# SAST Scanner

## Table of Contents

1. [Purpose](#purpose)
2. [Quick Start](#quick_start)
3. [Usage](#usage)

### Purpose <a href="#purpose" id="purpose"></a>

A **Static Application Security Testing (SAST)** scan is employed to **analyze source code for security vulnerabilities** at an early stage in the development process.

### Quick Start <a href="#quick_start" id="quick_start"></a>

Use the following command to detect code vulnerabilities in the current directory and upload the results to the Xygeni Platform:

```bash
xygeni sast -n MyProject --upload
```

{% hint style="info" %}
The SAST scanner can be run in two different ways:

* Running its own specific command ( `xygeni sast [options]` )
* Running the general command ( `xygeni scan --run="sast" [options]` )
{% endhint %}

Export code vulnerabilities with critical severity to CSV for review, or to import the findings into other tools:

```bash
xygeni sast -n MyProject --detectors critical \
            --format csv --output MyProject.misconfs.csv
```

### Usage <a href="#usage" id="usage"></a>

The SAST Scanner is launched using the `xygeni sast [options]` command.

To view all available options, use the `--help` flag:

```bash
xygeni sast --help
```

The most important properties are:

* **Name** of the Xygeni Project: `-n` or `--name`.
* **Input source** to analyze. Either specify a **directory** with `-d` or `--dir`, or specify a **repository** with `--repo`. When no target is specified, the scan analyzes the current working directory.
* **Upload** results to the service with `--upload`. By default, results are not uploaded.
* **Output file** (`-o` or `--output`) and **format** (`-f` or `--format`). If no output file is specified (or `stdout` / `-` is given), results are written to standard output. Use `--format=none` to produce no output.
* Specify which detectors to run with the `--detectors` / `--skip-detectors` options. A common use case is to consider only issues with high or critical severity, with `--detectors=high`.
* The *resource kinds* to be scanned can also be tailored with the `--kinds` / `--skip-kinds` options.

```text
Configuration options:
  -c, --conf=<config>        Configuration filepath template (filename will be prefixed by 'SCAN.')
      --[no-]conf-download   Download scanner config? (default: true)
      --detectors=SCAN=list[|SCAN=list...]
                             Detectors to include per stage. <list> is comma-separated of detector IDs, a severity or 'all'.
                             Example: --detectors secrets=high|iac=critical|misconf=all
      --skip-detectors=SCAN=list[|SCAN=list...]
                             Detectors to exclude per stage. <list> is comma-separated list of detector IDs, or a severity.
      --custom-detectors-dir=<customDetectorsDir>
                             Directory with custom detectors.
```
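The following shell function is an added example (it is not part of the Xygeni documentation or the Xygeni CLI) showing how a CI job can compose the `xygeni sast` command line from the options described above: project name, directory or repository target (falling back to the current working directory when no target is given), a `--detectors` filter, optional `--upload`, and an optional CSV output file. The function name `run_sast`, its argument order and the `DRY_RUN` variable are assumptions made for this example; the only `xygeni` options used are the ones documented on this page.

```shell
#!/bin/sh
# Added example, not Xygeni's own code: build (and optionally run) a
# `xygeni sast` command from CI-style parameters.
#
# Usage: run_sast NAME [TARGET] [DETECTORS] [upload] [OUTPUT_CSV]
#   NAME       Xygeni project name (required, passed as -n)
#   TARGET     "" for the current directory, a local path (--dir),
#              or a git URL (--repo)
#   DETECTORS  value for --detectors, e.g. "high" or "sast=critical"
#   upload     the literal word "upload" adds --upload (default: no upload)
#   OUTPUT_CSV if set, results go to this file as CSV instead of stdout
#
# Set DRY_RUN=1 to print the composed command instead of executing it.
run_sast() {
  name=$1; target=$2; detectors=$3; upload=$4; output=$5

  if [ -z "$name" ]; then
    echo "run_sast: a Xygeni project name is required (-n)" >&2
    return 1
  fi

  # Build the argument list positionally so paths with spaces stay intact.
  set -- xygeni sast -n "$name"

  case "$target" in
    "") ;;                                  # no target: scanner uses the cwd
    http://*|https://*|git@*) set -- "$@" --repo "$target" ;;
    *)                        set -- "$@" --dir "$target" ;;
  esac

  if [ -n "$detectors" ]; then
    # e.g. "high" (severity threshold) or "sast=critical" (per-stage syntax)
    set -- "$@" --detectors "$detectors"
  fi

  if [ "$upload" = upload ]; then
    set -- "$@" --upload                    # results are not uploaded unless asked
  fi

  if [ -n "$output" ]; then
    set -- "$@" --format csv --output "$output"
  fi

  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}
```

In a pipeline, a typical call is `run_sast "$CI_PROJECT_NAME" "" high upload` for a pull-request check that only reports high and critical findings, while a scheduled job might pass a CSV path so the findings can be archived or imported elsewhere.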

### Currently Supported Programming Languages and Technologies

* C#
* Go
* HTML
* Java
* JavaScript
* Kotlin
* PHP
* Python
* Swift

