SAST Scanner

Purpose

A Static Application Security Testing (SAST) scan is employed to analyze source code for security vulnerabilities at an early stage in the development process.

Quick Start

Use the following command to detect code vulnerabilities in the current directory and upload the results to the Xygeni Platform:

xygeni sast -n MyProject --upload

The SAST scanner can be run in two different ways:

  • Running its own specific command (xygeni sast [options])

  • Running the general command (xygeni scan --run="sast" [options])

Export code vulnerabilities with critical severity to CSV, either for review or to import the findings into other tools:

xygeni sast -n MyProject --detectors critical \
            --format csv --output MyProject.misconfs.csv

Usage

The SAST Scanner is launched using the xygeni sast [options] command.

To view all available options, use the --help flag:

xygeni sast --help

The most important properties are:

  • Name of the Xygeni Project -n or --name.

  • Input source to analyze. Either specify a directory with -d or --dir, or a repository with --repo. When no target is specified, the current working directory is analyzed.

  • Upload results to the service --upload. By default, results are not uploaded.

  • Output file (-o or --output) and format (-f or --format). If no output file is specified (or stdout / - are used), the standard output is used. Use --format=none for no output.

  • Specify what detectors to run with the --detectors / --skip-detectors options. A common use-case is to consider only issues with high or critical severity with --detectors=high.

  • The resource kinds to be scanned can also be tailored with the --kinds / --skip-kinds options.

Configuration options:
  -c, --conf=<config>        Configuration filepath template (filename will be prefixed by 'SCAN.')
      --[no-]conf-download   Download scanner config? (default: true)
      --detectors=SCAN=list[|SCAN=list...]
                             Detectors to include per stage. <list> is a comma-separated list of detector IDs, a severity or 'all'.
                             Example: --detectors secrets=high|iac=critical|misconf=all
      --skip-detectors=SCAN=list[|SCAN=list...]
                             Detectors to exclude per stage. <list> is a comma-separated list of detector IDs, or a severity.
      --custom-detectors-dir=<customDetectorsDir>
                             Directory with custom detectors.
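The SCAN=list[|SCAN=list...] syntax used by --detectors and --skip-detectors is easy to get wrong in CI scripts, so the following added example (not part of Xygeni or this page) parses and validates such a value before it is passed to the scanner. It assumes the only severity names are the two the page mentions ('critical', 'high'; pass a longer tuple if the tool accepts more) and that detector IDs look like plain identifiers, both of which are assumptions rather than documented facts.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Severity names the page itself mentions; the real scanner may accept more.
# Assumption: callers pass an extended tuple via `severities` if so.
PAGE_SEVERITIES = ("critical", "high")

# Assumed detector-ID shape (e.g. 'sql_injection', 'xss-reflected'); the page
# does not document the real naming pattern.
_DETECTOR_ID = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]*$")


@dataclass
class StageSelection:
    """Detector selection for one scan stage such as 'sast' or 'secrets'."""
    stage: str
    severity: Optional[str] = None        # a severity name, e.g. 'high'
    all_detectors: bool = False           # the literal 'all'
    detector_ids: list = field(default_factory=list)


def parse_detectors_option(value: str, severities=PAGE_SEVERITIES) -> dict:
    """Parse SCAN=list[|SCAN=list...] into {stage: StageSelection}.

    Each <list> is a severity, the word 'all', or comma-separated detector
    IDs. The help text presents these as alternatives, so mixing a severity
    or 'all' with detector IDs in one stage is rejected, as is an empty or
    repeated stage.
    """
    result = {}
    for entry in value.split("|"):
        stage, sep, spec = entry.partition("=")
        stage, spec = stage.strip(), spec.strip()
        if not sep or not stage or not spec:
            raise ValueError(f"malformed stage entry {entry!r}")
        if stage in result:
            raise ValueError(f"stage {stage!r} given twice")
        sel = StageSelection(stage=stage)
        if spec == "all":
            sel.all_detectors = True
        elif spec in severities:
            sel.severity = spec
        else:
            ids = [tok.strip() for tok in spec.split(",")]
            bad = [t for t in ids if t in severities or t == "all" or not _DETECTOR_ID.match(t)]
            if bad:
                raise ValueError(f"invalid detector list entries {bad} for stage {stage!r}")
            sel.detector_ids = ids
        result[stage] = sel
    return result
```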
