
Configure Mend for GitHub Enterprise for SAST

Overview

Mend for GitHub Enterprise offers several parameters to configure your SAST scans and GitHub checks.

Getting It Done

Mend for GitHub Enterprise SAST repository configuration

Configuration at the local repository level is done via the .whitesource file. To configure your repository settings for SAST scans (e.g., branches, check runs), see the Repository Parameters section provided in this documentation. Below is an example of fine-tuning a repository’s .whitesource file:

CODE
{
  "scanSettingsSAST": {
    "enableScan": true,
    "scanPullRequests": true,
    "incrementalScan": false,
    "baseBranches": ["integration"]
  },
  "checkRunSettingsSAST": {
    "checkRunConclusionLevel": "failure",
    "severityThreshold": "high"
  },
  "issueSettingsSAST": {
    "issueType": "repo",
    "minSeverityLevel": "high"
  }
}

Note: For global configuration, parameters are set via the repo-config.json file. See our Set up global configuration for Mend for GitHub Enterprise documentation for more information.

Mend for GitHub Enterprise SAST scan configuration

Configuring the behavior of your SAST scan (e.g., timeout durations, engines used) is possible via the .mendsastcli-config.json file. The available implementation options for this file are:

  • Include the .mendsastcli-config.json file in the root of your integrated repository.

    • If the .mendsastcli-config.json file exists and is changed on a valid feature branch (i.e. with a PR to the base branch), the configuration will still come from the base branch.

  • Include the .mendsastcli-config.json file at the location declared in the scanSettingsSAST.configExternalURL parameter in your .whitesource file.

  • If the .mendsastcli-config.json does not exist, the Mend SAST scan will run with our default configuration on your integrated repository.

The .mendsastcli-config.json file content needs to be in the same format as the SAST CLI configuration file. For more information on the supported scan parameters for the .mendsastcli-config.json file, see the Scan Parameters section provided in this documentation.
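The following added example (not part of the Mend documentation or product) merges a repository's .whitesource file with the defaults documented below, validates the SAST values, and applies the config-source order from the list above (configExternalURL, then the base branch's root file, then the Mend default). The sample file is constructed from the example at the top of this page; `load_sast_settings` and `resolve_sast_config_source` are hypothetical helpers, not an integration API.

```python
import json
# Documented defaults for the .whitesource SAST sections (taken from this page).
SCAN_DEFAULTS = {"enableScan": False, "scanPullRequests": False,
                 "incrementalScan": True, "snippetSize": 10, "configExternalURL": ""}
CHECK_DEFAULTS = {"checkRunConclusionLevel": "failure", "severityThreshold": "high"}
ISSUE_DEFAULTS = {"issueType": "repo", "minSeverityLevel": "high"}
SEVERITIES = ("low", "medium", "high")

def load_sast_settings(whitesource_text):
    """Merge a .whitesource JSON document with the defaults and validate its SAST values."""
    cfg = json.loads(whitesource_text)
    scan = {**SCAN_DEFAULTS, **cfg.get("scanSettingsSAST", {})}
    check = {**CHECK_DEFAULTS, **cfg.get("checkRunSettingsSAST", {})}
    issue = {**ISSUE_DEFAULTS, **cfg.get("issueSettingsSAST", {})}
    errors = []
    for key in ("enableScan", "scanPullRequests", "incrementalScan"):
        if not isinstance(scan[key], bool):
            errors.append(f"scanSettingsSAST.{key} must be true or false")
    branches = scan.get("baseBranches")
    if branches is not None and (not isinstance(branches, list) or len(branches) != 1):
        errors.append("baseBranches currently accepts exactly one branch name")
    if not isinstance(scan["snippetSize"], int) or scan["snippetSize"] < 0:
        errors.append("snippetSize must be a non-negative integer")
    url = scan["configExternalURL"]
    if url and not url.startswith(("ftp://", "http://", "https://")):
        errors.append("configExternalURL must start with ftp://, http:// or https://")
    if check["checkRunConclusionLevel"] not in ("failure", "success"):
        errors.append("checkRunConclusionLevel must be 'failure' or 'success'")
    if check["severityThreshold"] not in SEVERITIES:
        errors.append("severityThreshold must be low, medium or high")
    if issue["issueType"] not in ("repo", "finding"):
        errors.append("issueType must be 'repo' or 'finding'")
    if issue["minSeverityLevel"] not in SEVERITIES:
        errors.append("minSeverityLevel must be low, medium or high")
    return {"scan": scan, "check": check, "issue": issue, "errors": errors}

def resolve_sast_config_source(scan, base_branch_has_config):
    """Where .mendsastcli-config.json is read from, in the order the page documents."""
    if scan.get("configExternalURL"):
        return "external:" + scan["configExternalURL"]
    if base_branch_has_config:  # the copy on the base branch wins, even inside a PR
        return "repo-root"
    return "mend-default"

# Constructed sample: the repository-level file shown earlier on this page.
SAMPLE_WHITESOURCE = """{"scanSettingsSAST": {"enableScan": true, "scanPullRequests": true,
  "incrementalScan": false, "baseBranches": ["integration"]},
  "checkRunSettingsSAST": {"checkRunConclusionLevel": "failure", "severityThreshold": "high"},
  "issueSettingsSAST": {"issueType": "repo", "minSeverityLevel": "high"}}"""
```

Running the validator in a pre-commit hook catches a second baseBranches entry or an unsupported URL scheme before the integration silently falls back to defaults.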

Reference

Mend for GitHub Enterprise SAST repository parameters

Scan Settings (scanSettingsSAST)

Parameter

Type

Description

enableScan

Boolean

Optional. Default Value: false. The available parameter values are:

  • true - Enable Mend for GitHub Enterprise’s SAST scan.

  • false - Disable Mend for GitHub Enterprise’s SAST scan.

baseBranches

Array

Optional. Default Value: Your GitHub Enterprise "default" branch. Trigger a SAST scan for each commit to the specified branch.

Example usage:

CODE
"baseBranches": ["integration"]

This will set the integration branch as the base branch.

Note: Currently, only one branch may be listed in the baseBranches parameter. Allowing more than one branch name, for example ["master", "integration"], is planned for a future release.

scanPullRequests

Boolean

Optional. Default Value: false. The available parameter values are:

  • true - Enable scanning feature branches if they have a pull request to the configured base branch.

  • false - Disable scanning feature branches.

Note: If you run SAST scans on a feature branch, the scans are not visible in the scans table of the Mend SAST web application. The results are also not added to trend information or any dashboards within the Mend SAST web application.

The results of the feature branch scan are only for you as a developer to help you to get confidence in your code before you merge it.

incrementalScan

Boolean

Optional. Default Value: true. Enable a faster scan by reporting only results that are relative to the previous scan. The scan is compared against the latest scan on the base branch.

Notes:

  • To perform incremental scans on feature branches, it’s required to set scanPullRequests to true.

  • When incrementalScan is set to true, feature branch scans will always be incremental.

  • Base branch scans will be incremental as long as there are no changes in the scan engine that are relevant to the scanned project (e.g., Java for Java projects).

snippetSize

Integer

Optional. Default Value: 10. Adjust the number of lines displayed in the code snippets that appear in the Mend SAST application under a finding's Details section. If snippetSize is set to 0, no snippets are included in the Details section.

configExternalURL

String

Optional. Default Value: N/A. The URL where the external .mendsastcli-config.json file is hosted. The .mendsastcli-config.json file content needs to be in the same format as the SAST CLI configuration file.

The following protocols are supported: 'ftp://', 'http://', 'https://'.

For example: 'https://mydomain.com/mend-sast-settings/.mendsastcli-config.json'.

Note:

  • If configExternalURL is left empty or does not exist, the integration will look for a .mendsastcli-config.json file at the root of the repository in your base branch.

  • If configExternalURL is left empty or does not exist AND a .mendsastcli-config.json file does not exist, the integration will use our default configuration.

Check Run Settings for SAST (checkRunSettingsSAST)

Parameter

Type

Description

checkRunConclusionLevel

String

Optional. Default Value: failure. Determines whether the commit check returns a failure or a success for “New findings” introduced in the commit. The available parameter values are:

  • failure - Commit will fail when the SAST scan returns “New findings” which are more severe than the severityThreshold.

  • success - Commit will succeed despite any “New findings” returned by the SAST scan.

severityThreshold

String

Optional. Default Value: high. Set the severity threshold for “New findings” introduced in the commit at which checkRunConclusionLevel returns a failed build. The available parameter values are:

  • high - Trigger the threshold when the scan outputs a new finding of severity high or above.

  • medium - Trigger the threshold when the scan outputs a new finding of severity medium or above.

  • low - Trigger the threshold when the scan outputs a new finding of severity low or above.

Issue Settings for SAST (issueSettingsSAST)

Parameter

Type

Description

issueType

String

Optional. Default Value: repo. By default, the SAST scan produces a single scan report issue for the whole repo to minimize noise. The issueType parameter lets you control this: setting it to “finding” creates one issue per finding instead. The available parameter values are:

  • repo - Generate one scan report issue for the entire repo (default).

  • finding - Generate an issue per finding.

minSeverityLevel

String

Optional. Default Value: high. When issueType is set to finding, this parameter specifies the minimum severity a finding must have to be reported as an issue. No issues are created for findings with a lower severity, which lets you minimize noise.

  • high - Issues are created only for findings with ‘high’ severity.

  • medium - Issues are created only for findings with ‘medium’ severity or above.

  • low - Issues are created for all findings.
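As an added example that is not part of the Mend documentation, the functions below model the decisions described under checkRunSettingsSAST and issueSettingsSAST: only findings new in the commit count toward the check conclusion, a finding at or above severityThreshold fails the check unless checkRunConclusionLevel is success, and per-finding issues are filtered by minSeverityLevel. The findings are constructed sample data, and the assumption that per-finding issues are opened for all findings in the scan (not only new ones) is the example's own.

```python
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

def check_run_conclusion(new_findings, conclusion_level="failure", severity_threshold="high"):
    """Conclusion the commit check reports, per checkRunSettingsSAST."""
    if conclusion_level == "success":
        return "success"  # the check passes regardless of new findings
    floor = SEVERITY_RANK[severity_threshold.lower()]
    hits = [f for f in new_findings if SEVERITY_RANK[f["severity"].lower()] >= floor]
    return "failure" if hits else "success"

def issues_to_open(findings, issue_type="repo", min_severity_level="high"):
    """GitHub issues the integration would open, per issueSettingsSAST."""
    if issue_type == "repo":
        # One scan-report issue for the whole repository, regardless of severity.
        return [{"title": "Mend SAST scan report", "findings": len(findings)}]
    floor = SEVERITY_RANK[min_severity_level.lower()]
    return [
        {"title": f"[{f['severity']}] {f['rule']} in {f['file']}:{f['line']}"}
        for f in findings
        if SEVERITY_RANK[f["severity"].lower()] >= floor
    ]

def evaluate_commit(findings, check_settings, issue_settings):
    """Apply both .whitesource sections to one scan result (assumed, not the integration's code)."""
    new = [f for f in findings if f["new"]]
    return {
        "conclusion": check_run_conclusion(new, check_settings.get("checkRunConclusionLevel", "failure"),
                                           check_settings.get("severityThreshold", "high")),
        "issues": issues_to_open(findings, issue_settings.get("issueType", "repo"),
                                 issue_settings.get("minSeverityLevel", "high")),
    }

# Constructed sample findings (not real scanner output): two new in this commit, one pre-existing.
SAMPLE_FINDINGS = [
    {"rule": "SQL Injection", "severity": "High", "file": "src/db.py", "line": 42, "new": True},
    {"rule": "Hardcoded Secret", "severity": "Medium", "file": "src/cfg.py", "line": 7, "new": True},
    {"rule": "Weak Hash", "severity": "Low", "file": "src/auth.py", "line": 19, "new": False},
]
```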

Check Run Settings (checkRunSettings)

Parameter

Type

Description

useMendCheckNames

Boolean

Optional. Default Value: false. The available parameter values are:

  • true - All checks are named after Mend. For example: Mend Code Security Check.

  • false - All checks are named after WhiteSource. For example: WhiteSource Code Security Check.

Note: When a .whitesource file is created, the value of useMendCheckNames is true.

Mend for GitHub Enterprise SAST scan parameters

The following SAST CLI parameters are supported in the .mendsastcli-config.json file:

Parameter

Description

engines

Optional. Default Value: Auto-detects language. A comma-separated list of SAST engine/language IDs to be used in the analysis (e.g. 1,2). The available Engine IDs can be found in our CLI Parameters documentation.

javaEngineGeneration

Optional. Default Value: 1. Specifies which generation of the Java detection engine is used to perform the scan. The available parameter values are:

  • 1 - Use Java engine 1

  • 2 - Use Java engine 2

jsEngineGeneration

Optional. Default Value: 1. Specifies which generation of the JavaScript detection engine is used to perform the scan. The available parameter values are:

  • 1 - Use JavaScript engine generation 1

  • 2 - Use JavaScript engine generation 2

csharpEngineGeneration

Optional. Default Value: 1. Specifies which generation of the C# detection engine is used to perform the scan. The available parameter values are:

  • 1 - Use C# engine generation 1

  • 2 - Use C# engine generation 2

pythonEngineGeneration

Optional. Default Value: 1. Specifies which generation of the Python detection engine is used to perform the scan. The available parameter values are:

  • 1 - Use Python engine generation 1

  • 2 - Use Python engine generation 2

template

Optional. Default Value: Engine default configuration. Specifies the scan configuration template created in the web UI.

exclusions

Optional. Default Value: Mend's predefined exclusions. Specifies a comma-separated list of paths that are excluded from the analysis, typically test code or library paths.

noDefaultExclusions

Optional. Default Value: false. The available parameter values are:

  • true - Override the excluded default paths predefined by Mend, allowing them to be included in the scan.

  • false - Excludes the default paths predefined by Mend. These paths will not be included in the scan.

maxFileSize

Optional. Default Value: 1024 KB. Set the maximum file size in KB; files larger than this are ignored during the scan.

timeout: perLanguage

Optional. Default Value: 480 minutes per language. Scan time in minutes per language, after which the analysis will stop and continue to the next language, if applicable.

timeout: perFile

Optional. Default Value: 60 seconds per file. Scan time in seconds per individual file, after which the analysis will stop and continue to the next file, if applicable.

timeout: perScan

Optional. Default Value: 600 seconds per scan. Define the number of seconds after which a running scan triggers Exit Code 9.

Example Custom Configuration File

CODE
{
    "scans": {
        "engines": [],
        "exclusions": [],
        "javaEngineGeneration": 2,
        "csharpEngineGeneration": 2,
        "jsEngineGeneration": 2,
        "maxFileSize": 1024,
        "timeouts": {
            "perFile": 600,
            "perLanguage": 480,
            "perScan": 480
        }
    }
}

Mend for GitHub Enterprise SAST-supported languages

For more information on the languages and frameworks supported by Mend SAST, visit our Mend CLI SAST-supported languages and engine IDs documentation.
