Run an incremental Mend SAST CLI code scan
Overview
The Mend CLI offers the option to run incremental scans of your custom code which check only the changes in your code since the previous Mend CLI SAST scan. This reduces the run time of your scan, because a much smaller code base has to be analyzed.
Note: This article specifically covers the usage of the Mend CLI’s incremental code scan feature. For general information on scanning your custom code (SAST) with the Mend CLI, check out these articles:
Getting it done
Prerequisites before starting the incremental Mend CLI code scan
The following prerequisites are required before running an incremental Mend CLI code scan:
Provide the Mend CLI with access to read your application’s source code on a file system.
You must first run a full scan and upload it as a baseline for all future incremental scans, using the --upload-baseline parameter. An example of this configuration and the command is provided below:
mend code --dir <pathname_to_project> --upload-baseline
Run the incremental Mend CLI code scan
To initiate the incremental Mend CLI code scan, run the following command:
mend code --dir <pathname_to_project> --inc
Notes:
Backwards compatibility is supported for the previously used mend sast command. However, we recommend switching to the updated mend code command at your earliest convenience.
If --inc is used together with --upload-baseline, a full scan is executed when the previous baseline was created with an older version of the engine.
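The two steps above can be combined in a CI job so that one branch keeps the baseline current and all other branches scan incrementally against it. The following is an added example, not part of the Mend documentation: the function names, the DRY_RUN switch and the rule that the default branch uploads the baseline are assumptions; only the mend code, --dir, --upload-baseline and --inc arguments come from this page.

```shell
#!/bin/sh
# Added example (not Mend's own code): choose the Mend CLI code scan mode in CI.
# Assumption: the CI system supplies the current and default branch names, and
# the default branch is the one that refreshes the baseline.

# scan_mode <current_branch> <default_branch>
# Prints the flag to pass to "mend code"; fails on missing branch names so a
# misconfigured job stops instead of silently running the wrong scan type.
scan_mode() {
    [ -n "$1" ] && [ -n "$2" ] || {
        echo "scan_mode: branch names required" >&2
        return 2
    }
    if [ "$1" = "$2" ]; then
        echo --upload-baseline   # full scan, stored as the new baseline
    else
        echo --inc               # scan only changes since the baseline
    fi
}

# run_scan <project_dir> <current_branch> <default_branch>
# Runs the scan, or prints the command when DRY_RUN=1 (hypothetical switch
# added here so the logic can be checked without the CLI installed).
run_scan() {
    dir=$1
    [ -d "$dir" ] || {
        echo "run_scan: $dir is not a readable directory" >&2
        return 2
    }
    mode=$(scan_mode "$2" "$3") || return 2
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "mend code --dir $dir $mode"
    else
        mend code --dir "$dir" "$mode"
    fi
}

# Typical CI call (variable names are placeholders for your CI system's own):
#   run_scan "$PWD" "$BRANCH" "$DEFAULT_BRANCH"
```

An incremental scan started before any baseline exists does not meet the prerequisite above, so run the default-branch job at least once before enabling the job on other branches.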