SAST Scanner Configuration

The SAST Scanner is configured in the YAML file conf/xygeni.sast.yml.

```yaml
# Configuration for xygeni Sast scanner.
# Arguments from command line have priority over properties in this file.

# Includes: list of glob patterns to include in analysis.
#
# A pattern may use ** (to match zero or more directories), * (zero or more characters
# in a directory or file name), and ? (exactly one character).
# Examples: **/*.txt matches all files with 'txt' extension. **/test/** matches all files under any test directory.
#
# If empty, ALL files will be matched.
# The command-line argument -i or --include will be used when specified.
#
# A file is analyzed when matched by 'includes' AND NOT matched by 'excludes'.
includes: []

# Excludes: list of glob patterns to exclude from analysis.
# If empty, NO file will be excluded.
# The command-line argument -e or --exclude will be used when specified.
excludes:
  - ".git/**/*"
  - ".vscode/**/*"
  - "build/**/*"
  - "dev/**/*"
  - "**/__pycache__/**/*"
  - "**/.eggs/**/*"
  - "**/bower_components/**/*"
  - "**/integration/**/*"
  - "**/locales/**/*"
  - "**/node_modules/**/*"
  - "**/.xygeni.*.json"

# mode=sequential runs analyzers sequentially;
# mode=parallel runs analyzers in multiple threads, when the analyzer is capable of parallel runs.
mode: parallel

# Parallelism specification (when mode=parallel):
# 'auto', 'sequential', a number N, or one of 'availableProcessors + N',
# 'availableProcessors - N', 'availableProcessors * N', 'availableProcessors / N'.
# 'auto' means 'availableProcessors - 1', 'sequential' means 1.
# 'min(v1, v2)' means the minimum of the two values.
# For example, 'min(availableProcessors - 1, 4)' is 4 if the number of cores is greater than 4, or cores - 1 otherwise.
parallelism: auto
#parallelism: min(availableProcessors - 1, 4)

# Timeout, in seconds, for the analysis to complete. 0 or negative means no timeout.
timeout: 1200

# Timeout, in seconds, for parsing a file. 0 or negative means no timeout.
parsingTimeout: 20

# Maximum CCN (cyclomatic complexity) allowed for units (functions, classes, modules) when performing path navigation.
# Increasing this may increase both the accuracy and the execution time; use with care.
# When the CCN is higher than this threshold, a direct navigation is performed instead, which takes less time.
maxAllowedComplexity: 19

# Commit resolution policy. One of: 'always', 'never', 'auto'.
# 'auto' means that commit info is disabled if too many findings are reported. For benchmarking projects, commit resolution can be disabled.
# 'never' means that commit resolution is disabled. No commit info (author, timestamp, commit ID and branch) will be reported.
# 'always' means that commit resolution is enabled unconditionally.
commitResolution: auto

# When set to 'true', the taint analyzer reports only the first source for every sink.
# When 'false', all paths are analyzed and every source reaching a sink is reported.
reportOnlyFirstPath: false

# Config for reporters
report:
  - format: json
    prettyPrint: true

  - format: sarif
    prettyPrint: true

  - format: csv

    # Allowed values: severity, kind, detector, file, beginLine, endLine, details, code, commit, user, exposure, tags
    columns: [ "severity", "kind", "cwe", "detector", "file", "beginLine", "endLine", "tags", "details", "code" ]

    # Order specification. 'default' lists the highest severity first, then sorts by language, cwe, file and line.
    # One of 'default', 'language_cwe', 'detector', 'exposure' or 'newest'. Blank for no sorting.
    sort: default

  - format: text

    # Allowed values: severity, kind, detector, file, beginLine, endLine, details, code, commit, user, exposure, tags
    columns: [ "severity", "details", "tags", "file", "beginLine" ]

    # Order specification. 'default' lists the highest severity first, then sorts by kind, file and line.
    # One of 'default', 'language_cwe', 'detector', 'exposure' or 'newest'. Blank for no sorting.
    sort: default

    # The style for table borders.
    # One of 'full', 'none', 'outside', 'inside', 'horizontal', 'vertical', 'topbottom'.
    # Use 'default' for a border style that works well on the underlying OS.
    borders: full

    # The block characters to use: 'ascii' (use '+', '|', '-' and '=')
    # or 'utf8' for UTF-8 block characters.
    # Use 'default' for the encoding that works best on the underlying OS.
    bordersEncoding: utf8

# The detectors to use for detecting code vulnerabilities
# are configured in resource files under sast/*.yml

# List of detectors to run: IDs or severity.
# runDetectors: ['high'] will run all detectors with severity 'high' or greater.
# runDetectors: ['hidden_file_extension'] will run only the listed detectors.
# Leave empty for no restriction (all detectors not disabled will be chosen).
# Command-line property --detectors overrides this.
runDetectors: []

# Same format as runDetectors, but for skipping the selected detectors.
# skipDetectors: ['high'] will skip all detectors with severity 'high' or lower.
# Leave empty for no restriction (all detectors not disabled will be chosen).
# Command-line property --skip-detectors overrides this.
skipDetectors: []
```
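As an added illustration (not Xygeni's own code and not part of the original page), the following Python reproduces the include/exclude matching rule and the parallelism expression described in the comments above, so you can check which paths a given configuration would scan and how many threads a parallelism value resolves to. The processor count is passed in rather than read from the machine, and clamping the result to at least one thread is an assumption.

```python
import re

# Translate a pattern with the semantics documented above: '**' matches zero or
# more directories, '*' zero or more characters within one path segment, '?' one.
def glob_to_regex(pattern: str) -> re.Pattern:
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:[^/]+/)*")      # zero or more whole directories
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")               # trailing '**': anything below
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

# A file is analyzed when matched by 'includes' (empty list = every file)
# AND NOT matched by 'excludes' (empty list = nothing excluded).
def is_analyzed(path: str, includes: list, excludes: list) -> bool:
    included = not includes or any(glob_to_regex(p).match(path) for p in includes)
    excluded = any(glob_to_regex(p).match(path) for p in excludes)
    return included and not excluded

# Evaluate a 'parallelism' value against a given processor count.
# Clamping the result to at least one thread is an assumption, not documented.
def resolve_parallelism(spec: str, cores: int) -> int:
    spec = spec.strip()
    if spec == "auto":
        return max(1, cores - 1)
    if spec == "sequential":
        return 1
    m = re.fullmatch(r"min\((.+),(.+)\)", spec)
    if m:
        return min(resolve_parallelism(m.group(1), cores), resolve_parallelism(m.group(2), cores))
    m = re.fullmatch(r"availableProcessors\s*([-+*/])\s*(\d+)", spec)
    if m:
        n = int(m.group(2))
        value = {"+": cores + n, "-": cores - n, "*": cores * n,
                 "/": cores // max(n, 1)}[m.group(1)]
        return max(1, value)
    return max(1, int(spec))             # a plain number N
```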

SAST Detectors Configuration

Detectors are configured with different YAML files located under the conf/sast directory of the Xygeni scanner.

There is a sample _template.yml_ file that can be used to create your own custom detectors.

Specify a directory for custom detectors with the --custom-detectors-dir command-line option to prevent scanner updates from overwriting your configurations.
