Skip to main content
Skip table of contents

Configure the Mend CLI for SAST

Overview

Configuring the Mend CLI for a SAST scan can be done via command line parameters or environment variables,.

Tip: For inline assistance, use the mend code -h or mend code --help commands.

Use cases for scanning your Code with the Mend CLI

Let’s look at the following real-life examples that industry personas commonly run into:

  • As an AppSec Manager, you are in charge of the decision-making for selecting a tool that can detect custom code weaknesses in your teams' applications and provide remediation suggestions. You also want to define your organization’s policies that can be utilized to control your teams' builds. Finally, you want to monitor the security posture of your organization’s custom code in the form of dashboards.

  • As a DevOps Engineer, you are tasked with implementing a security tool into your teams' CI/CD solutions that can provide insights on code weaknesses in your teams' applications directly within the pipeline console.

Mend’s Answer: Utilizing the Mend CLI SAST scan, you can effortlessly assess your custom code for security weaknesses and components that violate your organization’s defined policies. The results are conveniently presented in a well-organized table format within the Mend CLI or via dashboards in the Mend SAST Application, and can also be exported into reports in various supported file formats.

Configure the Mend CLI SAST scan via command line parameters

You can configure the Mend CLI SAST scan at runtime by adding flags to the mend code command. The usage of the mend sast command is as follows:

CODE
mend code [flags]
eb470fbc-d638-44f8-ab14-4330117779d3.gif

Configure the Mend CLI SAST scan via environment variables

You can configure the Mend CLI SAST scan by defining environment variables. To define the variables in your environment, you can:

  • Set environment variables prior to the Mend CLI run to persist between sessions:

    • In MacOS and Linux, use a shell startup script

    • In Windows, use the setx command.

      • setx VARIABLE "MYVALUE"

  • Set environment variables prior to the Mend CLI run, for the current session only:

    • In MacOS and Linux, use the export command.

      • export VARIABLE=value

    • In Windows, use the set command.

      • set VARIABLE=value

Reference

Mend CLI SAST parameters

The Mend CLI SAST parameters provided below are organized alphabetically within each of their relevant contexts.

Note: Not all configuration types (Command Line, Environment Variable) exist for each parameter. The configuration type(s) will have "N/A" for a parameter if it is not available.

Mend CLI SAST - General scan parameters

Parameter

Description

Mend CLI Default Behavior

Command Line: -d, --dir
Environment Variable: MEND_SAST_TARGET_DIRECTORY

Optional. Specify the target directory for the Mend CLI SAST scan.

Current directory (“.") will be scanned.

Command Line: -e, --engines
Environment Variable: MEND_SAST_ENGINES

Optional. Specifies which SAST engines should be used by their IDs. Omit this parameter for auto-recognition.

For more information on supported langauges and their engine IDs, please visit the Mend CLI SAST-supported languages and engine IDs section within this documentation.

Parameter is omitted, enabling language auto-recognition.

Command Line: --java-engine-generation
Env Variable: MEND_SAST_JAVA_ENGINE_GENERATION

Optional. Specifies which generation of Java detection engine is used to perform the scan. The available parameters are:

  • 1 - Use Java engine generation 1

  • 2 - Use Java engine generation 2

1

Command Line: --js-engine-generation (short notation: --js)
Env Variable: MEND_SAST_JS_ENGINE_GENERATION

Optional. Specifies which generation of JavaScript detection engine is used to perform the scan. The available parameters are:

  • 1 - Use JavaScript engine generation 1

  • 2 - Use JavaScript engine generation 2

1

Command Line: --csharp-engine-generation(short notation: --cs)
Env Variable: MEND_SAST_CSHARP_ENGINE_GENERATION

Optional. Specifies which generation of C# detection engine is used to perform the scan. The available parameters are:

  • 1 - Use C# engine generation 1

  • 2 - Use C# engine generation 2

1

Command Line: --python-engine-generation (short notation: --py)
Env Variable: MEND_SAST_PYTHON_ENGINE_GENERATION

Optional. Specifies which generation of Python detection engine is used to perform the scan. The available parameters are:

  • 1 - Use Python engine generation 1

  • 2 - Use Python engine generation 2

1

Command Line: -n, --name
Environment Variable: MEND_SAST_SCAN_NAME

Optional. Specify the scan name. Auto-generated if omitted.

