Configure the Mend CLI for SAST

Overview

Configuring the Mend CLI for a SAST scan can be done via command line parameters or environment variables,.

Tip: For inline assistance, use the mend code -h or mend code --help commands.

Use cases for scanning your Code with the Mend CLI

Let’s look at the following real-life examples that industry personas commonly run into:

As an AppSec Manager, you are in charge of the decision-making for selecting a tool that can detect custom code weaknesses in your teams' applications and provide remediation suggestions. You also want to define your organization’s policies that can be utilized to control your teams' builds. Finally, you want to monitor the security posture of your organization’s custom code in the form of dashboards.
As a DevOps Engineer, you are tasked with implementing a security tool into your teams' CI/CD solutions that can provide insights on code weaknesses in your teams' applications directly within the pipeline console.

Mend’s Answer: Utilizing the Mend CLI SAST scan, you can effortlessly assess your custom code for security weaknesses and components that violate your organization’s defined policies. The results are conveniently presented in a well-organized table format within the Mend CLI or via dashboards in the Mend SAST Application, and can also be exported into reports in various supported file formats.

Configure the Mend CLI SAST scan via command line parameters

You can configure the Mend CLI SAST scan at runtime by adding flags to the mend code command. The usage of the mend sast command is as follows:

CODE

mend code [flags]

Configure the Mend CLI SAST scan via environment variables

You can configure the Mend CLI SAST scan by defining environment variables. To define the variables in your environment, you can:

Set environment variables prior to the Mend CLI run to persist between sessions:
- In MacOS and Linux, use a shell startup script
- In Windows, use the setx command.
  - setx VARIABLE "MYVALUE"
Set environment variables prior to the Mend CLI run, for the current session only:
- In MacOS and Linux, use the export command.
  - export VARIABLE=value
- In Windows, use the set command.
  - set VARIABLE=value

Reference

Mend CLI SAST parameters

The Mend CLI SAST parameters provided below are organized alphabetically within each of their relevant contexts.

Note: Not all configuration types (Command Line, Environment Variable) exist for each parameter. The configuration type(s) will have "N/A" for a parameter if it is not available.

Mend CLI SAST - General scan parameters

Parameter	Description	Mend CLI Default Behavior
Command Line: `-d, --dir` Environment Variable: `MEND_SAST_TARGET_DIRECTORY`	Optional. Specify the target directory for the Mend CLI SAST scan.	Current directory (“`.`") will be scanned.
Command Line: `-e, --engines` Environment Variable: `MEND_SAST_ENGINES`	Optional. Specifies which SAST engines should be used by their IDs. Omit this parameter for auto-recognition. For more information on supported langauges and their engine IDs, please visit the Mend CLI SAST-supported languages and engine IDs section within this documentation.	Parameter is omitted, enabling language auto-recognition.
Command Line: `--java-engine-generation` Env Variable: `MEND_SAST_JAVA_ENGINE_GENERATION`	Optional. Specifies which generation of Java detection engine is used to perform the scan. The available parameters are: `1` - Use Java engine generation 1 `2` - Use Java engine generation 2	`1`
Command Line: `--js-engine-generation` (short notation: `--js`) Env Variable: `MEND_SAST_JS_ENGINE_GENERATION`	Optional. Specifies which generation of JavaScript detection engine is used to perform the scan. The available parameters are: `1` - Use JavaScript engine generation 1 `2` - Use JavaScript engine generation 2	`1`
Command Line: `--csharp-engine-generation`(short notation: `--cs`) Env Variable: `MEND_SAST_CSHARP_ENGINE_GENERATION`	Optional. Specifies which generation of C# detection engine is used to perform the scan. The available parameters are: `1` - Use C# engine generation 1 `2` - Use C# engine generation 2	`1`
Command Line: `--python-engine-generation` (short notation: `--py`) Env Variable: `MEND_SAST_PYTHON_ENGINE_GENERATION`	Optional. Specifies which generation of Python detection engine is used to perform the scan. The available parameters are: `1` - Use Python engine generation 1 `2` - Use Python engine generation 2	`1`
Command Line: `-n, --name` Environment Variable: `MEND_SAST_SCAN_NAME`	Optional. Specify the scan name. Auto-generated if omitted.	Parameter is omitted, causing the scan name to be auto-generated.
Command Line: `--num-cpu` Environment Variable: `CPU_NUMBER`	Optional. Specify the number of processor units for multicore processing. On Linux CFS, quota is applied.	`8`
Command Line: `--retries` Environment Variable: `MEND_SAST_SCAN_RETRIES`	Optional. Specify the number of automatic scan retries in case of failures. Retries ignore files where the scan got stuck in the previous attempt.	`0`

