
Code Scan Customization Candidates

Overview

Scan Rule Customization is a project-specific mechanism that allows you to increase the accuracy of your Code scans. Scan Customization Candidates serve as a complementary feature, whereby potential candidates for enhancing the rules are picked up during the scan and presented to the Mend.io Professional Services engineer via the Rule Customization UI, where they can be accepted or rejected.

Use-case

An organization uses a framework that Mend.io does not support out of the box. During the regular SAST scan, the code will be analyzed for any potential entry points/sources/sinks/sanitizers. These candidates will be presented to the Mend.io Professional Services engineer in the customization view and can be accepted to proactively increase the accuracy of the Code findings.

Limitations

  • Scan Customization Candidates cannot be edited; they can only be approved or rejected.

Getting it done

Note: Rule Customization can only be performed by Mend.io Professional Services engineers.

Please reach out to your Customer Success Manager at Mend.io to request this service.

AI Usage Toggle

Note: The Code Scan Customization toggle must be enabled for the Customization Candidates feature to be available.

Enable or disable AI-based Rule Customization for your Code scans using the Code Scan Customization toggle under the AI Usage section of your organization’s General Configuration.

If enabled, data about invocations of external libraries and method declarations in your source code is collected during the scan and will be shared with Mend.io’s AI model to improve the accuracy of your Code scans by suggesting candidates for further customization of the Code scan rules. Disable this option to prevent any information about your code from being shared with the model and turn off the candidate suggestions entirely.

  1. Navigate to the Administration page using the cogwheel drop-down menu:

     image-20250324-125949.png

  2. Under General Configuration, use the Code Scan Customization toggle to enable or disable the feature.

     image-20250326-111645.png

Note: Toggling these on means you consent to the use of AI for Code Findings Remediation and Code Scan Customization, respectively.

Supported Languages

Mend AI-based Code remediation supports the following languages and CWEs (Common Weakness Enumeration):

Language: C#, Java, JavaScript, Python, TypeScript

CWE:

  • CWE-22: Path Traversal

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-89: SQL Injection

  • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

  • CWE-117: Log Injection

  • CWE-502: Deserialization of Untrusted Data

  • CWE-601: Open Redirect

  • CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')

  • CWE-918: Server-Side Request Forgery (SSRF)
