SAST Scanner

Purpose

TBD

Quick Start

To detect code security vulnerabilities in the sources of the current directory and upload the result to the Xygeni platform, run:

xygeni sast -n MyProject --upload

Without --upload the results stay local (see the output options below).

The SAST scanner can be launched in two different ways:

1.- By its own specific command (xygeni sast [options])

2.- By the general scan command (xygeni scan --run="sast" [options])

To export the most important misconfigurations to CSV, for review or for importing the findings into another tool:

xygeni sast -n MyProject --detectors critical \
            --format csv --output MyProject.misconfs.csv

Usage

The SAST Scanner is launched using the xygeni sast [options] command.

For a full reference of all available options, run:

xygeni sast --help

The most important properties are:

  • Name of the project, -n or --name.

  • Input, either a directory (-d|--dir) or a repository (-repo|--repository). If none is given, the current directory is assumed.

  • Upload results to the service, --upload. By default, results are not uploaded.

  • Output file (-o or --output) and format (-f or --format). If no output file is given (or stdout / - is used), results are written to standard output. Use --format=none to produce no output.

  • The detectors to run can be tailored with the --detectors / --skip-detectors options. A common use case is to consider only issues with high or critical severity, with --detectors=high.

Configuration options:
  -c, --conf=<config>        Configuration filepath template (filename will be prefixed by 'SCAN.')
      --[no-]conf-download   Download scanner config? (default: true)
      --detectors=SCAN=list[|SCAN=list...]
                             Detectors to include per stage. <list> is comma-separated of detector IDs, a severity or 'all'.
                             Example: --detectors secrets=high|iac=critical|misconf=all
      --skip-detectors=SCAN=list[|SCAN=list...]
                             Detectors to exclude per stage. <list> is comma-separated list of detector IDs, or a severity.
      --custom-detectors-dir=<customDetectorsDir>
                             Directory with custom detectors.
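The CSV export and the --detectors severity filter described above are what a CI job typically builds on. The following script is an added example, not part of the Xygeni documentation: it runs the scan with the options from this page, writes the report to CSV and fails the pipeline when the number of findings exceeds a threshold. It assumes the CSV has one header line followed by one finding per row (the column layout is not needed).

```shell
#!/bin/sh
# Added example: a CI gate around `xygeni sast` (not Xygeni's own code).
# Assumption: the CSV report has a header line, then one finding per row.

# count_findings CSV_FILE -> prints the number of data rows (header excluded)
count_findings() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }' "$1"
}

# sast_gate PROJECT_NAME MAX_FINDINGS [DETECTORS]
# Scans the current directory, keeping only detectors of the given
# severity (default: high), writes PROJECT.sast.csv and returns
# non-zero when the findings exceed MAX_FINDINGS.
sast_gate() {
    project="$1"; max="$2"; detectors="${3:-high}"
    report="${project}.sast.csv"
    xygeni sast -n "$project" --detectors "$detectors" \
        --format csv --output "$report" || return 2
    found=$(count_findings "$report")
    echo "SAST findings (severity >= $detectors): $found (threshold: $max)"
    [ "$found" -le "$max" ]
}

# Invoked from a pipeline as: ./sast_gate.sh MyProject 0 critical
if [ "$#" -ge 2 ]; then
    sast_gate "$@"
fi
```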