Mend CLI SAST - Incremental scan parameters

Parameter	Description	Mend CLI Default Behavior
Command Line: `--baseline-storage` Environment Variable: `MEND_SAST_BASELINE_STORAGE`	Optional. Define the directory path of the baseline for future incremental scans. See `--upload-baseline` for more details	Incremental scans are disabled by default.
Command Line: `-i, --inc` Environment Variable: `MEND_SAST_INCREMENTAL_SCAN`	Optional. Enable incremental scanning, which sets the Mend CLI to only check for code changes from the previous scan. This parameter requires an existing baseline (see `--upload-baseline`).	Incremental scans are disabled by default.
Command Line: `--no-baseline` Environment Variable:	Optional. Disable the creation of a baseline dump.	Incremental scans are disabled by default.
Command Line: `--upload-baseline` Environment Variable: `MEND_SAST_UPLOAD_BASELINE`	Optional. Define the scan as a baseline for future incremental scans. The baseline will include minimum relevant fragments of code representation in order to enable incremental scans.	Incremental scans are disabled by default.

Note:

If --inc is used together with --upload-baseline, a full scan is executed when the previous baseline was created with an older version of the engine.

Mend CLI SAST - Log parameters

Tip: The Mend CLI SAST scan logs can be found locally in the .mend/logs/sast directory.

Parameter	Description	Mend CLI Default Behavior
Command Line: N/A Environment Variable: `MEND_SAST_CACHE_PATH`	Optional. Define the local path where cached data is stored during a Mend SAST CLI scan.	Cached data is found locally in the `.mend/storage/sast` directory.
Command Line: N/A Environment Variable: `MEND_LOG_LEVEL`	Optional. Define the verbosity of the Mend SAST CLI logs. The available values are: `DEBUG` - Includes additional scan behavior that can help with troubleshooting. `INFO` - Includes basic scan behavior. Note: Currently only available for the new generation of C#, Java, JavaScript and TypeScript	`INFO`
Command Line: `--no-logs` Environment Variable: `MEND_SAST_NO_LOGS`	Optional. Disable the submission of the Mend CLI SAST scan logs to Mend.	Parameter is omitted, causing the scan logs to be uploaded to Mend.
Command Line: N/A Environment Variable: `MEND_SAST_STORAGE_LIMIT`	Optional. Define the amount of disc size in megabytes that is used for storing logs. If this limit is reached, the log files will be deleted automatically, starting with the oldest created date.	`2048 MB`

Mend CLI SAST - Report parameters

Parameter	Description	Mend CLI Default Behavior
Command Line: `--filename` Environment Variable: `MEND_SAST_REPORT_FILENAME`	Optional. The SAST report filename. File extensions are automatically appended. See `-r, --report` and `--formats` parameters for report creation.	Report creation is not enabled.
Command Line: `--formats` Environment Variable: `MEND_SAST_REPORT_FORMATS`	Optional. SAST report file formats. This parameter requires enabling report creation (see `-r, --report`). The available parameter values are: `html` `pdf` `xml` `json` `csv` `sarif`	Report creation is not enabled.
Command Line: `-r, --report` Environment Variable: `MEND_SAST_GENERATE_REPORT`	Optional. Enable the creation of reports containing the scan results. See `--formats` parameter for supported file formats.	Report creation is not enabled.
Command Line: N/A Environment Variable: `MEND_SAST_REPORT_LEVEL`	Optional. Specify the granularity level of the generated report file. The available parameter values are: `"short"` - Short technical report that does not include vulnerability data flows. `"summary"` - Summary report with no individual vulnerability details. `"technical"` - Full technical report.	The report is created with the Mend SAST report type set to “`technical`".
Command Line: N/A Environment Variable: `MEND_SAST_REPORT_TYPE`	Optional. Specify the type of the generated compliance report. The available parameter values are: `"CAPEC"` `"Default"` `"HIPAA"` `"HITRUST"` `"NIST"` `"OWASP2021"` `"OWASP2017"` `"PCI"` `"SANS"`	The report is created with the Mend SAST report level set to “`Default`".

