
Scan your custom code (SAST) with Mend for GitLab

Overview

Mend SAST is the Static Application Security Testing (SAST) component of the Mend for GitLab integration. Within Mend for GitLab, Mend SAST performs an extensive security analysis of application source code, automating code inspection as an alternative to the demanding and time-consuming process of manual code review.

Use cases for SAST scans with Mend for GitLab

Mend for GitLab SAST scans can be utilized in the following ways:

  • You, a developer, complete your latest feature and commit the changes to the remote feature branch. You want to know if you introduced any new security findings so you can fix them immediately.

  • You, a developer, are responsible for fixing a confirmed vulnerability that existed in the code before. You commit your fix and want to see if you have successfully resolved the vulnerability.

  • You, a development team leader, are responsible for a repository and want to make sure there are no high-severity findings in your team’s source code. You want to monitor the overall state of the repository.

Mend’s Answer: With every valid commit, the SAST scan creates a Mend Code Security Check and Code Security Report that offers insights into new, resolved, and overall security findings to help you identify and address problems, without ever needing to leave GitLab.

Getting It Done

Merge Mend’s onboarding PR

Once you have installed Mend for GitLab, a GitLab Merge Request (MR) created from the whitesource/configure branch appears in each integrated repository. This is also referred to as the Mend for GitLab "Onboarding MR".

The “onboarding MR” contains the .whitesource file, which holds the configuration of your Mend for GitLab scan. You can edit the .whitesource file before merging the onboarding MR to ensure that your first scan is configured appropriately for your repository.

Configure Mend for GitLab for SAST

The .whitesource file is used to configure Mend for SAST scans. To learn more about the SAST-supported languages, configuration, and available parameters, please visit our Configure Mend for GitLab for SAST documentation.

Repository Configuration

Configuration at the repository level is done via the .whitesource file, which holds your repository settings for SAST scans (for example, which branches are scanned and how check runs behave).

Scan Configuration

Configuring the behavior of the SAST scan itself (for example, timeout durations and the engines used) is done via the .mendsastcli-config.json file. This file is not part of the onboarding MR and must be added to the repository manually.

Start your Mend for GitLab SAST scan

Mend for GitLab can trigger two different types of SAST scan, and the results are computed differently depending on the scan type.

Note: Mend for GitLab SAST scans are triggered by the valid push commands listed below. A push command may consist of multiple commits.

Base branch scans

Base branch scans are triggered by the following:

  • On any push to the configured base branch of the repository that contains source code files with supported file extensions.

  • By selecting the “Check this box to manually trigger a scan” checkbox in the “Code Security Report” GitLab Issue created by a prior SAST scan.

Note: The Code Security Report is only updated on base branch scans.

Feature branch scans

Feature branch scans are triggered by the following:

  • When a merge request (MR) is opened from the feature branch to the base branch, and on any subsequent push to the feature branch after the MR is set to pending.

Notes:

  • Only the most recent valid push on the base branch can be retried. Neutral check runs do not count toward this, so a check run that precedes a neutral check run can still be retried. This restriction applies only to base branches; feature branch check runs can be retried regardless of age.

  • Only check runs created after the retry feature was deployed can be retried. A retry requested for an older check run is ignored, because newer check runs carry hidden information that the retry requires.

View the status of your Mend for GitLab SAST scan

Once the scan starts, a GitLab check called the Mend Code Security Check is created.

Within GitLab, on the Code > Commits page of your repository, you can view the status and results of each scan. Click the check icon next to a specific commit to view the Mend check.

Scan status indicators

In Progress (blue circle icon): the SAST scan is currently running.

If you initiated the scan from the “Check this box to manually trigger a scan” checkbox, a “Scan in progress” message also appears in the related “Code Security Report” GitLab Issue.

Passed (green checkmark icon): the SAST scan did not detect any new findings introduced in this commit.

Failed (red “X” icon): the SAST scan detected new findings introduced in this commit.
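To make the pass/fail semantics above concrete, here is an added Python model of the check result; it is not Mend's implementation and not code from this page. A finding is keyed by rule, file and line; the check fails only when findings appear that were not in the baseline, while pre-existing and resolved findings are reported without failing the check, and the report flag is set only for base branch scans, matching the note that the Code Security Report is updated only on base branch scans. All class and function names, rule ids, paths and sample findings are constructed for illustration.

```python
"""Added example, not Mend's own code: a minimal model of the pass/fail
semantics described for the Mend Code Security Check.

Relative to a baseline scan:
  new      = findings present now but not in the baseline
  resolved = findings present in the baseline but not now
  overall  = everything present now
The check passes only when no new findings were introduced, and the
Code Security Report is updated only for base branch scans. All rule
names, paths and findings below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable


@dataclass(frozen=True)
class Finding:
    rule: str       # constructed rule id, e.g. "sql-injection"
    path: str       # file the finding was reported in
    line: int       # line the finding was reported at
    severity: str   # "high", "medium" or "low"


@dataclass(frozen=True)
class ScanOutcome:
    status: str                   # "passed" or "failed"
    new: FrozenSet[Finding]
    resolved: FrozenSet[Finding]
    overall: FrozenSet[Finding]
    report_updated: bool          # True only for base branch scans


def evaluate_scan(baseline: Iterable[Finding], current: Iterable[Finding],
                  scan_type: str) -> ScanOutcome:
    """Compare a scan against its baseline and derive the check result."""
    if scan_type not in ("base", "feature"):
        raise ValueError(f"unknown scan type: {scan_type!r}")
    base = frozenset(baseline)
    now = frozenset(current)
    new = now - base
    resolved = base - now
    # The check fails only on findings introduced by this push; findings
    # that already existed in the baseline do not fail the check.
    status = "failed" if new else "passed"
    return ScanOutcome(status, new, resolved, now, scan_type == "base")


def count_by_severity(findings: Iterable[Finding]) -> Dict[str, int]:
    """Severity breakdown, e.g. for a team lead watching for high findings."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample data: the base branch had two findings; the feature
# branch fixed the path traversal but introduced a SQL injection.
BASELINE = (
    Finding("path-traversal", "src/download.py", 42, "high"),
    Finding("hardcoded-secret", "src/config.py", 7, "medium"),
)
CURRENT = (
    Finding("hardcoded-secret", "src/config.py", 7, "medium"),
    Finding("sql-injection", "src/users.py", 88, "high"),
)

if __name__ == "__main__":
    outcome = evaluate_scan(BASELINE, CURRENT, "feature")
    print(f"status={outcome.status}, new={len(outcome.new)}, "
          f"resolved={len(outcome.resolved)}, overall={len(outcome.overall)}, "
          f"report_updated={outcome.report_updated}")
    print("by severity:", count_by_severity(outcome.overall))
```

Run as a script, the constructed feature branch scan reports one new and one resolved finding and therefore fails, even though the developer fixed a high-severity issue; a base branch scan of the same fix with nothing new would pass and also update the report.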

Finish your Mend for GitLab SAST scan

Once your Mend for GitLab scan has completed, there are multiple resources for reviewing your results. For help understanding your findings, visit our View the results of your Mend for GitLab SAST scan documentation.
