
Scan your custom code (SAST) with the Mend CLI

Overview

The Mend CLI Static Application Security Testing (SAST) engine performs an extensive security analysis of application source code, which automates inspection as an alternative to the demanding and time-consuming procedure of manual code reviews.

Use cases for scanning your Code with the Mend CLI

Let’s look at the following real-life examples that industry personas commonly run into:

  • As an AppSec Manager, you are in charge of the decision-making for selecting a tool that can detect custom code weaknesses in your teams' applications and provide remediation suggestions. You also want to define your organization’s policies that can be utilized to control your teams' builds. Finally, you want to monitor the security posture of your organization’s custom code in the form of dashboards.

  • As a DevOps Engineer, you are tasked with implementing a security tool into your teams' CI/CD solutions that can provide insights on code weaknesses in your teams' applications directly within the pipeline console.

Mend’s Answer: Utilizing the Mend CLI SAST scan, you can effortlessly assess your custom code for security weaknesses and components that violate your organization’s defined policies. The results are conveniently presented in a well-organized table format within the Mend CLI or via dashboards in the Mend SAST Application, and can also be exported into reports in various supported file formats.

Getting it done

Prerequisites before getting started with the Mend CLI SAST scan

The following prerequisites are required before running a Mend CLI SAST scan:

Configure your Mend CLI SAST scan

The Mend CLI SAST scan is configurable via command line parameters, environment variables, and a dedicated JSON file. To learn more about our SAST-supported languages and configurations, visit our Configure the Mend CLI for SAST article.

Run your Mend CLI SAST scan

To trigger the Mend CLI SAST scan, execute the following command:

    mend code

Note: Backwards compatibility is maintained for the previously used mend sast command. However, we recommend switching to the updated mend code command at your earliest convenience.

The usage of the mend code command is as follows:

    mend code [flags]

View the steps of your Mend CLI SAST scan

The Mend CLI has four default steps you will see it complete before it displays its findings from the SAST scan:

Step Name: Description

Checking: The Mend CLI confirms whether you are on the latest version.

Updating: If you are not on the latest version and auto-updates are enabled, the Mend CLI updates itself to the latest version.

Testing: The Mend CLI tests the application files within the defined directory.

Analysis: An analysis is run for every language detected by the Mend CLI (or for the languages defined in your configuration). If any weaknesses are found, the Mend CLI contacts the Mend SAST Application for information on these findings and prepares them for the scan summary.

View your Mend CLI SAST scan results

Visit our View the results of your Mend CLI SAST scan article for more details on how to navigate the SAST findings provided by the Mend CLI.

Reference

Mend CLI SAST features

In this article, we cover the instructions on how to kick off a base Mend CLI SAST scan. We also offer examples of the Mend CLI SAST feature(s) below:
