Configure Mend for GitHub Enterprise for SAST
Overview
Mend for GitHub Enterprise offers several parameters to configure your SAST scans and GitHub checks.
Getting It Done
Mend for GitHub Enterprise SAST repository configuration
Configuration at the local repository level is done via the .whitesource file. To configure your repository settings (i.e. branches, check runs, etc) for SAST scans, see the Repository Parameters section provided in this documentation. Below is an example of fine-tuning a repository’s .whitesource file:
{
"scanSettingsSAST": {
"enableScan": true,
"scanPullRequests": true,
"incrementalScan": false,
"baseBranches": ["integration"]
},
"checkRunSettingsSAST": {
"checkRunConclusionLevel": "failure",
"severityThreshold": "high"
},
"issueSettingsSAST": {
"issueType": "repo",
"minSeverityLevel": "high"
}
}
Note: For global configuration, parameters are set via the repo-config.json file. See our Set up global configuration for Mend for GitHub Enterprise documentation for more information.
Mend for GitHub Enterprise SAST scan configuration
Configuring the behavior of your SAST scan (i.e. timeout durations, engines used, etc.) is possible via the .mendsastcli-config.json file. The available implementation options for this file are:
Include the .mendsastcli-config.json file in the root of your integrated repository.
If the .mendsastcli-config.json file exists and is changed on a valid feature branch (i.e. with a PR to the base branch), the configuration will still come from the base branch.
Include the .mendsastcli-config.json file at the location declared in the scanSettingsSAST.configExternalURL parameter in your .whitesource file.
If the .mendsastcli-config.json does not exist, the Mend SAST scan will run with our default configuration on your integrated repository.
The .mendsastcli-config.json file content needs to be in the same format as the SAST CLI configuration file. For more information on the supported scan parameters for the .mendsastcli-config.json file, see the Scan Parameters section provided in this documentation.
Reference
Mend for GitHub Enterprise SAST repository parameters
Scan Settings (scanSettingsSAST
)
Parameter | Type | Description |
---|---|---|
enableScan | Boolean | Optional. Default Value:
|
baseBranches | Array | Optional. Default Value: Example usage:
CODE
This will set the Note: Currently, only one branch is allowed to be listed in the baseBranches parameter. Allowing more than one branch name, for example |
scanPullRequests | Boolean | Optional. Default Value:
Note: If you run SAST scans on a feature branch, the scans are not visible in the scans table of the Mend SAST web application. The results are also not added to trend information or any dashboards with the Mend SAST web application. The results of the feature branch scan are only for you as a developer to help you to get confidence in your code before you merge it. |
incrementalScan | Boolean | Optional. Default Value: Note: Incremental scans are only performed on feature branches, requiring scanPullRequests be set to |
snippetSize | Integer | Optional. Default Value: |
configExternalURL | String | Optional. Default Value: N/A. The URL where the external .mendsastcli-config.json file is hosted. The .mendsastcli-config.json file content needs to be in the same format as the SAST CLI configuration file. The following protocols are supported: ' For example: ' Note:
|
Check Run Settings for SAST (checkRunSettingsSAST
)
Parameter | Type | Description |
---|---|---|
checkRunConclusionLevel | String | Optional. Default Value:
|
severityThreshold | String | Optional. Default Value:
|
Issue Settings for SAST (issueSettingsSAST
)
Parameter | Type | Description |
---|---|---|
issueType | String | Optional. Default Value:
|
minSeverityLevel | String | Optional. Default Value:
|
Check Run Settings (checkRunSettings
)
Parameter | Type | Description |
---|---|---|
useMendCheckNames | Boolean | Optional. Default Value:
Note: When a .whitesource file is created, the value of useMendCheckNames is |
Mend for GitHub Enterprise SAST scan parameters
The following SAST CLI parameters are supported in the .mendsastcli-config.json file:
Parameter | Description |
---|---|
engines | Optional. Default Value: Auto-detects language. A comma-separated list of SAST engine/language IDs to be used in the analysis (e.g. 1,2). The available Engine IDs can be found in our CLI Parameters documentation. |
javaEngineGeneration | Optional. Default Value:
|
jsEngineGeneration | Optional. Default Value:
|
csharpEngineGeneration | Optional. Default Value:
|
pythonEngineGeneration | Optional. Default Value:
|
template | Optional. Default Value: Engine default configuration. Specifies the scan configuration template created in the web UI |
exclusions | Optional. Default Value: Mend's predefined exclusions. Specifies a comma separated list of paths that are excluded from the analysis, typically test code or library paths. |
noDefaultExclusions | Optional. Default Value:
|
maxFileSize | Optional. Default Value: |
timeout: perLanguage | Optional. Default Value: |
timeout: perFile | Optional. Default Value: |
timeout: perScan | Optional. Default Value: |
Example Custom Configuration File
{
"scans": {
"engines": [],
"exclusions": [],
"javaEngineGeneration": 2,
"csharpEngineGeneration": 2,
"jsEngineGeneration": 2,
"maxFileSize": 1024,
"timeouts": {
"perFile": 600
"perLanguage": 480
"perScan": 480
}
}
}
Mend for GitHub Enterprise SAST-supported languages
For more information on the languages and frameworks supported by Mend SAST, visit our Mend CLI SAST-supported languages and engine IDs documentation.