
Configure the Mend CLI for SAST

Overview

Configuring the Mend CLI for a SAST scan can be done via command line parameters or environment variables.

Tip: For inline assistance, use the mend code -h or mend code --help commands.

Getting it done

Configure the Mend CLI SAST scan via command line parameters

You can configure the Mend CLI SAST scan at runtime by adding flags to the mend code command. The usage of the mend code command is as follows:

    mend code [flags]

Note: Backwards compatibility is maintained for the previously used mend sast command. However, we recommend switching to the updated mend code command at your earliest convenience.

Configure the Mend CLI SAST scan via environment variables

You can configure the Mend CLI SAST scan by defining environment variables. To define the variables in your environment, you can:

  • Set environment variables prior to the Mend CLI run to persist between sessions:

    • In MacOS and Linux, use a shell startup script

    • In Windows, use the setx command.

      • setx VARIABLE "MYVALUE"

  • Set environment variables prior to the Mend CLI run, for the current session only:

    • In MacOS and Linux, use the export command.

      • export VARIABLE=value

    • In Windows, use the set command.

      • set VARIABLE=value

Reference

Mend CLI SAST parameters

The Mend CLI SAST parameters provided below are organized alphabetically within each of their relevant contexts.

Note: Not all configuration types (Command Line, Environment Variable) exist for each parameter. The configuration type(s) will have "N/A" for a parameter if it is not available.

Mend CLI SAST - General scan parameters

Parameter | Description | Mend CLI Default Behavior

Command Line: N/A
Environment Variable: MEND_SAST_CONTAINER_HOST_ADDRESS

Required for Podman Desktop users. Allows for the support of Mend CLI scans in Podman Desktop environments on macOS. The available values are:

  • host.containers.internal: Automatically evaluates the host IP address.

  • Exact IP Address: Insert the IP address of your local host machine (typically 192.168.x.x).

Note:

  • The Podman machine must be created with root privileges (See Podman Desktop documentation: Creating a Podman machine).

  • If you used the Mend CLI prior to v23.10.2, after updating, make sure to delete the .mend folder before running your next scan (i.e. rm -rf ~/.mend).

Parameter is omitted.

Command Line: -d, --dir
Environment Variable: MEND_SAST_TARGET_DIRECTORY

Optional. Specify the target directory for the Mend CLI SAST scan.

Current directory (".") will be scanned.

Command Line: -e, --engines
Environment Variable: MEND_SAST_ENGINES

Optional. Specifies which SAST engines should be used by their IDs. Omit this parameter for auto-recognition.

For more information on supported languages and their engine IDs, please visit the Mend CLI SAST-supported languages and engine IDs section within this documentation.

Parameter is omitted, enabling language auto-recognition.

Command Line: --java-engine-generation
Environment Variable: MEND_SAST_JAVA_ENGINE_GENERATION

Optional. Specifies which generation of Java detection engine is used to perform the scan. The available parameters are:

  • 1 - Use Java engine generation 1

  • 2 - Use Java engine generation 2

Default: 1

Command Line: --js-engine-generation (short notation: --js)
Environment Variable: MEND_SAST_JS_ENGINE_GENERATION

Optional. Specifies which generation of JavaScript detection engine is used to perform the scan. The available parameters are:

  • 1 - Use JavaScript engine generation 1

  • 2 - Use JavaScript engine generation 2

Default: 1

Command Line: --csharp-engine-generation (short notation: --cs)
Environment Variable: MEND_SAST_CSHARP_ENGINE_GENERATION

Optional. Specifies which generation of C# detection engine is used to perform the scan. The available parameters are:

  • 1 - Use C# engine generation 1

  • 2 - Use C# engine generation 2

Default: 1

Command Line: --python-engine-generation (short notation: --py)
Environment Variable: MEND_SAST_PYTHON_ENGINE_GENERATION

Optional. Specifies which generation of Python detection engine is used to perform the scan. The available parameters are:

  • 1 - Use Python engine generation 1

  • 2 - Use Python engine generation 2

Default: 1

Command Line: --num-cpu
Environment Variable: CPU_NUMBER

Optional. Specify the number of processor units for multicore processing. On Linux, the CFS CPU quota is applied.

Default: 8

Command Line: --retries
Environment Variable: MEND_SAST_SCAN_RETRIES

Optional. Specify the number of automatic scan retries in case of failures. Retries ignore files where the scan got stuck in the previous attempt.

Default: 0

Command Line: -t, --template
Environment Variable: MEND_SAST_TEMPLATE

Optional. Specify the scan configuration template created in the Mend Application.

This parameter is omitted, so the scan uses the Mend predefined configuration for each Language (engine ID) identified.

Mend CLI SAST - Incremental scan parameters

Parameter | Description | Mend CLI Default Behavior

Command Line: --baseline-storage
Environment Variable: MEND_SAST_BASELINE_STORAGE

Optional. Define the directory path of the baseline for future incremental scans. See --upload-baseline for more details.

Incremental scans are disabled by default.

Command Line: -i, --inc
Environment Variable: MEND_SAST_INCREMENTAL_SCAN

Optional. Enable incremental scanning, which sets the Mend CLI to only check for code changes from the previous scan. This parameter requires an existing baseline (see --upload-baseline).

Incremental scans are disabled by default.

Command Line: --no-baseline
Environment Variable: N/A

Optional. Disable the creation of a baseline dump.

Incremental scans are disabled by default.

Command Line: --upload-baseline
Environment Variable: MEND_SAST_UPLOAD_BASELINE

Optional. Define the scan as a baseline for future incremental scans. The baseline will include minimum relevant fragments of code representation in order to enable incremental scans.

Incremental scans are disabled by default.

Note:

  • If --inc is used together with --upload-baseline, a full scan is executed when the previous baseline was created with an older version of the engine.

Mend CLI SAST - Log parameters

Tip: The Mend CLI SAST scan logs can be found locally in the .mend/logs/sast directory.

Parameter | Description | Mend CLI Default Behavior

Command Line: N/A
Environment Variable: MEND_SAST_CACHE_PATH

Optional. Define the local path where cached data is stored during a Mend SAST CLI scan.

Cached data is found locally in the .mend/storage/sast directory.

Command Line: N/A
Environment Variable: MEND_LOG_LEVEL

Optional. Define the verbosity of the Mend SAST CLI logs. The available values are:

  • DEBUG - Includes additional scan behavior that can help with troubleshooting.

  • INFO - Includes basic scan behavior.

Note: Currently only available for the new generation of the C#, Java, JavaScript and TypeScript engines.

Default: INFO

Command Line: --no-logs
Environment Variable: MEND_SAST_NO_LOGS

Optional. Disable the submission of the Mend CLI SAST scan logs to Mend.

Parameter is omitted, causing the scan logs to be uploaded to Mend.

Command Line: N/A
Environment Variable: MEND_SAST_STORAGE_LIMIT

Optional. Define the amount of disk space in megabytes that is used for storing logs. If this limit is reached, the log files are deleted automatically, starting with the oldest creation date.

Default: 2048 MB

Mend CLI SAST - Report parameters

Parameter | Description | Mend CLI Default Behavior

Command Line: --filename
Environment Variable: MEND_SAST_REPORT_FILENAME

Optional. The SAST report filename. File extensions are automatically appended. See -r, --report and --formats parameters for report creation.

Report creation is not enabled.

Command Line: --formats
Environment Variable: MEND_SAST_REPORT_FORMATS

Optional. SAST report file formats. This parameter requires enabling report creation (see -r, --report).
The available parameter values are:

  • html

  • pdf

  • xml

  • json

  • csv

  • sarif

Report creation is not enabled.

Command Line: -r, --report
Environment Variable: MEND_SAST_GENERATE_REPORT

Optional. Enable the creation of reports containing the scan results. See --formats parameter for supported file formats.

Report creation is not enabled.

Command Line: N/A
Environment Variable: MEND_SAST_REPORT_LEVEL

Optional. Specify the granularity level of the generated report file. The available parameter values are:

  • "short" - Short technical report that does not include vulnerability data flows.

  • "summary" - Summary report with no individual vulnerability details.

  • "technical" - Full technical report.

The report is created with the Mend SAST report level set to "technical".

Command Line: N/A
Environment Variable: MEND_SAST_REPORT_TYPE

Optional. Specify the type of the generated compliance report. The available parameter values are:

  • "CAPEC"

  • "Default"

  • "HIPAA"

  • "HITRUST"

  • "NIST"

  • "OWASP2021"

  • "OWASP2017"

  • "PCI"

  • "SANS"

The report is created with the Mend SAST report type set to "Default".

Mend CLI SAST - Terminal view parameters

Parameter | Description | Mend CLI Default Behavior

Command Line: -h, --help
Environment Variable: N/A

Optional. Display the available parameters for the mend code command.

Use this parameter on demand to display the available parameters for the mend code command.

Command Line: --non-interactive
Environment Variable: N/A

Optional. Mend CLI will run in non-interactive mode, suppressing the use of colors, progress bars and any other graphic features in STDOUT.

Mend CLI output to STDOUT includes the use of colors and progress bars, which are irrelevant in a non-interactive session and may cause issues in some environments.

Mend CLI SAST - Threshold parameters (Policy)

You can set your build to fail by defining the threshold parameters provided below for the Mend CLI SAST scan. If your scan results violate the threshold parameters in place, the Mend CLI will exit with Exit Code 9.

Note:

  • We recommend avoiding breaking builds unless you have carefully defined your thresholds and change management processes, as this can cause significant disruptions to existing workflows and create opposition to these changes.

  • The threshold parameters are only configurable by environment variables.

Parameter | Description | Mend CLI Default Behavior

Environment Variable: MEND_SAST_THRESHOLD_CWE

Optional. Define the specific CWE IDs as a comma-separated list that will trigger Exit Code 9.

Parameter is omitted.

Environment Variable: MEND_SAST_THRESHOLD_HIGH

Optional. Define the number of high-severity findings that will trigger Exit Code 9.

Parameter is omitted.

Environment Variable: MEND_SAST_THRESHOLD_LOW

Optional. Define the number of low-severity findings which trigger Exit Code 9.

Parameter is omitted.

Environment Variable: MEND_SAST_THRESHOLD_MEDIUM

Optional. Define the number of medium-severity findings which trigger Exit Code 9.

Parameter is omitted.

Environment Variable: MEND_SAST_THRESHOLD_ONLY_NEW

Optional. Define the Mend CLI SAST scan threshold based on new findings that violate any of the HIGH, MEDIUM, and LOW thresholds. The available values are:

  • TRUE - Scan will exit with Exit Code 9 only if it detects new findings that violate any of the defined HIGH, MEDIUM, and LOW thresholds.

Parameter is omitted.
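As an added example (not Mend's own code), the following POSIX shell wrapper ties the environment-variable configuration described under "Getting it done" to the threshold policy above: it sets the thresholds through environment variables (the only way they can be set), runs the scan non-interactively with a SARIF report, and turns the exit status into a verdict a CI job can act on. It assumes mend is on PATH (MEND_BIN overrides it), that the Mend credentials are already exported, and that the threshold values are constructed choices to be tuned per programme.

```shell
#!/bin/sh
# Added example, not Mend's own code: CI wrapper for the Mend CLI SAST scan.
# Assumes `mend` is on PATH (MEND_BIN overrides it), Mend credentials are
# already exported, and the threshold values below are constructed choices.

# Thresholds are environment-variable only (see the table above). The values
# are the counts of findings that trigger Exit Code 9, plus a CWE allow-fail list.
export MEND_SAST_THRESHOLD_HIGH="${MEND_SAST_THRESHOLD_HIGH:-1}"
export MEND_SAST_THRESHOLD_MEDIUM="${MEND_SAST_THRESHOLD_MEDIUM:-5}"
export MEND_SAST_THRESHOLD_CWE="${MEND_SAST_THRESHOLD_CWE:-79,89,78}"
# Gate only on findings new since the previous scan, so an existing backlog
# does not block every build while it is being worked down.
export MEND_SAST_THRESHOLD_ONLY_NEW="${MEND_SAST_THRESHOLD_ONLY_NEW:-TRUE}"
# A scan running longer than this many minutes also ends with Exit Code 9.
export MEND_SAST_TIMEOUT_TOTAL="${MEND_SAST_TIMEOUT_TOTAL:-90}"

# Map the Mend CLI exit status to a verdict the pipeline can act on.
classify_exit() {
  case "$1" in
    0) echo "pass" ;;
    9) echo "policy-violation" ;;   # thresholds or MEND_SAST_TIMEOUT_TOTAL hit
    *) echo "scan-error" ;;         # tooling failure: never treat as a clean pass
  esac
}

# run_scan <dir> <scan-name>: prints the verdict; returns 0 only for "pass".
run_scan() {
  rc=0
  "${MEND_BIN:-mend}" code --non-interactive --retries 2 \
      --dir "$1" --name "$2" \
      --report --formats sarif --filename "mend-sast-$2" || rc=$?
  verdict=$(classify_exit "$rc")
  echo "$verdict"
  [ "$verdict" = "pass" ]
}

# Pipeline step (uncomment): fail the job unless the verdict is "pass".
# run_scan . "${CI_COMMIT_SHA:-local}" || exit 1
```

Distinguishing Exit Code 9 from other non-zero statuses matters: a crashed or timed-out scan must surface as a tooling failure rather than being mistaken for a clean result.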

Mend CLI SAST - Scan Performance parameters

Parameter | Description | Mend CLI Default Behavior

Command Line: N/A
Environment Variable: MEND_SAST_MAX_FILE_SIZE

Sets a maximum file size above which a file will be ignored during the scan.

Default: 1024 KB

Command Line: N/A
Environment Variable: MEND_SAST_PATH_EXCLUSIONS

Specifies a comma-separated list of paths that are excluded from the analysis, typically test code or library paths.

Note: Path exclusions specified for a scan in the CLI are only applicable for that particular scan.

Command Line: --no-default-exclusions
Environment Variable: MEND_SAST_NO_DEFAULT_EXCLUSIONS

If specified, default path exclusions predefined by Mend (which ignore e.g. library directories) are not taken into account.


Command Line: N/A
Environment Variable: MEND_SAST_CONFIG_MAX_TYPE_ANALYSIS_STEPS

Optional. Configure the number of analysis steps of the type analysis for the Gen 2 engines.

Default: Unlimited

Mend CLI SAST - Timeout parameters

Parameter | Description | Mend CLI Default Behavior

Command Line: N/A
Environment Variable: MEND_SAST_TIMEOUT_LANGUAGE

Optional. Define the timeout in minutes per language. If a language violates the defined timeout value, the Mend CLI will skip the language and continue on, resulting in a partial scan.

Default: 480 minutes per language

Command Line: N/A
Environment Variable: MEND_SAST_TIMEOUT_FILE

Optional. Define the timeout in seconds per individual file. If a file violates the defined timeout value, the Mend CLI will skip the file and continue on, resulting in a partial scan.

The default depends on the analyzed programming language.

Command Line: N/A
Environment Variable: MEND_SAST_TIMEOUT_TOTAL

Optional. Define the number of minutes after which a running scan will trigger Exit Code 9.

Note: MEND_SAST_THRESHOLD_RUNTIME is still supported to maintain backward compatibility.

Default: 480 minutes

Mend CLI SAST - Upload parameters

Parameter | Description | Mend CLI Default Behavior

Command Line: -a, --app
Environment Variable: MEND_SAST_APPLICATION

Notice: This parameter is only applicable for scans sent to the Mend SAST Application. Mend Platform Application scans should use the -s, --scope parameter. If you want to perform a scan against the Mend Platform, please refer to the Mend Platform documentation.

Optional. Specify the scan's parent application name and inherit its parameters.

The scan is named after the directory that is being scanned. The parameters that are used are the Mend predefined configurations for each language (engine ID) identified.

Command Line: -n, --name
Environment Variable: MEND_SAST_SCAN_NAME

Optional. Specify the scan name. Auto-generated if omitted.

Parameter is omitted, causing the scan name to be auto-generated.

Command Line: --snippet-size
Environment Variable: MEND_SAST_SNIPPET_SIZE

Optional. Specify the size of source code snippets (lines of code) submitted to the Mend Application. If --snippet-size is set to 0, no source code snippets will be uploaded to Mend.

Default: 10

Mend CLI SAST-supported languages and engine IDs

The following languages and their associated engine IDs (see -e, --engines parameter) are supported by the Mend CLI for SAST scans:

Mend CLI SAST exit codes

Note: For a comprehensive overview of Mend CLI SAST exit codes, please refer to our Mend CLI Exit Codes article.
