Scan your custom code (SAST) with Mend for GitLab
Overview
Mend SAST is the Static Application Security Testing (SAST) component of the Mend for GitLab integration. Within Mend for GitLab, Mend SAST performs an extensive security analysis of application source code, automating code inspection as an alternative to the demanding and time-consuming process of manual code review.
Use cases for SAST scans with Mend for GitLab
Mend for GitLab SAST scans can be utilized in the following ways:
You, a developer, complete your latest feature and commit the changes to the remote feature branch. You want to know if you introduced any new security findings so you can fix them immediately.
You, a developer, are responsible for fixing a confirmed vulnerability that already existed in the code. You commit your fix and want to confirm that the vulnerability has actually been resolved.
You, a development team leader, are responsible for a repository and want to make sure there are no high-severity findings in your team’s source code. You want to monitor the overall state of the repository.
Mend’s Answer: With every valid push, the SAST scan creates a Mend Code Security Check and, for base branch scans, creates or updates a Code Security Report. Together they offer insights into new, resolved, and overall security findings to help you identify and address problems without ever leaving GitLab.
Getting It Done
Merge Mend’s onboarding MR
Once you have installed Mend for GitLab, you will see a GitLab Merge Request (MR) created from the whitesource/configure branch appear in each of your integrated repositories. This is also referred to as the Mend for GitLab "Onboarding MR":

The “onboarding MR” contains the .whitesource file, which configures your Mend for GitLab scan. You can edit the .whitesource file before merging the onboarding MR so that your first scan is configured appropriately for your repository (for example, which base branch to scan):

Configure Mend for GitLab for SAST
The .whitesource file is used to configure Mend for SAST scans. To learn more about the SAST-supported languages, configuration, and available parameters, please visit our Configure Mend for GitLab for SAST documentation.
Repository Configuration
Configuration at the repository level is done via the .whitesource file, which holds your repository settings for SAST scans (e.g. base branches, check run behavior).
Scan Configuration
Configuring the behavior of the SAST scan itself (e.g. timeout durations, engines used) is done via the .mendsastcli-config.json file. This file is not part of the onboarding MR and must be added to the repository manually.
Start your Mend for GitLab SAST scan
In Mend for GitLab, there are two different types of SAST scans that can be triggered, and the results are computed differently depending on the scan type.
Note: Mend for GitLab SAST scans are triggered by the valid pushes listed below. A single push may consist of multiple commits.
Base branch scans
Base branch scans are triggered by the following:
Any push to the configured base branch of the repository, provided the push contains source code files with supported file extensions.
Ticking the checkbox “Check this box to manually trigger a scan” in the “Code Security Report” GitLab Issue created by a prior SAST scan:
Note: The Code Security Report is only updated on base branch scans.
Feature branch scans
Feature branch scans are triggered by the following:
Opening an MR from a feature branch to the base branch, and any subsequent push to the feature branch while that MR is pending.
Notes:
Only the most recent valid push on the base branch can be retried. Neutral check runs do not count toward this, so a check run that precedes a neutral check run can still be retried. This restriction applies only to base branches; feature branch check runs can be retried regardless of age.
Only check runs created after this feature was deployed can be retried. A retry requested for an older check run is ignored, because newer check runs carry hidden information that the retry requires.
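The trigger and retry rules above have several edge cases (a base branch push that touches no source files, a feature branch with no pending MR, a neutral check run sitting on top of a failed one). The following is an added illustration written for this page, not Mend's own code: it models those documented rules as plain Python so they can be checked against constructed events. The field names, the extension list standing in for the SAST-supported file types, and the "supports_retry" flag representing check runs created after retry support was deployed are all assumptions made for the model.

```python
"""Model of the Mend for GitLab SAST scan-trigger and retry rules.

Added illustration for this page, not Mend's code. Field names, the
extension list and the supports_retry flag are assumptions of the model.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Assumption: a small set of extensions standing in for the SAST-supported
# source file extensions (the real list is in the Mend configuration docs).
SUPPORTED_EXTENSIONS = {".py", ".js", ".ts", ".java", ".go", ".cs", ".rb", ".php"}


@dataclass
class PushEvent:
    branch: str
    changed_files: List[str]          # one push may carry several commits
    mr_pending_to_base: bool = False  # an MR from this branch to the base branch is pending


def has_supported_extension(path: str) -> bool:
    """True if the path ends with one of the assumed supported extensions."""
    return any(path.lower().endswith(ext) for ext in SUPPORTED_EXTENSIONS)


def scan_type_for_push(push: PushEvent, base_branch: str) -> Optional[str]:
    """Return "base", "feature", or None when the push triggers no SAST scan."""
    if push.branch == base_branch:
        # Base branch scans need at least one file with a supported extension.
        if any(has_supported_extension(f) for f in push.changed_files):
            return "base"
        return None
    # Feature branch scans need a pending MR to the base branch.
    return "feature" if push.mr_pending_to_base else None


@dataclass
class CheckRun:
    id: int
    branch: str
    conclusion: str              # "success", "failure" or "neutral"
    supports_retry: bool = True  # False for runs created before retry support (assumed flag)


def retryable_check_runs(runs: List[CheckRun], base_branch: str) -> Set[int]:
    """Return the ids of check runs whose retry request would be honoured.

    `runs` is assumed to be ordered oldest to newest.
    Base branch: only the most recent non-neutral run is retryable.
    Feature branches: any run, regardless of age.
    Either way, runs from before retry support are ignored.
    """
    base_valid = [r for r in runs if r.branch == base_branch and r.conclusion != "neutral"]
    latest_base = base_valid[-1] if base_valid else None
    allowed: Set[int] = set()
    for r in runs:
        if not r.supports_retry:
            continue
        if r.branch == base_branch:
            if r is latest_base:
                allowed.add(r.id)
        else:
            allowed.add(r.id)
    return allowed


if __name__ == "__main__":
    # Constructed sample events, not captured from a real repository.
    print(scan_type_for_push(PushEvent("main", ["src/app.py", "docs/x.md"]), "main"))  # base
    print(scan_type_for_push(PushEvent("main", ["README.md"]), "main"))                # None
    runs = [
        CheckRun(1, "main", "success"),
        CheckRun(2, "main", "failure"),
        CheckRun(3, "main", "neutral"),          # neutral: does not count
        CheckRun(4, "feature/login", "failure"),
        CheckRun(5, "feature/login", "success", supports_retry=False),
    ]
    print(sorted(retryable_check_runs(runs, "main")))  # [2, 4]
```

In the sample check run list, run 2 remains retryable even though a newer run 3 exists on the base branch, because run 3 concluded neutral and neutral runs do not count. Run 5 on the feature branch is excluded only because it predates retry support; run 4 is retryable regardless of its age.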
View the status of your Mend for GitLab SAST scan
Once the scan starts, a GitLab check called the Mend Code Security Check is created.
Within GitLab, on the Code > Commits page of your repository, you can view the status and result of each scan. Click a specific check icon to view the Mend check:

Scan status indicators
In Progress: (Blue circle icon) The SAST scan is currently running:

If you initiated the scan from the “Check this box to manually trigger a scan” checkbox, you can also see a “Scan in progress” message within the related “Code Security Report” GitLab Issue:

Passed: (Green checkmark icon) The SAST scan did not detect any new findings introduced in this commit:

Failed: (Red “X” icon) The SAST scan detected new findings introduced in this commit:

Finish your Mend for GitLab SAST scan
Once your Mend for GitLab scan has completed, there are multiple resources for reviewing your results. For more information to help you understand your findings, visit our View the results of your Mend for GitLab SAST scan documentation.