Scan your custom code (SAST) with the Mend CLI
Overview
The Mend CLI Static Application Security Testing (SAST) engine performs an extensive security analysis of application source code, which automates inspection as an alternative to the demanding and time-consuming procedure of manual code reviews.
Use cases for scanning your Code with the Mend CLI
Let’s look at the following real-life examples that industry personas commonly run into:
As an AppSec Manager, you are in charge of the decision-making for selecting a tool that can detect custom code weaknesses in your teams' applications and provide remediation suggestions. You also want to define your organization’s policies that can be utilized to control your teams' builds. Finally, you want to monitor the security posture of your organization’s custom code in the form of dashboards.
As a DevOps Engineer, you are tasked with implementing a security tool into your teams' CI/CD solutions that can provide insights on code weaknesses in your teams' applications directly within the pipeline console.
Mend’s Answer: Utilizing the Mend CLI SAST scan, you can effortlessly assess your custom code for security weaknesses and components that violate your organization’s defined policies. The results are conveniently presented in a well-organized table format within the Mend CLI or via dashboards in the Mend SAST Application, and can also be exported into reports in various supported file formats.
Getting it done
Prerequisites before getting started with the Mend CLI SAST scan
The following prerequisites are required before running a Mend CLI SAST scan:
Provide the Mend CLI with access to read your application’s source code on a file system
Configure your Mend CLI SAST scan
The Mend CLI SAST scan is configurable via command line parameters, environment variables, and a dedicated JSON file. To learn more about our SAST-supported languages and configurations, visit our Configure the Mend CLI for SAST article.
Run your Mend CLI SAST scan
To trigger the Mend CLI SAST scan, execute the following command:
mend code
Note: Backwards compatibility is maintained for the previously used mend sast command. However, we recommend switching to the updated mend code command at your earliest convenience.
The usage of the mend code command is as follows:
mend code [flags]
View the steps of your Mend CLI SAST scan
The Mend CLI has four default steps you will see it complete before it displays its findings from the SAST scan:
| Step Name | Description |
|---|---|
| | The Mend CLI confirms whether you are on the latest version. |
| | If you are not on the latest version and auto-updates are enabled, the Mend CLI updates itself to the latest version. |
| | The Mend CLI tests the application files within the defined directory. |
| | An analysis is completed for every language the Mend CLI detects (or the languages defined in your configuration). If any weaknesses are found, the Mend CLI contacts the Mend SAST Application for information on these findings to prepare them for the scan summary. |
View your Mend CLI SAST scan results
Visit our View the results of your Mend CLI SAST scan article for more details on how to navigate the SAST findings provided by the Mend CLI.
Reference
Mend CLI SAST features
In this article, we cover the instructions on how to kick off a base Mend CLI SAST scan. We also offer examples of the Mend CLI SAST feature(s) below: