
Scan your custom code (SAST) with Mend for GitHub.com

Overview

Mend SAST is the Static Application Security Testing (SAST) component of the Mend for GitHub.com integration. Within Mend for GitHub.com, Mend SAST performs an extensive security analysis of application source code, automating code inspection as an alternative to the demanding and time-consuming procedure of manual code review.

Use Cases

Mend for GitHub.com SAST scans are useful in the following situations:

  • You, a developer, complete your latest feature and commit the changes to the remote feature branch. You want to know if you introduced any new security findings so you can fix them immediately.

  • You, a developer, are responsible for fixing a vulnerability that was previously confirmed in the code. You commit your fix and want to see whether it actually resolves the vulnerability.

  • You, a development team leader, are responsible for a repository and want to make sure there are no high-severity findings in your team’s source code. You want to monitor the overall state of the repository.

Mend’s Answer: With every valid push, the SAST scan creates a Mend Code Security Check and, for base branch scans, updates the Code Security Report. Together they offer insight into new, resolved, and overall security findings so you can identify and address problems without ever leaving GitHub.com.

Getting It Done

Merge Mend’s onboarding PR

Once you have installed the Mend for GitHub.com app, a GitHub Pull Request (PR) created from the whitesource/configure branch appears in each integrated repository. This is also referred to as the “Mend for GitHub.com onboarding PR.”

The onboarding PR contains the .whitesource file, which holds the configuration of your Mend for GitHub.com scan. Edit the .whitesource file before merging the onboarding PR so that your first scan is configured appropriately for your repository.

Configure your Mend for GitHub.com SAST scan

Repository Configuration

Configuration at the repository level is done via the .whitesource file. The .whitesource file holds your repository settings for SAST scans (e.g. base branches and check run behavior).

Scan Configuration

The behavior of the SAST scan itself (e.g. timeout durations and the engines used) is configured via the .mendsastcli-config.json file.
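Because the .whitesource file decides whether SAST runs at all, which branch counts as the base branch, and whether new findings fail the check, it is worth auditing before the onboarding PR is merged. The following is an added example, not Mend's code: it reads a constructed .whitesource file and flags settings that would make the first scan useless. The key names (scanSettings.baseBranches, scanSettingsSAST.enableScan / scanPullRequests / baseBranches, checkRunSettingsSAST.checkRunConclusionLevel) follow the default file the onboarding PR generates as far as I know it; treat them as assumptions and check them against the file in your own PR.

```python
"""Pre-merge audit of the .whitesource file from the onboarding PR.

Added example, not Mend's code. Key names are assumptions taken from the
default onboarding .whitesource layout; verify them against your own PR.
The file content below is constructed for the demo.
"""
import json

# Constructed .whitesource with two settings that would make the first scan
# useless: SAST disabled, and a check run that never fails on findings.
WEAK_WHITESOURCE = """
{
  "scanSettings": {
    "configMode": "AUTO",
    "baseBranches": []
  },
  "scanSettingsSAST": {
    "enableScan": false,
    "scanPullRequests": true,
    "incrementalScan": true,
    "baseBranches": []
  },
  "checkRunSettingsSAST": {
    "checkRunConclusionLevel": "success",
    "severityThreshold": "high"
  }
}
"""


def audit_whitesource(text, expected_base="main"):
    """Return the problems found; an empty list means the config is usable."""
    cfg = json.loads(text)
    problems = []
    sast = cfg.get("scanSettingsSAST", {})
    if not sast.get("enableScan", False):
        problems.append("scanSettingsSAST.enableScan is false: no SAST scan will run")
    if not sast.get("scanPullRequests", False):
        problems.append("scanSettingsSAST.scanPullRequests is false: feature branch scans are off")
    # Assumption: an empty baseBranches list means the repository default branch,
    # so only an explicit list that omits the expected branch is a problem.
    branches = sast.get("baseBranches") or cfg.get("scanSettings", {}).get("baseBranches") or []
    if branches and expected_base not in branches:
        problems.append(f"baseBranches {branches} does not include {expected_base!r}: "
                        "no base branch scans or Code Security Report for it")
    level = cfg.get("checkRunSettingsSAST", {}).get("checkRunConclusionLevel", "failure")
    if level != "failure":
        problems.append(f"checkRunConclusionLevel is {level!r}: new findings will "
                        "never fail the Mend Code Security Check")
    return problems


def harden_whitesource(text, base="main"):
    """Return a corrected copy: SAST on, PR scans on, explicit base branch,
    and new findings fail the check."""
    cfg = json.loads(text)
    cfg.setdefault("scanSettingsSAST", {}).update(
        {"enableScan": True, "scanPullRequests": True, "baseBranches": [base]})
    cfg.setdefault("checkRunSettingsSAST", {})["checkRunConclusionLevel"] = "failure"
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    for problem in audit_whitesource(WEAK_WHITESOURCE):
        print("-", problem)
    print(harden_whitesource(WEAK_WHITESOURCE))
```

Run it against the .whitesource in the onboarding PR (or wire it into a CI job on that file) so a later edit that silently disables SAST or downgrades the conclusion level to "success" is caught before it lands on the base branch.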

Start your Mend for GitHub.com SAST scan

In Mend for GitHub.com, two types of SAST scan can be triggered, and the results are computed differently depending on the scan type.

Note: Mend for GitHub.com SAST scans are triggered by the valid push events listed below. A single push may contain multiple commits.

Base branch scans

Base branch scans are triggered by the following:

  • Any push to the configured base branch of the repository, provided the push contains source code files with supported file extensions.

  • Ticking the checkbox “Check this box to manually trigger a scan” in the “Code Security Report” GitHub Issue created by a prior SAST scan.

Note: The Code Security Report is only updated on base branch scans.

Feature branch scans

Feature branch scans are triggered by the following:

  • Opening a PR from a feature branch to the base branch, and any subsequent push to that feature branch while the PR is open.

Re-run a prior Mend SAST scan via GitHub check

You can re-run a previously failed Mend Code Security Check on a commit using the re-run options in the GitHub checks UI. When you click Re-run or Re-run failed checks, a SAST scan runs again on the relevant commit and the Mend Code Security Check is updated with the new result.

Notes:

  • On the base branch, only the check run for the most recent valid push can be retried. Neutral check runs do not count as valid pushes, so a check run that is followed only by neutral check runs can still be retried. This restriction applies only to base branches; check runs on feature branches can be retried regardless of age.

  • Only check runs created after the re-run feature was introduced can be retried. A retry request for an older check run is ignored, because newer check runs carry information needed to reproduce the scan that older ones lack.

  • Re-run requests are rate limited: after a re-run is triggered, further Re-run requests for the same check are ignored until a 5-minute cooldown expires.

View the status of your Mend for GitHub.com SAST scan

When a scan starts, a GitHub check named Mend Code Security Check is created.

Within GitHub, on the Code > Commits page of your repository, you can view the status and results of each scan. Click the check icon next to a commit to open the Mend check.

Scan status indicators

In Progress: (Orange circle icon) The SAST scan is currently running.

  • If you initiated the scan from the “Check this box to manually trigger a scan” checkbox, a “Scan in progress” message also appears in the related “Code Security Report” GitHub Issue.

Neutral: (Gray box icon) The SAST scan did not run, either because no valid scan trigger occurred or because the scan could not be performed for another reason. A message in the check states the reason.

Success: (Green checkmark icon) The SAST scan detected no new findings introduced by this commit. Pre-existing findings do not turn the check red.

Failed: (Red “X” icon) The SAST scan detected new findings introduced by this commit.
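The trigger rules, the four status indicators and the re-run restrictions above are easiest to reason about as one small decision model, which is what the following added example provides. It is not Mend's code: it applies the rules from this page to check-run objects shaped like those returned by the GitHub API (GET /repos/{owner}/{repo}/commits/{ref}/check-runs, whose `status` and `conclusion` fields are what the icons reflect). The branch names, timestamps, check-run IDs and the list of supported file extensions are constructed for the demo; the page does not list the real extension set.

```python
"""Model of the Mend Code Security Check lifecycle described above.

Added example, not Mend's code. It applies the trigger rules, the status
indicators and the re-run restrictions from this page to check-run objects
shaped like those returned by the GitHub API. Branch names, SHAs,
timestamps and the extension list are constructed for the demo.
"""

MEND_CHECK_NAME = "Mend Code Security Check"
RERUN_COOLDOWN_SECONDS = 5 * 60
# Assumption: the page does not list the supported file extensions; this is a
# placeholder subset so the base branch trigger can be exercised.
SUPPORTED_EXTENSIONS = (".py", ".js", ".ts", ".java", ".go", ".cs")


def scan_type_for_push(branch, base_branch, changed_files, has_open_pr_to_base):
    """Return "base", "feature" or None for a push, following the trigger rules.

    None means no scan is started: the check run is reported as Neutral
    (nothing to scan, or no valid trigger).
    """
    if branch == base_branch:
        if any(f.endswith(SUPPORTED_EXTENSIONS) for f in changed_files):
            return "base"
        return None            # e.g. a docs-only push: no supported source files
    if has_open_pr_to_base:
        return "feature"       # PR opened, or a push to a branch with an open PR
    return None                # feature branch without a PR is never scanned


def scan_status(check_run):
    """Map GitHub's status/conclusion fields to the indicator shown in the UI."""
    if check_run["status"] != "completed":
        return "In Progress"
    labels = {"success": "Success", "failure": "Failed", "neutral": "Neutral"}
    return labels.get(check_run["conclusion"], check_run["conclusion"])


def new_findings_conclusion(new_findings):
    """A scan fails only when it introduces new findings; resolved or
    pre-existing findings alone leave the check green."""
    return "failure" if new_findings > 0 else "success"


def rerun_allowed(check_runs, target_id, on_base_branch, last_rerun_at, now):
    """Decide whether a Re-run request for check run `target_id` is honoured.

    `last_rerun_at` and `now` are epoch seconds; `last_rerun_at` is None when
    no re-run has been requested yet.
    """
    if last_rerun_at is not None and now - last_rerun_at < RERUN_COOLDOWN_SECONDS:
        return False, "ignored: inside the 5-minute re-run cooldown"
    target = next((r for r in check_runs if r["id"] == target_id), None)
    if target is None or target["name"] != MEND_CHECK_NAME:
        return False, "not a Mend Code Security Check"
    if target["status"] != "completed":
        return False, "scan still in progress"
    if not on_base_branch:
        return True, "feature branch: any completed check can be re-run"
    # Base branch: only the most recent valid push counts, and neutral check
    # runs are not valid pushes, so skip them when finding the newest one.
    valid = [r for r in check_runs
             if r["name"] == MEND_CHECK_NAME and r.get("conclusion") != "neutral"]
    newest = max(valid, key=lambda r: r["started_at"], default=None)
    if newest is None or newest["id"] != target_id:
        return False, "base branch: only the most recent valid push can be retried"
    return True, "base branch: most recent valid push"


# Constructed check-run objects (a subset of the GitHub API fields) for one
# base branch: a failed Mend scan, then a docs-only push that produced a
# Neutral check, then an unrelated CI check.
SAMPLE_RUNS = [
    {"id": 101, "name": MEND_CHECK_NAME, "status": "completed",
     "conclusion": "failure", "started_at": "2024-05-01T10:00:00Z"},
    {"id": 102, "name": MEND_CHECK_NAME, "status": "completed",
     "conclusion": "neutral", "started_at": "2024-05-01T10:05:00Z"},
    {"id": 103, "name": "CI / unit tests", "status": "completed",
     "conclusion": "success", "started_at": "2024-05-01T10:06:00Z"},
]

if __name__ == "__main__":
    print(scan_type_for_push("main", "main", ["src/app.py"], False))
    for run in SAMPLE_RUNS:
        print(run["id"], run["name"], scan_status(run))
    print(rerun_allowed(SAMPLE_RUNS, 101, True, None, 1000.0))
    print(rerun_allowed(SAMPLE_RUNS, 102, True, None, 1000.0))
```

The sample data shows the point of the "neutral check runs don't count" rule: check run 102 is the newest, but it never scanned anything, so the failed run 101 underneath it is still the most recent valid push and can be retried, while 102 itself cannot.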

Finish your Mend for GitHub.com SAST scan

Once your Mend for GitHub.com scan has completed, there are several places to review the results. For help understanding your findings, see the View the results of your Mend for GitHub.com SAST scan documentation.
