SAST Scanner Configuration
The SAST scanner is configured in the YAML file conf/xygeni.sast.yml. Command-line arguments take priority over the properties in this file.
```yaml
# Configuration for the xygeni SAST scanner.
# Arguments from the command line have priority over properties in this file.

# Includes: list of glob patterns to include in the analysis.
#
# A pattern may use ** (to match zero or more directories), * (zero or more characters
# within a directory or file name), and ? (exactly one character).
# Examples: **/*.txt matches all files with the 'txt' extension. **/test/** matches all files under any 'test' directory.
#
# If empty, ALL files are matched.
# The command-line argument -i or --include is used instead when specified.
#
# A file is analyzed when it is matched by 'includes' AND NOT matched by 'excludes'.
includes: []

# Excludes: list of glob patterns to exclude from the analysis.
# If empty, NO file is excluded.
# The command-line argument -e or --exclude is used instead when specified.
excludes:
  - ".git/**/*"
  - ".vscode/**/*"
  - "build/**/*"
  - "dev/**/*"
  - "**/__pycache__/**/*"
  - "**/.eggs/**/*"
  - "**/bower_components/**/*"
  - "**/integration/**/*"
  - "**/locales/**/*"
  - "**/node_modules/**/*"
  - "**/.xygeni.*.json"

# mode=sequential runs analyzers one after another;
# mode=parallel runs analyzers in multiple threads, when the analyzer supports parallel runs.
mode: parallel

# Parallelism specification (when mode=parallel):
# 'auto', 'sequential', a number N, or one of 'availableProcessors + N',
# 'availableProcessors - N', 'availableProcessors * N', 'availableProcessors / N'.
# 'auto' means 'availableProcessors - 1'; 'sequential' means 1.
# 'min(v1, v2)' means the minimum of the two values.
# For example, 'min(availableProcessors - 1, 4)' is 4 when there are more than 4 cores, or cores - 1 otherwise.
parallelism: auto
#parallelism: min(availableProcessors - 1, 4)

# Timeout, in seconds, for the whole analysis to complete. 0 or a negative value means no timeout.
timeout: 1200

# Timeout, in seconds, for parsing a single file. 0 or a negative value means no timeout.
parsingTimeout: 20

# Maximum CCN (cyclomatic complexity) allowed for units (functions, classes, modules) when performing path navigation.
# Increasing this may improve accuracy but also increases execution time; use with care.
# When a unit's CCN is higher than this threshold, a direct navigation is performed instead, which takes less time.
maxAllowedComplexity: 19

# Commit resolution policy. One of: 'always', 'never', 'auto'.
# 'auto' means that commit info is disabled if too many findings are reported. For benchmarking projects, commit resolution can be disabled.
# 'never' means that commit resolution is disabled. No commit info (author, timestamp, commit ID and branch) is reported.
# 'always' means that commit resolution is enabled unconditionally.
commitResolution: auto

# When set to 'true', the tainting analyzer reports only the first source found for every sink.
# When 'false', all paths are analyzed and every source reaching a sink is reported.
reportOnlyFirstPath: false

# Config for reporters
report:
  - format: json
    prettyPrint: true
  - format: sarif
    prettyPrint: true
  - format: csv
    # Allowed values: severity, kind, cwe, detector, file, beginLine, endLine, details, code, commit, user, exposure, tags
    columns: [ "severity", "kind", "cwe", "detector", "file", "beginLine", "endLine", "tags", "details", "code" ]
    # Order specification. 'default' lists the most severe first, then by language, cwe, file and line.
    # One of 'default', 'language_cwe', 'detector', 'exposure' or 'newest'. Leave blank for no sort.
    sort: default
  - format: text
    # Allowed values: severity, kind, cwe, detector, file, beginLine, endLine, details, code, commit, user, exposure, tags
    columns: [ "severity", "details", "tags", "file", "beginLine" ]
    # Order specification. 'default' lists the most severe first, then by kind, file and line.
    # One of 'default', 'language_cwe', 'detector', 'exposure' or 'newest'. Leave blank for no sort.
    sort: default
    # The style for table borders.
    # One of 'full', 'none', 'outside', 'inside', 'horizontal', 'vertical', 'topbottom'.
    # Use 'default' for a border that works well on the underlying OS.
    borders: full
    # The block characters to use: 'ascii' (uses '+', '|', '-' and '=')
    # or 'utf8' for UTF-8 block characters.
    # Use 'default' for the encoding that works best on the underlying OS.
    bordersEncoding: utf8

# The detectors used for detecting code vulnerabilities
# are configured in resource files under sast/*.yml.
# List of detectors to run: IDs or a severity.
# runDetectors: ['high'] runs all detectors with severity 'high' or greater.
# runDetectors: ['hidden_file_extension'] runs only the listed detectors.
# Leave empty for no restriction (all detectors that are not disabled are run).
# The command-line property --detectors overrides this.
runDetectors: []

# Same format as runDetectors, but for skipping the selected detectors.
# skipDetectors: ['high'] skips all detectors with severity 'high' or lower.
# Leave empty for no restriction (all detectors that are not disabled are run).
# The command-line property --skip-detectors overrides this.
skipDetectors: []
```
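The include/exclude rules above are easy to misjudge: the default excludes silently drop every file under any directory named `integration` or `locales`, which is frequently application code rather than fixtures, and `**/test/**` does not match a `tests/` directory. The following Python script is an added example, not part of Xygeni's documentation or code base. It implements the glob rules exactly as the comments describe them (`**` is zero or more directories, `*` and `?` match within a single name, and a file is analyzed when it is matched by `includes` AND NOT matched by `excludes`, with empty `includes` matching everything) and reports which pattern dropped each file. The file list is constructed for illustration; the scanner's own matcher may differ in corner cases not covered by the comments.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Default 'excludes' from conf/xygeni.sast.yml as shown on this page.
DEFAULT_EXCLUDES: List[str] = [
    ".git/**/*", ".vscode/**/*", "build/**/*", "dev/**/*",
    "**/__pycache__/**/*", "**/.eggs/**/*", "**/bower_components/**/*",
    "**/integration/**/*", "**/locales/**/*", "**/node_modules/**/*",
    "**/.xygeni.*.json",
]


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a pattern using the documented rules: '**' matches zero or
    more directories, '*' zero or more chars within one name, '?' one char."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):   # 'a/**/b' must also match 'a/b'
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):  # trailing '**': everything below
            out.append(".*")
            i += 2
        elif pattern[i] == "*":            # never crosses a '/'
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))


def normalize(path: str) -> str:
    """Repo-relative path with forward slashes, the form the patterns expect."""
    path = path.replace("\\", "/")
    return path[2:] if path.startswith("./") else path


def first_match(path: str, patterns: Iterable[str]) -> Optional[str]:
    """Return the first pattern that matches the whole path, or None."""
    for pattern in patterns:
        if glob_to_regex(pattern).fullmatch(path):
            return pattern
    return None


def select_files(paths: Iterable[str], includes: List[str],
                 excludes: List[str]) -> Tuple[List[str], Dict[str, str]]:
    """Apply 'analyzed when matched by includes AND NOT matched by excludes'.
    Returns (analyzed paths, {skipped path: reason it was skipped})."""
    analyzed: List[str] = []
    skipped: Dict[str, str] = {}
    for raw in paths:
        path = normalize(raw)
        if includes and first_match(path, includes) is None:
            skipped[path] = "not matched by includes"
            continue
        hit = first_match(path, excludes)
        if hit is not None:
            skipped[path] = f"excluded by {hit!r}"
            continue
        analyzed.append(path)
    return analyzed, skipped


# Constructed sample tree (not a real project), chosen to show the surprises.
SAMPLE_TREE = [
    "src/app/main.py",
    "src/integration/payment_client.py",   # real code, dropped by '**/integration/**/*'
    "src/locales/en/messages.py",          # dropped by '**/locales/**/*'
    "tests/test_main.py",                  # NOT excluded: defaults have no test pattern
    "build/lib/app.py",
    "node_modules/left-pad/index.js",
    "packages/web/node_modules/x/y.js",
    ".xygeni.sast.json",
    "vendor/.xygeni.findings.json",
    "README.md",
]

if __name__ == "__main__":
    analyzed, skipped = select_files(SAMPLE_TREE, [], DEFAULT_EXCLUDES)
    print("analyzed:")
    for path in analyzed:
        print(f"  {path}")
    print("skipped:")
    for path, why in skipped.items():
        print(f"  {path}: {why}")
```

Run it against the output of `git ls-files` before trusting a scan: every path listed under "skipped" is code the SAST analysis never sees, so an over-broad default such as `**/integration/**/*` should be removed from `excludes` when that directory holds production code.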
Keep custom detectors in a separate directory and pass it with the --custom-detectors-dir command-line option, so that scanner updates do not overwrite your configuration.

Detectors are configured in separate YAML files located under the conf/sast directory of the scanner installation. A sample _template.yml_ file in that directory can be used as a starting point for your own detectors.