# SAST Scanner

## Table of Contents

1. [Purpose](#purpose)
2. [Quick Start](#quick_start)
3. [Usage](#usage)

### Purpose <a href="#purpose" id="purpose"></a>

A **Static Application Security Testing (SAST)** scan **analyzes source code for security vulnerabilities** early in the development process, before the code is built, deployed or run, so that findings can be fixed while they are still cheap to fix.

### Quick Start <a href="#quick_start" id="quick_start"></a>

Use the following command to detect code vulnerabilities in the current directory and upload the results to the Xygeni Platform:

```bash
xygeni sast -n MyProject --upload
```

{% hint style="info" %}
The SAST scanner can be run in two different ways:

* Running its own specific command ( `xygeni sast [options]` )
* Running the general command ( `xygeni scan --run="sast" [options]` )
{% endhint %}

Export code vulnerabilities with critical severity to CSV, for review or to import the findings into other tools:

```bash
xygeni sast -n MyProject --detectors critical \
            --format csv --output MyProject.sast.csv
```

### Usage <a href="#usage" id="usage"></a>

The SAST Scanner is launched using the `xygeni sast [options]` command.

To view all available options, use the `--help` flag:

```bash
xygeni sast --help
```

The most important properties are:

* **Name** of the Xygeni Project: `-n` or `--name`.
* **Input source** to analyze. Either specify a **directory** with `-d` or `--dir`, or a **repository** with `--repo`. When no target is given, the scan analyzes the current working directory.
* **Upload** results to the service: `--upload`. By default, results are not uploaded.
* **Output file** (`-o` or `--output`) and **format** (`-f` or `--format`). If no output file is specified, or `stdout` / `-` is given, results are written to standard output. Use `--format=none` to produce no output.
* Specify which detectors to run with the `--detectors` / `--skip-detectors` options. A common use case is to report only issues of high or critical severity with `--detectors=high` (a severity acts as a lower bound, so `high` includes `critical`).
* The *resource kinds* to be scanned can also be tailored with the `--kinds` / `--skip-kinds` options.

```bash
Configuration options:
  -c, --conf=<config>        Configuration filepath template (filename will be prefixed by 'SCAN.')
      --[no-]conf-download   Download scanner config? (default: true)
      --detectors=SCAN=list[|SCAN=list...]
                             Detectors to include per stage. <list> is a comma-separated list of detector IDs, a severity or 'all'.
                             Example: --detectors secrets=high|iac=critical|misconf=all
      --skip-detectors=SCAN=list[|SCAN=list...]
                             Detectors to exclude per stage. <list> is a comma-separated list of detector IDs, or a severity.
      --custom-detectors-dir=<customDetectorsDir>
                             Directory with custom detectors.
```
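The options above are typically combined into a CI gate: run the scan into a CSV report, count the findings per severity, and fail the pipeline when the budget is exceeded. The script below is an added example of that pattern and is not part of the Xygeni CLI or its documentation. It uses only the flags shown on this page (`-n`, `-d`, `--detectors`, `--format csv`, `--output`, `--upload`); it assumes that `xygeni` is on `PATH` and that the CSV report has a header row with a `severity` column whose values are lower-case severity names. The sample report embedded in it is constructed for illustration, and the scanner's exit-code behaviour is not relied on because the page does not document it.

```python
"""CI gate around `xygeni sast` (added example, not Xygeni's own code).

Assumptions not confirmed by the docs page:
  - `xygeni` is on PATH
  - the CSV written with `--format csv` has a header row with a column
    named `severity` holding lower-case values such as `critical`, `high`
"""
import csv
import io
import subprocess
import sys
from collections import Counter
from pathlib import Path

# Constructed sample of a CSV report. The header and column names are an
# assumption of this example; adjust `column` in count_by_severity() if the
# real report differs.
SAMPLE_CSV = """detector,severity,file,line,message
sql_injection,critical,src/db/query.py,42,"Untrusted input reaches SQL query"
path_traversal,high,src/files/download.py,17,"User-controlled path joined without normalization"
weak_hash,low,src/auth/legacy.py,8,"MD5 used for password hashing"
xss,high,web/templates/render.js,3,"Unescaped value written to innerHTML"
"""

SEVERITIES = ("critical", "high", "medium", "low", "info")


def sast_command(project, output, min_severity="high", directory=None, upload=False):
    """Build the `xygeni sast` command line from the options documented above."""
    cmd = ["xygeni", "sast", "-n", project,
           "--detectors", min_severity,          # severity acts as a lower bound
           "--format", "csv", "--output", str(output)]
    if directory is not None:
        cmd += ["-d", str(directory)]            # default is the current directory
    if upload:
        cmd.append("--upload")                   # results are not uploaded by default
    return cmd


def count_by_severity(csv_text, column="severity"):
    """Count findings per severity in a CSV report (column name is assumed)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        sev = (row.get(column) or "").strip().lower()
        if sev:
            counts[sev] += 1
    return counts


def within_budget(counts, budget):
    """True when no severity exceeds its allowed count.

    `budget` maps severity -> maximum allowed findings; a severity that is
    absent from `budget` is unlimited.
    """
    return all(counts.get(sev, 0) <= limit for sev, limit in budget.items())


def run_gate(project, directory=".", budget=None, upload=False):
    """Run the scan, parse its CSV report and return (counts, ok)."""
    budget = budget if budget is not None else {"critical": 0, "high": 5}
    report = Path(f"{project}.sast.csv")
    cmd = sast_command(project, report, min_severity="high",
                       directory=directory, upload=upload)
    # The scanner's exit-code convention is not documented on the page, so the
    # gate decides from the report content rather than from the return code.
    subprocess.run(cmd, check=False)
    counts = count_by_severity(report.read_text(encoding="utf-8"))
    return counts, within_budget(counts, budget)


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "MyProject"
    found, ok = run_gate(name, upload="--upload" in sys.argv)
    for sev in SEVERITIES:
        print(f"{sev:>8}: {found.get(sev, 0)}")
    sys.exit(0 if ok else 1)
```

Run it as `python sast_gate.py MyProject [--upload]` from the repository root. With the default budget (no critical findings, at most five high ones) the constructed sample report would fail the gate because of its single critical finding; tighten or loosen `budget` per project rather than editing the detector selection, so the full high/critical report is still uploaded and visible to reviewers.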

### Currently Supported Programming Languages and Technologies

* C#
* Go
* HTML
* Java
* JavaScript
* Kotlin
* PHP
* Python
* Swift
