hundreds of applications in days.” Actual wall time depends on portfolio size, codebase sizes, and how much transitive depth you enable in scan configuration; single-application scans typically finish within minutes once the Code Reader is tuned.
