# SAST Scanner Configuration

### SAST Scanner Configuration

The [**SAST Scanner**](/xygeni-products/code-security-cs/ci-cd-scanner.md) is configured in the **YAML file** `conf/xygeni.sast.yml`.

```yaml
# Configuration for xygeni Sast scanner.
# Arguments from command line have priority over properties in this file.

# Includes: list of glob patterns to include in analysis.
#
# A pattern could use ** (to match zero or more directories), * (zero or more characters
# in a directory or file name), and ? (one character).
# Examples: **/*.txt matches all files with 'txt' extension. **/test/** matches all files under any test directory.
#
# If empty, ALL files will be matched.
# The command-line argument -i or --include will be used when specified.
#
# A file is analyzed when matched by 'includes' AND NOT matched by 'excludes'.
includes: []

# Excludes: list of glob patterns to exclude from analysis.
# If empty, NO file will be excluded.
# The command-line argument -e or --exclude will be used when specified.
excludes:
  - ".git/**/*"
  - ".vscode/**/*"
  - "build/**/*"
  - "dev/**/*"
  - "**/__pycache__/**/*"
  - "**/.eggs/**/*"
  - "**/bower_components/**/*"
  - "**/integration/**/*"
  - "**/locales/**/*"
  - "**/node_modules/**/*"
  - "**/.xygeni.*.json"

# mode=sequential runs the analyzers one after another;
# mode=parallel runs the analyzers in multiple threads, when the analyzer is capable of parallel runs.
mode: parallel

# Parallelism specification (when mode=parallel):
# 'auto', 'sequential', a number N, or one of 'availableProcessors + N',
# 'availableProcessors - N', 'availableProcessors * N', 'availableProcessors / N'
# 'auto' means 'availableProcessors - 1', 'sequential' means 1
# 'min(v1, v2)' means the minimum between the two values.
# For example, 'min(availableProcessors - 1, 4)' is 4 if the number of cores is greater than 4, or cores - 1 otherwise.
parallelism: auto
#parallelism: min(availableProcessors - 1, 4)

# Timeout, in seconds, for the analysis to complete. 0 or negative means no timeout.
timeout: 18000

# Timeout, in seconds, for processing a source file. 0 or negative means no timeout.
fileTimeout: 45

# Maximum CCN (cyclomatic complexity number) allowed for units (functions, classes, modules) when performing path navigation.
# Increasing this may increase both the accuracy and the execution time; use wisely.
# When the CCN of a unit is higher than this threshold, a direct navigation is performed instead, which takes less time.
maxAllowedComplexity: 19

# Commit resolution policy. One of: 'always', 'never', 'auto'.
# 'auto' means that commit info is disabled if too many findings are reported. For benchmarking projects, commit resolution can be disabled.
# 'never' means that commit resolution is disabled. No commit info (author, timestamp, commit ID and branch) will be reported.
# 'always' means that commit resolution is enabled unconditionally.
commitResolution: auto

# When set to 'true' the tainting analyzer will only report the first source for every sink.
# When false, all the paths will be analyzed and all the sources reaching a sink will be reported.
reportOnlyFirstPath: false

# Config for reporters
report:
  - format: json
    prettyPrint: true

  - format: sarif
    prettyPrint: true

  - format: csv

    # Allowed values: severity, kind, detector, file, beginLine, endLine, details, code, commit, user, exposure, tags
    columns: [ "severity", "kind", "cwe", "detector", "file", "beginLine", "endLine", "tags", "details", "code" ]

    # Order specification. 'default' lists highest severity first, then by language, cwe, file and line.
    # One of 'default', 'language_cwe', 'detector', 'exposure' or 'newest'. Blank for no sort.
    sort: default

  - format: text

    # Allowed values: severity, kind, detector, file, beginLine, endLine, details, code, commit, user, exposure, tags
    columns: [ "severity", "details", "tags", "file", "beginLine" ]

    # Order specification. 'default' lists highest severity first, then by kind, file and line.
    # One of 'default', 'language_cwe', 'detector', 'exposure' or 'newest'. Blank for no sort.
    sort: default

    # The style for table borders.
    # One of 'full', 'none', 'outside', 'inside', 'horizontal', 'vertical', 'topbottom'.
    # Use 'default' for border that works well for the underlying OS.
    borders: full

    # The block characters to use: 'ascii' (use '+', '|', '-' and '=')
    # or 'utf8' for UTF-8 block characters.
    # Use 'default' for the encoding that works best for the underlying OS.
    bordersEncoding: utf8

# The detectors to use for detecting code vulnerabilities
# are configured in resource files under sast/*.yml

# List of detectors to run: IDs or severity.
# runDetectors: ['high'] will run all detectors with severity 'high' or greater.
# runDetectors: ['hidden_file_extension'] will run these.
# Leave empty for no restriction (all detectors not disabled will be chosen).
# Command-line property --detectors overrides this.
runDetectors: []

# Same format as runDetectors, but for skipping the selected detectors.
# skipDetectors: ['high'] will skip all detectors with severity 'high' or lower.
# Leave empty for no restriction (all detectors not disabled will be chosen).
# Command-line property --skip-detectors overrides this.
skipDetectors: []

```
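The `includes`/`excludes` rule in the comments above ("a file is analyzed when matched by 'includes' AND NOT matched by 'excludes'", with `**`, `*` and `?` semantics) decides the scanner's blind spots: anything the excludes catch is never looked at. The following added example (not Xygeni's code; the matching semantics are implemented from the comments, and the sample file list is constructed) applies the default exclude list from the YAML above to a repository listing so you can review which files would be skipped before a scan runs.

```python
import re
from typing import Iterable, List, Tuple

# Default lists copied from the xygeni.sast.yml shown above. 'includes' is empty there,
# which per the config comments means every file is a candidate for analysis.
DEFAULT_INCLUDES: List[str] = []
DEFAULT_EXCLUDES: List[str] = [
    ".git/**/*", ".vscode/**/*", "build/**/*", "dev/**/*",
    "**/__pycache__/**/*", "**/.eggs/**/*", "**/bower_components/**/*",
    "**/integration/**/*", "**/locales/**/*", "**/node_modules/**/*",
    "**/.xygeni.*.json",
]


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one include/exclude glob into an anchored regex.

    Semantics follow the config comments: '**' matches zero or more directories,
    '*' matches zero or more characters within one path segment, '?' matches one.
    """
    out: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):      # zero or more whole directory components
            out.append(r"(?:[^/]+/)*")
            i += 3
        elif pattern.startswith("**", i):     # trailing '**': the rest of the path
            out.append(r".*")
            i += 2
        elif pattern[i] == "*":               # any run of characters inside one segment
            out.append(r"[^/]*")
            i += 1
        elif pattern[i] == "?":               # exactly one character inside one segment
            out.append(r"[^/]")
            i += 1
        else:                                 # literal character
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def _normalize(path: str) -> str:
    """Use forward slashes and drop a leading './' so patterns anchor at the repo root."""
    path = path.replace("\\", "/")
    return path[2:] if path.startswith("./") else path


def is_analyzed(path: str, includes: Iterable[str] = DEFAULT_INCLUDES,
                excludes: Iterable[str] = DEFAULT_EXCLUDES) -> bool:
    """A file is analyzed when matched by 'includes' AND NOT matched by 'excludes'.

    An empty 'includes' list matches everything; an empty 'excludes' list excludes nothing.
    """
    path = _normalize(path)
    inc = [glob_to_regex(p) for p in includes]
    exc = [glob_to_regex(p) for p in excludes]
    included = not inc or any(r.match(path) for r in inc)
    excluded = any(r.match(path) for r in exc)
    return included and not excluded


def scan_scope(paths: Iterable[str], includes: Iterable[str] = DEFAULT_INCLUDES,
               excludes: Iterable[str] = DEFAULT_EXCLUDES) -> Tuple[List[str], List[str]]:
    """Split a file listing into (analyzed, skipped) so the scan's blind spots are visible."""
    analyzed: List[str] = []
    skipped: List[str] = []
    for p in paths:
        (analyzed if is_analyzed(p, includes, excludes) else skipped).append(p)
    return analyzed, skipped


if __name__ == "__main__":
    # Constructed sample repository listing, not taken from the page.
    sample = [
        "src/app.py", "src/views/login.py", "tests/unit/test_app.py",
        "tests/integration/test_login.py", "node_modules/lodash/index.js",
        "src/__pycache__/app.cpython-311.pyc", ".git/HEAD", ".xygeni.sast.json",
        "build/app.js",
    ]
    analyzed, skipped = scan_scope(sample)
    print("analyzed:", analyzed)
    print("skipped: ", skipped)
```

Note that `**/integration/**/*` in the default list silently drops integration tests from the scan; if those contain credentials or code worth checking, narrow that pattern or move it to a project-specific `excludes`.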
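The `parallelism` comments above define a small expression language ('auto', 'sequential', a number, `availableProcessors` with `+ - * /`, and `min(v1, v2)`). The added example below (not Xygeni's code) resolves such a setting to a thread count for a given core count, so you can size CI runners before the scanner starts; it assumes, as the page does not state, that `/` is integer division and that the result is clamped to at least one thread.

```python
import re

# 'availableProcessors <op> N' with a single arithmetic operator.
_BINOP = re.compile(r"^availableProcessors\s*([+\-*/])\s*(\d+)$")
# One level of 'min(v1, v2)', as in the page's own example (nested min is not handled).
_MIN = re.compile(r"^min\((.+?),(.+)\)$")


def resolve_parallelism(spec, available_processors: int) -> int:
    """Resolve a 'parallelism' setting to a thread count, following the config comments.

    'auto' is availableProcessors - 1, 'sequential' is 1, a bare number is used as-is,
    'availableProcessors <op> N' is arithmetic on the core count, and
    'min(v1, v2)' takes the smaller of two such values.
    Assumption (not on the page): results are clamped to >= 1 and '/' is integer division.
    """
    if available_processors < 1:
        raise ValueError("available_processors must be >= 1")
    spec = str(spec).strip()
    if spec == "auto":
        return max(1, available_processors - 1)
    if spec == "sequential":
        return 1
    if spec.isdigit():
        return max(1, int(spec))
    if spec == "availableProcessors":
        return available_processors
    m = _MIN.match(spec)
    if m:
        left = resolve_parallelism(m.group(1), available_processors)
        right = resolve_parallelism(m.group(2), available_processors)
        return min(left, right)
    m = _BINOP.match(spec)
    if m:
        op, n = m.group(1), int(m.group(2))
        if op == "+":
            value = available_processors + n
        elif op == "-":
            value = available_processors - n
        elif op == "*":
            value = available_processors * n
        else:
            if n == 0:
                raise ValueError("division by zero in parallelism spec")
            value = available_processors // n
        return max(1, value)
    raise ValueError(f"unrecognised parallelism spec: {spec!r}")


if __name__ == "__main__":
    # The commented-out value from the YAML above, evaluated for a few constructed core counts.
    spec = "min(availableProcessors - 1, 4)"
    for cores in (1, 2, 4, 8, 16):
        print(f"{spec!r} on {cores:2d} cores -> {resolve_parallelism(spec, cores)} threads")
```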

### SAST Detectors Configuration

Detectors are configured with different YAML files located under the `conf/sast` directory of the [Xygeni scanner](/xygeni-scanner-cli/xygeni-cli-overview.md).

There is a sample `_template.yml` file that can be used to create your own [custom detectors](/introduction-to-xygeni/customizations.md#custom_detectors).

{% hint style="info" %}
Specify a directory for custom detectors with the `--custom-detectors-dir` command-line option to prevent scanner updates from overwriting your configurations.
{% endhint %}