Parameter is omitted, causing the scan name to be auto-generated.

Command Line: --num-cpu
Environment Variable: CPU_NUMBER

Optional. Specify the number of processor units for multicore processing. On Linux CFS, quota is applied.

8

Command Line: --retries
Environment Variable: MEND_SAST_SCAN_RETRIES

Optional. Specify the number of automatic scan retries in case of failures. Retries ignore files where the scan got stuck in the previous attempt.

0

Command Line: -t, --template
Environment Variable: MEND_SAST_TEMPLATE

Optional. Specify the scan configuration template created in the Mend Application.

This parameter is omitted, so the scan uses the Mend predefined configuration for each Langauge (engine ID) identified.

Mend CLI SAST - Incremental scan parameters

Parameter

Description

Mend CLI Default Behavior

Command Line: --baseline-storage
Environment Variable: MEND_SAST_BASELINE_STORAGE

Optional. Define the directory path of the baseline for future incremental scans. See --upload-baseline for more details

Incremental scans are disabled by default.

Command Line: -i, --inc
Environment Variable: MEND_SAST_INCREMENTAL_SCAN

Optional. Enable incremental scanning, which sets the Mend CLI to only check for code changes from the previous scan. This parameter requires an existing baseline (see --upload-baseline).

Incremental scans are disabled by default.

Command Line: --no-baseline
Environment Variable:

Optional. Disable the creation of a baseline dump.

Incremental scans are disabled by default.

Command Line: --upload-baseline
Environment Variable: MEND_SAST_UPLOAD_BASELINE

Optional. Define the scan as a baseline for future incremental scans. The baseline will include minimum relevant fragments of code representation in order to enable incremental scans.

Incremental scans are disabled by default.

Note:

  • If --inc is used together with --upload-baseline, a full scan is executed when the previous baseline was created with an older version of the engine.

Mend CLI SAST - Log parameters

Tip: The Mend CLI SAST scan logs can be found locally in the .mend/logs/sast directory.

Parameter

Description

Mend CLI Default Behavior

Command Line: N/A
Environment Variable: MEND_SAST_CACHE_PATH

Optional. Define the local path where cached data is stored during a Mend SAST CLI scan.

Cached data is found locally in the .mend/storage/sast directory.

Command Line: N/A
Environment Variable: MEND_LOG_LEVEL

Optional. Define the verbosity of the Mend SAST CLI logs. The available values are:

  • DEBUG - Includes additional scan behavior that can help with troubleshooting.

  • INFO - Includes basic scan behavior.

Note: Currently only available for the new generation of C#, Java, JavaScript and TypeScript

INFO

Command Line: --no-logs
Environment Variable: MEND_SAST_NO_LOGS

Optional. Disable the submission of the Mend CLI SAST scan logs to Mend.

Parameter is omitted, causing the scan logs to be uploaded to Mend.

Command Line: N/A
Environment Variable: MEND_SAST_STORAGE_LIMIT

Optional. Define the amount of disc size in megabytes that is used for storing logs. If this limit is reached, the log files will be deleted automatically, starting with the oldest created date.

2048 MB

Mend CLI SAST - Report parameters

Parameter

Description

Mend CLI Default Behavior

Command Line: --filename
Environment Variable: MEND_SAST_REPORT_FILENAME

Optional. The SAST report filename. File extensions are automatically appended. See -r, --report and --formats parameters for report creation.

Report creation is not enabled.

Command Line: --formats
Environment Variable: MEND_SAST_REPORT_FORMATS

Optional. SAST report file formats. This parameter requires enabling report creation (see -r, --report).
The available parameter values are:

  • html

  • pdf

  • xml

  • json

  • csv

  • sarif

Report creation is not enabled.

Command Line: -r, --report
Environment Variable: MEND_SAST_GENERATE_REPORT

Optional. Enable the creation of reports containing the scan results. See --formats parameter for supported file formats.

Report creation is not enabled.

Command Line: N/A
Environment Variable: MEND_SAST_REPORT_LEVEL

Optional. Specify the granularity level of the generated report file. The available parameter values are:

  • "short" - Short technical report that does not include vulnerability data flows.

  • "summary" - Summary report with no individual vulnerability details.

  • "technical" - Full technical report.

The report is created with the Mend SAST report type set to “technical".

