SAST Scanner Configuration

The is configured in the YAML file conf/xygeni.sast.yml.

# Configuration for xygeni Sast scanner.
# Arguments from command line have priority over properties in this file.

# Includes: list of glob patterns to include in analysis.
#
# A pattern could use ** (to match zero or more directories), * (zero or more characters
# in a directory or file name), and ? (one character).
# Examples: **/*.txt matches all files with 'txt' extension. **/test/** matches all files under any test directory.
#
# If empty, ALL files will be matched.
# The command-line argument -i or --include will be used when specified.
#
# A file is analyzed when matched by 'includes' AND NOT matched by 'excludes'.
includes: []

# Excludes: list of glob patterns to exclude from analysis.
# If empty, NO file will be excluded.
# The command-line argument -e or --exclude will be used when specified.
excludes:
  - ".git/**/*"
  - ".vscode/**/*"
  - "build/**/*"
  - "dev/**/*"
  - "**/__pycache__/**/*"
  - "**/.eggs/**/*"
  - "**/bower_components/**/*"
  - "**/integration/**/*"
  - "**/locales/**/*"
  - "**/node_modules/**/*"
  - "**/.xygeni.*.json"

# mode=sequential runs analyzers sequentially;
# mode=parallel runs analyzers in multiple threads, when analyzer is capable of parallel runs.
mode: parallel

# Parallelism specification (when mode=parallel):
# 'auto', 'sequential', a number N, or one of 'availableProcessors + N',
# 'availableProcessors - N', 'availableProcessors * N', 'availableProcessors / N'
# 'auto' means 'availableProcessors - 1', 'sequential' means 1
# 'min(v1, v2)' means the minimum between the two values.
# For example, 'min(availableProcessors - 1, 4)' is 4 if the number of cores is greater than 4, or cores - 1 otherwise.
parallelism: auto
#parallelism: min(availableProcessors - 1, 4)

# Timeout, in seconds, for the analysis to complete. 0 or negative means no timeout.
timeout: 1200

# Timeout, in seconds, for parsing a file. 0 or negative means no timeout.
parsingTimeout: 20

# Maximum CCN allowed for units (functions, classes, modules) when performing path navigation
# Increasing this might potentially increase both the accuracy and the execution time, use wisely
# When CCN is higher that this threshold a direct navigation will be performed which take less time
maxAllowedComplexity: 19

# Commit resolution policy. One of: 'always', 'never', 'auto'.
# 'auto' means that commit info is disabled if too many findings are reported. For benchmarking projects, commit resolution can be disabled.
# 'never' means that commit resolution is disabled. No commit info (author, timestamp, commit ID and branch) will be reported.
# 'always' means that commit resolution is enabled unconditionally.
commitResolution: auto

# When set to 'true' the tainting analyzer will only report the first source for every sink.
# When false, all the paths will be analyzed and all the sources reaching a sink will be reported.
reportOnlyFirstPath: false

# Config for reporters
report:
  - format: json
    prettyPrint: true

  - format: sarif
    prettyPrint: true

  - format: csv

    # Allowed values: severity, kind, detector, file, beginLine, endLine, details, code, commit, user, exposure, tags
    columns: [ "severity", "kind", "cwe", "detector", "file", "beginLine", "endLine", "tags", "details", "code" ]

    # Order specification. 'default' lists highest severe first, then by language, cwe, file and line.
    # One of 'default', 'language_cwe', 'detector', 'exposure' or 'newest'. Blank for no sort
    sort: default

  - format: text

    # Allowed values: severity, kind, detector, file, beginLine, endLine, details, code, commit, user, exposure, tags
    columns: [ "severity", "details", "tags", "file", "beginLine" ]

    # Order specification. 'default' lists highest severe first, then by kind, file and line.
    # One of 'default', 'language_cwe', 'detector', 'exposure' or 'newest'. Blank for no sort
    sort: default

    # The style for table borders.
    # One of 'full', 'none', 'outside', 'inside', 'horizontal', 'vertical', 'topbottom'.
    # Use 'default' for border that works well for the underlying OS.
    borders: full

    # The block characters to use: 'ascii' (use '+', '|', '-' and '=')
    # or 'utf8' for UTF-8 block characters.
    # Use 'default' for the encoding that works best for the underlying OS.
    bordersEncoding: utf8

# The detectors to use for detecting code vulnerabilities
# are configured in resource files under sast/*.yml

# List of detectors to run: IDs or severity.
# runDetectors: ['high'] will run all detectors with severity 'high' or greater.
# runDetectors: ['hidden_file_extension'] will run these.
# Leave empty for no restriction (all detectors not disabled will be chosen).
# Command-line property --detectors overrides this.
runDetectors: []

# Same format as runDetectors, but for skipping the selected detectors.
# skipDetectors: ['high'] will skip all detectors with severity 'high' or lower.
# Leave empty for no restriction (all detectors not disabled will be chosen).
# Command-line property --skip-detectors overrides this.
skipDetectors: []

SAST Detectors Configuration

Specify a directory for custom detectors with the --custom-detectors-dir command-line option to prevent scanner updates from overwriting your configurations.

