Configure Mend for GitHub.com for SAST
Overview
Mend for GitHub.com offers several parameters to configure your SAST scans and GitHub checks.
Getting It Done
Repository Configuration
Configuration at the local repository level is done via the .whitesource file. To configure your repository settings (i.e. branches, check runs, etc) for SAST scans, see the Repository Parameters section provided in this documentation. Below is an example of fine-tuning a repository’s .whitesource file:
{
"scanSettingsSAST": {
"enableScan": true,
"scanPullRequests": true,
"incrementalScan": false,
"baseBranches": ["integration"]
},
"checkRunSettingsSAST": {
"checkRunConclusionLevel": "failure",
"severityThreshold": "high"
},
"issueSettingsSAST": {
"issueType": "repo",
"minSeverityLevel": "high"
}
}
Note: For global configuration, parameters are set via the repo-config.json file. See our Set up global configuration for Mend for GitHub.com documentation for more information.
Scan Configuration
Configuring the behavior of your SAST scan (i.e. timeout durations, engines used, etc.) is possible via the .mendsastcli-config.json file. The available implementation options for this file are:
Include the .mendsastcli-config.json file in the root of your integrated repository.
If the .mendsastcli-config.json file exists and is changed on a valid feature branch (i.e. with a PR to the base branch), the configuration will still come from the base branch.
Include the .mendsastcli-config.json file at the location declared in the scanSettingsSAST.configExternalURL parameter in your .whitesource file.
If the .mendsastcli-config.json does not exist, the Mend SAST scan will run with our default configuration on your integrated repository.
The .mendsastcli-config.json file content needs to be in the same format as the SAST CLI configuration file. For more information on the supported scan parameters for the .mendsastcli-config.json file, see the Scan Parameters section provided in this documentation.
Reference
Repository Parameters
Scan Settings (scanSettingsSAST
)
Parameter | Type | Description |
---|---|---|
enableScan | Boolean | Optional. Default Value:
|
baseBranches | Array | Optional. Default Value: Example usage:
CODE
This will set the Note: Currently, only one branch is allowed to be listed in the baseBranches parameter. Allowing more than one branch name, for example |
scanPullRequests | Boolean | Optional. Default Value:
Note: If you run SAST scans on a feature branch, the scans are not visible in the scans table of the Mend SAST web application. The results are also not added to trend information or any dashboards with the Mend SAST web application. The results of the feature branch scan are only for you as a developer to help you to get confidence in your code before you merge it. |
incrementalScan | Boolean | Optional. Default Value: Note: To perform incremental scans on feature branches, it’s required to set scanPullRequests to |
snippetSize | Integer | Optional. Default Value: |
configExternalURL | String | Optional. Default Value: N/A. The URL where the external .mendsastcli-config.json file is hosted. The .mendsastcli-config.json file content needs to be in the same format as the SAST CLI configuration file. The following protocols are supported: ' For example: ' Note:
|
Check Run Settings for SAST (checkRunSettingsSAST
)
Parameter | Type | Description |
---|---|---|
checkRunConclusionLevel | String | Optional. Default Value:
|
severityThreshold | String | Optional. Default Value:
|
Issue Settings for SAST (issueSettingsSAST
)
Parameter | Type | Description |
---|---|---|
issueType | String | Optional. Default Value:
|
minSeverityLevel | String | Optional. Default Value:
|
Check Run Settings (checkRunSettings
)
Parameter | Type | Description |
---|---|---|
useMendCheckNames | Boolean | Optional. Default Value:
Note: When a .whitesource file is created, the value of useMendCheckNames is |
Scan Parameters
The following SAST CLI parameters are supported in the .mendsastcli-config.json file:
Parameter | Description |
---|---|
engines | Optional. Default Value: Auto-detects language. A comma-separated list of SAST engine/language IDs to be used in the analysis (e.g. 1,2). The available Engine IDs can be found in our CLI Parameters documentation. |
javaEngineGeneration | Optional. Default Value:
|
jsEngineGeneration | Optional. Default Value:
|
csharpEngineGeneration | Optional. Default Value:
|
pythonEngineGeneration | Optional. Default Value:
|
template | Optional. Default Value: Engine default configuration. Specifies the scan configuration template created in the web UI |
pathExclusions | Optional. Default Value: |
noDefaultExclusions | Optional. Default Value:
|
maxFileSize | Optional. Default Value: |
timeouts: perScan | Optional. Default Value: |
timeout: perLanguage | Optional. Default Value: |
timeout: perFile | Optional. Default Value: |
Example Custom Configuration File
{
"scans": {
"engines": [],
"pathExclusions": [],
"javaEngineGeneration": 2,
"csharpEngineGeneration": 2,
"jsEngineGeneration": 2,
"maxFileSize": 1024,
"timeouts": {
"perFile": 600,
"perLanguage": 480,
"perScan": 480
}
}
}
Languages
For more information on the languages and frameworks supported by Mend SAST, visit our Supported Languages and Frameworks documentation.
Supported Dependency Files