Command Line: N/A
Environment Variable: MEND_SAST_REPORT_TYPE

Optional. Specify the type of the generated compliance report. The available parameter values are:

  • "CAPEC"

  • "Default"

  • "HIPAA"

  • "HITRUST"

  • "NIST"

  • "OWASP2021"

  • "OWASP2017"

  • "PCI"

  • "SANS"

The report is created with the Mend SAST report level set to “Default".

Mend CLI SAST - Terminal view parameters

Parameter

Description

Mend CLI Default Behavior

Command Line: -h, --help
Environment Variable: N/A

Optional. Display the available parameters for the mend code command.

Use this parameter on-demand to display the available parameters for the mend code command.

Command Line: --non-interactive
Environment Variable: N/A

Optional. Mend CLI will run in non-interactive mode, suppressing use of colors, progress bar and any other graphic features in STDOUT.

Mend CLI output to STDOUT includes use of colors and progress bars, which are irrelevant in non-interactive session and may cause issues in some environments.

Mend CLI SAST - Threshold parameters (Policy)

You can set your build to fail by defining the threshold parameters provided below for the Mend CLI SAST scan. If your scan results violate the threshold parameters in place, the Mend CLI will exit with Exit Code 9.

Note:

  • We recommend avoiding breaking builds unless you have carefully defined your thresholds and change management processes, as this can cause significant disruptions to existing workflows and create opposition to these changes.

  • The threshold parameters are only configurable by environment variables.

Parameter

Description

Mend CLI Default Behavior

Command Line: N/A

Environment Variable: MEND_SAST_THRESHOLD_CWE

Optional. Define the specific CWE IDs as a comma-separated list that will trigger Exit Code 9.

Parameter is omitted.

Command Line: N/A

Environment Variable: MEND_SAST_THRESHOLD_HIGH

Optional. Define the number of high-severity findings that will trigger Exit Code 9.

Parameter is omitted.

Command Line: N/A

Environment Variable: MEND_SAST_THRESHOLD_MEDIUM

Optional. Define the number of medium-severity findings which trigger Exit Code 9.

Parameter is omitted.

Command Line: N/A

Environment Variable: MEND_SAST_THRESHOLD_LOW

Optional. Define the number of low-severity findings which trigger Exit Code 9.

Parameter is omitted.

Command Line: N/A

Environment Variable: MEND_SAST_THRESHOLD_ONLY_NEW

Optional. Define the Mend CLI SAST scan threshold based on new findings that violate any of the HIGH, MEDIUM, and LOW thresholds. The available values are:

  • FALSE -

  • TRUE - Scan will exit with Exit Code 9 only if it detects new findings that violate any of the defined HIGH, MEDIUM, and LOW thresholds.

Parameter is omitted.

Mend CLI SAST - Scan Performance parameters

Parameter

Description

Mend CLI Default Behavior

Command Line: N/A

Environment Variable: MEND_SAST_MAX_FILE_SIZE

Sets a maximum file size above which a file will be ignored during the scan. Default is 1024 KB

Command Line: N/A

Environment Variable: MEND_SAST_MAX_FILE_SIZE

Command Line: N/A
Environment Variable: MEND_SAST_PATH_EXCLUSIONS

Specifies a comma separated list of paths that are excluded from the analysis, typically test code or library paths

Specified path exclusions will be stored in the configuration of the scanned Application, so it is only necessary to specify them once.

Command Line: N/A
Environment Variable: MEND_SAST_PATH_EXCLUSIONS

Command Line: --no-default-exclusions
Environment Variable: MEND_SAST_NO_DEFAULT_EXCLUSIONS

If specified, default path exclusions predefined by Mend (which ignore e.g. library directories) are not taken into account.

Command Line: --no-default-exclusions
Environment Variable: MEND_SAST_NO_DEFAULT_EXCLUSIONS

Command Line: N/A
Environment Variable: MEND_SAST_CONFIG_MAX_TYPE_ANALYSIS_STEPS

Optional. Configure the number of analysis steps of the type analysis for the Gen 2 engines. Default: Unlimited

Command Line: N/A
Environment Variable: MEND_SAST_CONFIG_MAX_TYPE_ANALYSIS_STEPS

Mend CLI SAST - Timeout parameters

Parameter

Description

Mend CLI Default Behavior

Command Line: N/A
Environment Variable: MEND_SAST_TIMEOUT_LANGUAGE

Optional. Define the timeout in minutes per language. If a language violates the defined timeout value, the Mend CLI will skip the language and continue on, resulting in a partial scan.

