
Configure Mend Developer Platform for SAST

Overview

Mend Developer Platform provides various parameters to customize Code Security (SAST) scans, checks, and issue configurations. In this guide, we'll walk you through the process of configuring the developer platform settings, highlighting key differences between workspace and repository configurations along the way.

Getting it done

Setting up the Mend Developer Platform is effortless with our user-friendly interface. Whether configuring settings for your entire workspace or specific repositories, our platform ensures you're always in command.

Configure your workspace or repository settings

  1. Open the workspace you want to configure on the Mend Developer Platform homepage.

  2. Click SETTINGS.


The Mend Developer Platform configuration can be done via the following screens:

The configuration screens in the Mend Developer Platform are the same for both workspace and repository levels. This documentation provides instructions for configuring general settings.

General

The General screen provides a high-level perspective, and you can track and configure the following options:

  • View the Mend Organization that your Bitbucket Cloud workspace/Azure DevOps project is linked to

  • Disable repo-level override, which toggles whether users with admin access to a repository can override the configuration set at the workspace level. Workspace admins will still be able to override on the repository level.

  • Base branches - Mend will consider the values set here as the base branches for the repo when scanning. Spaces and duplicates are not allowed.
    For each specified branch, a Mend project is created in the Mend Platform application. The project name carries the suffix "_branchName", for example MyApp_dev.

Currently, only one branch can be listed in the baseBranches parameter. Support for more than one branch name, for example ["master", "integration"], is planned for a future release.

  • Custom work item type (AZDO only) - This parameter specifies the type of work item to be created for all Mend work items. Set this parameter to a string equal to the name of a work item type in your project.

  • Custom work item fields (AZDO only) - This parameter specifies custom fields to be added to all Mend work items. If a field with a matching name exists in the work item template and the value is a compatible data type, it will be added to the work item. To override a value at the repo level, create a custom field with the same name.


Notes:

  • Release Branches do not support SAST scans.

  • Custom work item types and Custom work item fields are applicable for Azure DevOps only.

  • If you run SAST scans on a feature branch, the scans are not visible in the scans table of the Mend SAST web application. The results are also not added to trend information or any dashboards within the Mend SAST web application.

    The results of a feature branch scan are only for you as a developer, to help you gain confidence in your code before you merge it.

Credentials

Credentials are not relevant for SAST scans.

Code Security (SAST)

On this screen, you can control whether the Mend Code Security (SAST) engine is enabled and whether repositories are going to be scanned for Code Security (SAST).

  • Checks - If enabled, Mend will create a build status for code security scans and provide results in commit comments.

    • Conclusion status - Determine when the Code Security Check should report a failure or success status on “New findings” introduced in the commit. The available parameter values are:

      • failure - Code Security Check will fail when the Code Security scan detects “New findings” which are more severe than the severityThreshold.

      • success - Code Security Check will succeed despite any “New findings” returned by the SAST scan.

    • Severity threshold - Set the threshold of “New findings” introduced in the commit which would trigger the Conclusion status to return a failed build. The available parameter values are:

      • high - Trigger the threshold when the scan outputs a new finding of severity high or above.

      • medium - Trigger the threshold when the scan outputs a new finding of severity medium or above.

      • low - Trigger the threshold when the scan outputs a new finding of severity low or above.

    • Scan pull requests - If enabled, Mend will scan pull requests to base branches in this repository.

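The following is an added example, not Mend's own code, of how the Conclusion status and Severity threshold settings described above combine into a check result. It assumes a finding is identified by rule, file and line (Mend's real matching logic is not described here) and that a threshold means "this severity or above", as in the Severity threshold list.

```python
"""Added example, not Mend's own code: derive the Code Security check result
from the Conclusion status and Severity threshold settings above, counting only
findings that are new in the commit (in the commit scan, not in the base scan)."""
from dataclasses import dataclass

# A threshold means "this severity or above", as in the Severity threshold list.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int
    severity: str  # "low", "medium" or "high"

    def fingerprint(self):
        # Assumption: same rule, file and line means the same finding;
        # Mend's real matching logic is not described on this page.
        return (self.rule, self.path, self.line)

def new_findings(base_scan, commit_scan):
    """Findings in the commit scan that the base-branch scan did not report."""
    known = {f.fingerprint() for f in base_scan}
    return [f for f in commit_scan if f.fingerprint() not in known]

def check_conclusion(base_scan, commit_scan, conclusion_status="failure",
                     severity_threshold="high"):
    """Return ("failure" | "success", list of new findings) for the commit."""
    if conclusion_status not in ("failure", "success"):
        raise ValueError(f"unknown conclusion status {conclusion_status!r}")
    if severity_threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold {severity_threshold!r}")
    fresh = new_findings(base_scan, commit_scan)
    if conclusion_status == "success":
        return "success", fresh  # "success" never fails the build
    bar = SEVERITY_RANK[severity_threshold]
    breaching = [f for f in fresh if SEVERITY_RANK[f.severity] >= bar]
    return ("failure" if breaching else "success"), fresh

# Constructed sample scans (not real Mend output). The pre-existing "high"
# finding in the base scan must not fail the check: it is not new.
BASE_SCAN = [Finding("sql-injection", "src/db.py", 42, "high"),
             Finding("weak-hash", "src/auth.py", 10, "medium")]
COMMIT_SCAN = BASE_SCAN + [Finding("path-traversal", "src/files.py", 7, "medium"),
                           Finding("debug-enabled", "src/app.py", 3, "low")]

if __name__ == "__main__":
    for threshold in ("high", "medium", "low"):
        status, fresh = check_conclusion(BASE_SCAN, COMMIT_SCAN, "failure", threshold)
        print(f"threshold={threshold}: {status}, {len(fresh)} new finding(s)")
```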

  • Issues - Defines whether Mend will create issues for the code findings.

Bitbucket Cloud: For the Issues to be created, the repository should have an Issue Tracker enabled. This is done in the repository settings in Bitbucket Cloud.

Azure DevOps: For the Issues to be created, the repository should have Boards enabled. This is done in the project settings in Azure DevOps Repos.

  • Scanner

    • Incremental scans - Mend will perform a faster scan that only checks files that are affected by the latest code change.

    • Snippet size - Size of the source code snippet presented for a finding.

Notes:

  • The snippet size value also controls the size of the snippets that are stored by Mend for each step of a code security finding. This helps you to review the results outside of the repository, e.g. in the web UI of the Mend App.

  • To perform incremental scans on feature branches, it is required to enable “Scan pull requests”.

  • When “incrementalScan” is enabled, feature branch scans will always be incremental.

  • Base branch scans will be incremental as long as there are no changes in the scan engine that are relevant to the scanned project (e.g., Java for Java projects).

  • Custom configuration - You can manage the custom configuration parameters when running a code scan:

    • engines - Optional. Default Value: auto-detects language. A comma-separated list of SAST engine/language IDs to be used in the analysis (e.g. 1,2). The available engine IDs can be found in our CLI Parameters documentation.

    • javaEngineGeneration - Optional. Default Value: 1. Specifies which generation of the Java detection engine is used to perform the scan. The available values are:

      • 1 - Use Java engine generation 1

      • 2 - Use Java engine generation 2

    • jsEngineGeneration - Optional. Default Value: 1. Specifies which generation of the JavaScript detection engine is used to perform the scan. The available values are:

      • 1 - Use JavaScript engine generation 1

      • 2 - Use JavaScript engine generation 2

    • csharpEngineGeneration - Optional. Default Value: 1. Specifies which generation of the C# detection engine is used to perform the scan. The available values are:

      • 1 - Use C# engine generation 1

      • 2 - Use C# engine generation 2

    • pathExclusions - Optional. Default Value: empty list. Specifies a comma-separated list of paths that are excluded from the analysis, typically test code or library paths. These paths are added to the list of default exclusions configured for this project.

    • maxFileSize - Optional. Default Value: 1024 KB. Sets the maximum file size; files larger than this are ignored during the scan.

    • timeout: perScan - Optional. Default Value: 480 minutes per scan. Scan time in minutes for the whole scan, after which the analysis stops and the scan is marked as partially successful.

    • timeout: perLanguage - Optional. Default Value: 480 minutes per language. Scan time in minutes per language, after which the analysis stops for that language and continues with the next one, if applicable.

    • timeout: perFile - Optional. Default Value: 60 seconds per file. Scan time in seconds per individual file, after which the analysis stops for that file and continues with the next one, if applicable.

Example Custom Configuration File

{
    "engines": [1, 2, 3],
    "pathExclusions": ["abc", "def"],
    "maxFileSize": 1024,
    "javaEngineGeneration": 2,
    "jsEngineGeneration": 2,
    "csEngineGeneration": 2,
    "timeout": {
        "perScan": 480,
        "perLanguage": 480,
        "perFile": 600
    }
}
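As an added example (not Mend's own code), a loader that validates a custom configuration file like the one above against the parameter table and fills in the documented defaults. It assumes the C# generation key is accepted under both the table's spelling (csharpEngineGeneration) and the example file's (csEngineGeneration), and that engines may be given either as the JSON list shown above or as the comma-separated string the table describes.

```python
"""Added example, not Mend's own code: load a custom configuration file like the
one above, reject unknown keys or out-of-range values, and fill in the defaults
from the parameter table. Assumptions: the C# key is accepted under both the
table's 'csharpEngineGeneration' and the example's 'csEngineGeneration' spelling,
and 'engines' may be a JSON list or the comma-separated string the table shows."""
import json

DEFAULTS = {
    "engines": None,  # None = auto-detect language
    "javaEngineGeneration": 1,
    "jsEngineGeneration": 1,
    "csharpEngineGeneration": 1,
    "pathExclusions": [],
    "maxFileSize": 1024,  # KB
    # perScan and perLanguage are minutes, perFile is seconds (see the table)
    "timeout": {"perScan": 480, "perLanguage": 480, "perFile": 60},
}
GENERATION_KEYS = ("javaEngineGeneration", "jsEngineGeneration", "csharpEngineGeneration")

def _positive_int(value):
    return isinstance(value, int) and not isinstance(value, bool) and value > 0

def load_custom_config(text):
    """Parse, validate and default-fill a custom configuration JSON document."""
    raw = json.loads(text)
    if "csEngineGeneration" in raw:  # alias used in the page's example file
        raw["csharpEngineGeneration"] = raw.pop("csEngineGeneration")
    unknown = set(raw) - set(DEFAULTS)
    if unknown:
        raise ValueError(f"unknown parameter(s): {sorted(unknown)}")
    cfg = {**DEFAULTS, **raw, "timeout": {**DEFAULTS["timeout"], **raw.get("timeout", {})}}
    if isinstance(cfg["engines"], str):  # "1,2" -> [1, 2]
        cfg["engines"] = [int(e) for e in cfg["engines"].split(",") if e.strip()]
    if cfg["engines"] is not None and not all(_positive_int(e) for e in cfg["engines"]):
        raise ValueError("engines must be a list of engine IDs")
    for key in GENERATION_KEYS:
        if cfg[key] not in (1, 2):
            raise ValueError(f"{key} must be 1 or 2, got {cfg[key]!r}")
    if not isinstance(cfg["pathExclusions"], list) or not all(isinstance(p, str) and p for p in cfg["pathExclusions"]):
        raise ValueError("pathExclusions must be a list of non-empty paths")
    if not _positive_int(cfg["maxFileSize"]):
        raise ValueError("maxFileSize must be a positive number of KB")
    if set(cfg["timeout"]) != set(DEFAULTS["timeout"]):
        raise ValueError(f"timeout keys must be {sorted(DEFAULTS['timeout'])}")
    if not all(_positive_int(v) for v in cfg["timeout"].values()):
        raise ValueError("timeout values must be positive")
    return cfg

# Constructed sample: a repo that only overrides a few values.
SAMPLE_CONFIG = '{"engines": "1,2", "csEngineGeneration": 2, "timeout": {"perFile": 600}}'
```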