PreviousSAST Scanner NextOpen Source (SCA)

Last updated 1 month ago

# Configuration for xygeni Sast scanner. # Arguments from command line have priority over properties in this file. # Includes: list of glob patterns to include in analysis. # # A pattern could use ** (to match zero or more directories), * (zero or more characters # in a directory or file name), and ? (one character). # Examples: **/*.txt matches all files with 'txt' extension. **/test/** matches all files under any test directory. # # If empty, ALL files will be matched. # The command-line argument -i or --include will be used when specified. # # A file is analyzed when matched by 'includes' AND NOT matched by 'excludes'. includes: [] # Excludes: list of glob patterns to exclude from analysis. # If empty, NO file will be excluded. # The command-line argument -e or --exclude will be used when specified. excludes: - ".git/**/*" - ".vscode/**/*" - "build/**/*" - "dev/**/*" - "**/__pycache__/**/*" - "**/.eggs/**/*" - "**/bower_components/**/*" - "**/integration/**/*" - "**/locales/**/*" - "**/node_modules/**/*" - "**/.xygeni.*.json" # mode=sequential runs analyzers sequentially; # mode=parallel runs analyzers in multiple threads, when analyzer is capable of parallel runs. mode: parallel # Parallelism specification (when mode=parallel): # 'auto', 'sequential', a number N, or one of 'availableProcessors + N', # 'availableProcessors - N', 'availableProcessors * N', 'availableProcessors / N' # 'auto' means 'availableProcessors - 1', 'sequential' means 1 # 'min(v1, v2)' means the minimum between the two values. # For example, 'min(availableProcessors - 1, 4)' is 4 if the number of cores is greater than 4, or cores - 1 otherwise. parallelism: auto #parallelism: min(availableProcessors - 1, 4) # Timeout, in seconds, for the analysis to complete. 0 or negative means no timeout. timeout: 1200 # Timeout, in seconds, for parsing a file. 0 or negative means no timeout. parsingTimeout: 20 # Maximum CCN allowed for units (functions, classes, modules) when performing path navigation # Increasing this might potentially increase both the accuracy and the execution time, use wisely # When CCN is higher that this threshold a direct navigation will be performed which take less time maxAllowedComplexity: 19 # Commit resolution policy. One of: 'always', 'never', 'auto'. # 'auto' means that commit info is disabled if too many findings are reported. For benchmarking projects, commit resolution can be disabled. # 'never' means that commit resolution is disabled. No commit info (author, timestamp, commit ID and branch) will be reported. # 'always' means that commit resolution is enabled unconditionally. commitResolution: auto # When set to 'true' the tainting analyzer will only report the first source for every sink. # When false, all the paths will be analyzed and all the sources reaching a sink will be reported. reportOnlyFirstPath: false # Config for reporters report: - format: json prettyPrint: true - format: sarif prettyPrint: true - format: csv # Allowed values: severity, kind, detector, file, beginLine, endLine, details, code, commit, user, exposure, tags columns: [ "severity", "kind", "cwe", "detector", "file", "beginLine", "endLine", "tags", "details", "code" ] # Order specification. 'default' lists highest severe first, then by language, cwe, file and line. # One of 'default', 'language_cwe', 'detector', 'exposure' or 'newest'. Blank for no sort sort: default - format: text # Allowed values: severity, kind, detector, file, beginLine, endLine, details, code, commit, user, exposure, tags columns: [ "severity", "details", "tags", "file", "beginLine" ] # Order specification. 'default' lists highest severe first, then by kind, file and line. # One of 'default', 'language_cwe', 'detector', 'exposure' or 'newest'. Blank for no sort sort: default # The style for table borders. # One of 'full', 'none', 'outside', 'inside', 'horizontal', 'vertical', 'topbottom'. # Use 'default' for border that works well for the underlying OS. borders: full # The block characters to use: 'ascii' (use '+', '|', '-' and '=') # or 'utf8' for UTF-8 block characters. # Use 'default' for the encoding that works best for the underlying OS. bordersEncoding: utf8 # The detectors to use for detecting code vulnerabilities # are configured in resource files under sast/*.yml # List of detectors to run: IDs or severity. # runDetectors: ['high'] will run all detectors with severity 'high' or greater. # runDetectors: ['hidden_file_extension'] will run these. # Leave empty for no restriction (all detectors not disabled will be chosen). # Command-line property --detectors overrides this. runDetectors: [] # Same format as runDetectors, but for skipping the selected detectors. # skipDetectors: ['high'] will skip all detectors with severity 'high' or lower. # Leave empty for no restriction (all detectors not disabled will be chosen). # Command-line property --skip-detectors overrides this. skipDetectors: []