480 minutes per language

Command Line: N/A
Environment Variable: MEND_SAST_TIMEOUT_FILE

Optional. Define the timeout in seconds per individual file. If a file violates the defined timeout value, the Mend CLI will skip the file and continue on, resulting in a partial scan.

The default depends on the analyzed programming language.

Command Line: N/A
Environment Variable: MEND_SAST_TIMEOUT_TOTAL

Optional. Define the number of minutes that running a scan will trigger Exit Code 9.

Note: MEND_SAST_THRESHOLD_RUNTIME is still supported to maintain backward compatibility.

480 minutes

Mend CLI SAST - Upload parameters

Parameter

Description

Mend CLI Default Behavior

Command Line: -s, --scope
Environment Variable: N/A

Optional. Set the scan scope for your project by specifying the hierarchy for the Mend Application.

The supported formats are:

  • Full hierarchy: -s "ORG//APP//PROJ"

  • Partial hierarchy: -s "APP//PROJ"

  • Single hierarchy: -s "PROJ"

Examples of --scope configuration:

  • Application-Project scope with single quotes:

    CODE
    mend code -s 'MyApp//MyProj' -u
  • Org-Application-Project scope with double quotes:

    CODE
    mend code -s "My Org//My App//My Proj" -u

The wild card character “*” can be used for any of the hierarchy levels. The default Mend CLI behavior will be used for any “*”.

  • Product-Project scope using “*”:

CODE
mend dep -s '*//MyProj' -u

“CLI” will be the product used or created in place of the “*”.

  • Org-Product-Project scope using “*”:

CODE
mend dep -s "*//My Prod//*" -u

The organization currently logged into from the mend auth login command setup will be used for the first “*” and for the second “*”, the project will be created and named after either:

  • The folder specified in the --dir command.

  • If --dir is not specified, the name will be the directory where the Mend CLI ran from.

Notes:

  • Make sure to set the --scope value within either single or double quotes ('My Project' or “My Project").

  • You are able to set the Org scope to any Mend organization that the current user signed in as (via mend auth login) has access to.

  • If you set an application or project name in --scope that does not exist in the organization prior to the run, it will be created in the Mend Application after the Mend CLI completes the scan if you have the necessary permissions/role.

Within the Mend Application, scans are tiered under an organization → application → project hierarchy.

If --scope is not set, the scan results will be sent and categorized within the Mend Application as follows:

  • The organization currently logged into from the mend auth login command setup.

Tip: Use the Mend CLI mend auth info command to see what organization you are connected to.

  • An application will be created and named “CLI".

  • A project will be created and named after either:

    • The folder specified in the --dir command.

    • If --dir is not specified, the name will be the directory where the Mend CLI ran from.

Command Line: --snippet-size
Environment Variable: MEND_SAST_SNIPPET_SIZE

Optional. Specify the size of source code snippets (lines of code) submitted to the Mend Application. If --snippet-size is set to 0, no source code snippets will be uploaded to Mend.

10

Command Line: --label-proj <label>

Optional. Add a unified platform project label to the scanned project. Set of comma-separated labels is also supported.

Note:

  • Label will be assigned only when --update flag is used.

No label applied

Command Line: --label-app <label>

Optional. Add a unified platform application label to the scanned application. Set of comma-separated labels is also supported.

Note:

  • Label will be assigned only when --update flag is used.

No label applied

Mend CLI SAST-supported languages and engine IDs

The following languages and their associated engine IDs (see -e, --engines parameter) are supported by the Mend CLI for SAST scans:

Mend CLI SAST exit codes

Exit Code

Reason

1

An invalid configuration parameter was passed when executing the CLI. Check for typos in the parameters.

2

Unable to access the update or license details from the Mend server URL. Check for internet connection.

4

Unable to detect a supported language within the project based on the file extensions provided.

7

Could not create a cache subdirectory in the same location as the Mend CLI. Check that the Mend CLI permissions include “create”.

9

Results contain too many vulnerabilities, which contravenes the defined policy.

10

A scanning engine stalled or failed.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.