Scan your custom code (SAST) with Mend for GitHub Enterprise
Overview
Mend SAST is a SAST (Static Application Security Testing) solution of our Mend for GitHub Enterprise integration. Within Mend for GitHub Enterprise, Mend SAST performs an extensive security analysis of application source code, which automates code inspection as an alternative to the demanding and time-consuming procedure of manual code reviews.
Use cases for SAST scans with Mend for GitHub Enterprise
Mend for GitHub Enterprise SAST scans can be utilized in the following ways:
You, a developer, complete your latest feature and commit the changes to the remote feature branch. You want to know if you introduced any new security findings so you can fix them immediately.
You, a developer, are responsible for fixing a confirmed vulnerability that existed in the code before. You commit your fix and want to see if you have successfully resolved the vulnerability.
You, a development team leader, are responsible for a repository and want to make sure there are no high-severity findings in your team’s source code. You want to monitor the overall state of the repository.
Mend’s Answer: With every valid commit, the SAST scan creates a Mend Code Security Check and Code Security Report that offers insights into new, resolved, and overall security findings to help you identify and address problems, without ever needing to leave GitHub Enterprise.
Getting It Done
Merge Mend’s onboarding PR
Once you have installed the Mend for GitHub Enterprise app, you will see a GitHub Pull Request (PR) created by the whitesource/configure branch appear in your integrated repositories. This is also referred to as the “Mend for GitHub Enterprise onboarding PR.”:
The “onboarding PR” will contain the .whitesource file, which handles the configuration of your Mend for GitHub Enterprise scan. You can edit the .whitesource file before merging the onboarding PR to ensure that your first scan is configured appropriately for your repository:
Configure your Mend for GitHub Enterprise SAST scan
To learn more about the SAST-supported languages, configuration files, and available parameters, please visit our Configure Mend for GitHub Enterprise for SAST documentation.
Repository Configuration
Configuring at the local repository level is done via the .whitesource file. The .whitesource file is used to configure your repository settings (i.e. branches, check runs, etc) for SAST scans.
Scan Configuration
Configuring the behavior of your SAST scan (i.e. timeout durations, engines used, etc.) is done via the .mendsastcli-config.json file.
Re-run a prior Mend SAST scan via GitHub check
You can re-run a previously failed Mend Code Security Check on a commit using the re-run options within the GitHub checks. When clicking on Re-run or Re-run failed checks, an SAST scan will run again on the relevant commit, and both the Mend Code Security Check will be updated:
Notes:
We only allow the most recent valid push on the base branch to be retried. Meaning, neutral checkruns don’t count toward this and checkruns before neutral checkruns can be retried. This restriction is only for base branches, feature branches can be retried, regardless of age.
Only check runs created after this code is deployed can be retried. Meaning if the user requests a retry of an old check run it will be ignored. This is because new check runs contain some hidden information necessary for the retry.
There is a 5-minute period that prevents a user from pressing the “Re-run” button more than once in 5 minutes. Any attempts within the 5-minute period will be ignored until the cooldown expires.
Start your Mend for GitHub Enterprise SAST scan
In Mend for GitHub Enterprise, there are two different types of scans for SAST that can be triggered, and, depending on the scan type, the results are computed differently.
Note: Mend for GitHub Enterprise SAST scans are triggered by the valid push commands listed below. A push command may consist of multiple commits.
Base branch scans
Base branch scans are triggered by the following:
For the configured base branch of the repo on any push if it contains source code files with supported file extensions.
By clicking the checkbox “Check this box to manually trigger a scan” in the “Code Security Report” GitHub Issue created by a prior SAST scan:
Note: The Code Security Report is only updated on base branch scans.
Feature branch scans
Feature branch scans are triggered by the following:
After initiating a PR for a feature branch to the base branch or on any future push after the PR is set to pending.
View the status of your Mend for GitHub Enterprise SAST scan
Once the scan is started, there is a GitHub check created called Mend Code Security Check.
Within GitHub, In the Code > commits page of your repository, you can view the status and results of each scan. Click a specific check icon in order to view the Mend check:
Scan status indicators
In Progress: (Orange circle icon) The SAST scan is currently running:
If you initiated the scan from the “Check this box to manually trigger a scan” checkbox, you can also see a “Scan in progress” message within the related “Code Security Report” GitHub Issue:
Neutral: (Gray box icon) The SAST scan did not run because a valid scan initiation action did not occur or the scan could not be performed for other reasons. A message in the check will inform you about the reason:
Success: (Green checkmark icon) The SAST scan did not detect any new findings introduced in this commit:
Failed: (Red “X” icon) The SAST scan detected new findings introduced in this commit:
Finish your Mend for GitHub Enterprise SAST scan
Once your Mend for GitHub Enterprise scan has been completed, there are multiple resources to review your results. For more information to help you understand your findings, visit our View the results of your Mend for GitHub Enterprise SAST scan documentation.