Mend CLI SAST - Terminal view parameters

Parameter	Description	Mend CLI Default Behavior
Command Line: `-h, --help` Environment Variable: N/A	Optional. Display the available parameters for the `mend code` command.	Use this parameter on-demand to display the available parameters for the `mend code` command.
Command Line: `--non-interactive` Environment Variable: N/A	Optional. Mend CLI will run in non-interactive mode, suppressing use of colors, progress bar and any other graphic features in STDOUT.	Mend CLI output to STDOUT includes use of colors and progress bars, which are irrelevant in non-interactive session and may cause issues in some environments.

Mend CLI SAST - Threshold parameters (Policy)

You can set your build to fail by defining the threshold parameters provided below for the Mend CLI SAST scan. If your scan results violate the threshold parameters in place, the Mend CLI will exit with Exit Code 9.

Note:

We recommend avoiding breaking builds unless you have carefully defined your thresholds and change management processes, as this can cause significant disruptions to existing workflows and create opposition to these changes.
The threshold parameters are only configurable by environment variables.

Parameter	Description	Mend CLI Default Behavior
Command Line: N/A Environment Variable: `MEND_SAST_THRESHOLD_CWE`	Optional. Define the specific CWE IDs as a comma-separated list that will trigger Exit Code 9.	Parameter is omitted.
Command Line: N/A Environment Variable: `MEND_SAST_THRESHOLD_HIGH`	Optional. Define the number of high-severity findings that will trigger Exit Code 9.	Parameter is omitted.
Command Line: N/A Environment Variable: `MEND_SAST_THRESHOLD_MEDIUM`	Optional. Define the number of medium-severity findings which trigger Exit Code 9.	Parameter is omitted.
Command Line: N/A Environment Variable: `MEND_SAST_THRESHOLD_LOW`	Optional. Define the number of low-severity findings which trigger Exit Code 9.	Parameter is omitted.
Command Line: N/A Environment Variable: `MEND_SAST_THRESHOLD_ONLY_NEW`	Optional. Define the Mend CLI SAST scan threshold based on new findings that violate any of the `HIGH`, `MEDIUM`, and `LOW` thresholds. The available values are: `FALSE` - `TRUE` - Scan will exit with Exit Code 9 only if it detects new findings that violate any of the defined `HIGH`, `MEDIUM`, and `LOW` thresholds.	Parameter is omitted.

Mend CLI SAST - Scan Performance parameters

Parameter	Description	Mend CLI Default Behavior
Command Line: N/A Environment Variable: `MEND_SAST_MAX_FILE_SIZE`	Sets a maximum file size above which a file will be ignored during the scan. Default is 1024 KB	Command Line: N/A Environment Variable: `MEND_SAST_MAX_FILE_SIZE`
Command Line: N/A Environment Variable: `MEND_SAST_PATH_EXCLUSIONS`	Specifies a comma separated list of paths that are excluded from the analysis, typically test code or library paths Specified path exclusions will be stored in the configuration of the scanned Application, so it is only necessary to specify them once.	Command Line: N/A Environment Variable: `MEND_SAST_PATH_EXCLUSIONS`
Command Line: `--no-default-exclusions` Environment Variable: `MEND_SAST_NO_DEFAULT_EXCLUSIONS`	If specified, default path exclusions predefined by Mend (which ignore e.g. library directories) are not taken into account.	Command Line: `--no-default-exclusions` Environment Variable: `MEND_SAST_NO_DEFAULT_EXCLUSIONS`
Command Line: N/A Environment Variable: `MEND_SAST_CONFIG_MAX_TYPE_ANALYSIS_STEPS`	Optional. Configure the number of analysis steps of the type analysis for the Gen 2 engines. Default: Unlimited	Command Line: N/A Environment Variable: `MEND_SAST_CONFIG_MAX_TYPE_ANALYSIS_STEPS`

Mend CLI SAST - Timeout parameters

Parameter	Description	Mend CLI Default Behavior
Command Line: N/A Environment Variable: `MEND_SAST_TIMEOUT_LANGUAGE`	Optional. Define the timeout in minutes per language. If a language violates the defined timeout value, the Mend CLI will skip the language and continue on, resulting in a partial scan.	480 minutes per language
Command Line: N/A Environment Variable: `MEND_SAST_TIMEOUT_FILE`	Optional. Define the timeout in seconds per individual file. If a file violates the defined timeout value, the Mend CLI will skip the file and continue on, resulting in a partial scan.	The default depends on the analyzed programming language.
Command Line: N/A Environment Variable: `MEND_SAST_TIMEOUT_TOTAL`	Optional. Define the number of minutes that running a scan will trigger Exit Code 9. Note: MEND_SAST_THRESHOLD_RUNTIME is still supported to maintain backward compatibility.	480 minutes

Mend CLI SAST - Upload parameters

Parameter	Description	Mend CLI Default Behavior
Command Line: `-s, --scope` Environment Variable: N/A	Optional. Set the scan scope for your project by specifying the hierarchy for the Mend Application. The supported formats are: Full hierarchy: `-s "ORG//APP//PROJ"` Partial hierarchy: `-s "APP//PROJ"` Single hierarchy: `-s "PROJ"` Examples of `--scope` configuration: Application-Project scope with single quotes: CODE `mend code -s 'MyApp//MyProj' -u` Org-Application-Project scope with double quotes: CODE `mend code -s "My Org//My App//My Proj" -u` The wild card character “” can be used for any of the hierarchy levels. The default Mend CLI* behavior will be used for any “”. Product-Project scope using “”: CODE `mend dep -s '//MyProj' -u` “CLI” will be the product* used or created in place of the “”. Org-Product-Project scope using “”: CODE `mend dep -s "//My Prod//" -u` The organization currently logged into from the `mend auth login` command setup will be used for the first “” and for the second “”, the project will be created and named after either: The folder specified in the `--dir` command. If `--dir` is not specified, the name will be the directory where the Mend CLI ran from. Notes: Make sure to set the `--scope` value within either single or double quotes (`'My Project'` or `“My Project"`). You are able to set the Org scope to any Mend organization that the current user signed in as (via `mend auth login`) has access to. If you set an application or project name in `--scope` that does not exist in the organization prior to the run, it will be created in the Mend Application after the Mend CLI completes the scan if you have the necessary permissions/role.	Within the Mend Application, scans are tiered under an organization → application → project hierarchy. If `--scope` is not set, the scan results will be sent and categorized within the Mend Application as follows: The organization currently logged into from the `mend auth login` command setup. Tip: Use the Mend CLI `mend auth info` command to see what organization you are connected to. An application will be created and named “`CLI`". A project will be created and named after either: The folder specified in the `--dir` command. If `--dir` is not specified, the name will be the directory where the Mend CLI ran from.
Command Line: `--snippet-size` Environment Variable: `MEND_SAST_SNIPPET_SIZE`	Optional. Specify the size of source code snippets (lines of code) submitted to the Mend Application. If `--snippet-size` is set to 0, no source code snippets will be uploaded to Mend.	`10`
Command Line: `--label-proj <label>`	Optional. Add a unified platform project label to the scanned project. Set of comma-separated labels is also supported. Note: Label will be assigned only when --update flag is used.	No label applied
Command Line: `--label-app <label>`	Optional. Add a unified platform application label to the scanned application. Set of comma-separated labels is also supported. Note: Label will be assigned only when --update flag is used.	No label applied

Mend CLI SAST-supported languages and engine IDs

The following languages and their associated engine IDs (see -e, --engines parameter) are supported by the Mend CLI for SAST scans:

Engine ID	Language
`1`	Java
`2`	C#
`3`	PHP
`4`	Python
`5`	Ruby
`6`	ASP Classic/Visual Basic/VBScript
`7`	VB Shop
`8`	JavaScript / Node.js
`9`	PLSQL
`10`	Android Java
`11`	iOS Objective-C
`12`	C/C++
`13`	ColdFusion
`14`	Groovy
`15`	TypeScript
`16`	Cobol
`17`	ABAP
`18`	Go
`19`	Swift
`20`	Apex
`21`	Kotlin
`22`	Xamarin (C#)
`23`	Kotlin Mobile
`24`	R
`101`	Java, gen 2
`102`	C#, gen 2
`108`	JavaScript, gen 2 / TypeScript, gen 2

Mend CLI SAST exit codes

Exit Code	Reason
`1`	An invalid configuration parameter was passed when executing the CLI. Check for typos in the parameters.
`2`	Unable to access the update or license details from the Mend server URL. Check for internet connection.
`4`	Unable to detect a supported language within the project based on the file extensions provided.
`7`	Could not create a cache subdirectory in the same location as the Mend CLI. Check that the Mend CLI permissions include “create”.
`9`	Results contain too many vulnerabilities, which contravenes the defined policy.
`10`	A scanning engine stalled or failed.