Configure the Mend CLI for SAST
Overview
Configuring the Mend CLI for a SAST scan can be done via command line parameters or environment variables.
Tip: For inline assistance, use the mend code -h or mend code --help commands.
Use cases for scanning your Code with the Mend CLI
Let’s look at the following real-life examples that industry personas commonly run into:
As an AppSec Manager, you are in charge of the decision-making for selecting a tool that can detect custom code weaknesses in your teams' applications and provide remediation suggestions. You also want to define your organization’s policies that can be utilized to control your teams' builds. Finally, you want to monitor the security posture of your organization’s custom code in the form of dashboards.
As a DevOps Engineer, you are tasked with implementing a security tool into your teams' CI/CD solutions that can provide insights on code weaknesses in your teams' applications directly within the pipeline console.
Mend’s Answer: Utilizing the Mend CLI SAST scan, you can effortlessly assess your custom code for security weaknesses and components that violate your organization’s defined policies. The results are conveniently presented in a well-organized table format within the Mend CLI or via dashboards in the Mend SAST Application, and can also be exported into reports in various supported file formats.
Configure the Mend CLI SAST scan via command line parameters
You can configure the Mend CLI SAST scan at runtime by adding flags to the mend code command. The usage of the mend code command is as follows:
mend code [flags]
Configure the Mend CLI SAST scan via environment variables
You can configure the Mend CLI SAST scan by defining environment variables. To define the variables in your environment, you can:
- Set environment variables prior to the Mend CLI run to persist between sessions:
  - In macOS and Linux, use a shell startup script.
  - In Windows, use the setx command: setx VARIABLE "MYVALUE"
- Set environment variables prior to the Mend CLI run, for the current session only:
  - In macOS and Linux, use the export command: export VARIABLE=value
  - In Windows, use the set command: set VARIABLE=value
Reference
Mend CLI SAST parameters
The Mend CLI SAST parameters provided below are organized alphabetically within each of their relevant contexts.
Note: Not all configuration types (Command Line, Environment Variable) exist for each parameter. The configuration type(s) will show "N/A" for a parameter if it is not available.
Mend CLI SAST - General scan parameters
Parameter | Description | Mend CLI Default Behavior |
---|---|---|
Command Line: | Optional. Specify the target directory for the Mend CLI SAST scan. | Current directory (“ |
Command Line: | Optional. Specifies which SAST engines should be used by their IDs. Omit this parameter for auto-recognition. For more information on supported languages and their engine IDs, please visit the Mend CLI SAST-supported languages and engine IDs section within this documentation. | Parameter is omitted, enabling language auto-recognition. |
Command Line: | Optional. Specifies which generation of Java detection engine is used to perform the scan. The available parameters are: | |
Command Line: | Optional. Specifies which generation of JavaScript detection engine is used to perform the scan. The available parameters are: | |
Command Line: | Optional. Specifies which generation of C# detection engine is used to perform the scan. The available parameters are: | |
Command Line: | Optional. Specifies which generation of Python detection engine is used to perform the scan. The available parameters are: | |
Command Line: | Optional. Specify the scan name. Auto-generated if omitted. | Parameter is omitted, causing the scan name to be auto-generated. |
Command Line: | Optional. Specify the number of processor units for multicore processing. On Linux, the CFS quota is applied. | |
Command Line: | Optional. Specify the number of automatic scan retries in case of failures. Retries ignore files where the scan got stuck in the previous attempt. | |
Mend CLI SAST - Incremental scan parameters
Parameter | Description | Mend CLI Default Behavior |
---|---|---|
Command Line: | Optional. Define the directory path of the baseline for future incremental scans. See | Incremental scans are disabled by default. |
Command Line: | Optional. Enable incremental scanning, which sets the Mend CLI to only check for code changes from the previous scan. This parameter requires an existing baseline (see | Incremental scans are disabled by default. |
Command Line: | Optional. Disable the creation of a baseline dump. | Incremental scans are disabled by default. |
Command Line: | Optional. Define the scan as a baseline for future incremental scans. The baseline will include minimum relevant fragments of code representation in order to enable incremental scans. | Incremental scans are disabled by default. |
Note: If --inc is used together with --upload-baseline, a full scan is executed when the previous baseline was created with an older version of the engine.
Mend CLI SAST - Log parameters
Tip: The Mend CLI SAST scan logs can be found locally in the .mend/logs/sast directory.
Parameter | Description | Mend CLI Default Behavior |
---|---|---|
Command Line: N/A | Optional. Define the local path where cached data is stored during a Mend SAST CLI scan. | Cached data is found locally in the |
Command Line: N/A | Optional. Define the verbosity of the Mend SAST CLI logs. The available values are: Note: Currently only available for the new generation of C#, Java, JavaScript and TypeScript engines. | |
Command Line: | Optional. Disable the submission of the Mend CLI SAST scan logs to Mend. | Parameter is omitted, causing the scan logs to be uploaded to Mend. |
Command Line: N/A | Optional. Define the amount of disk space in megabytes that is used for storing logs. If this limit is reached, the log files will be deleted automatically, starting with the oldest creation date. | |
Mend CLI SAST - Report parameters
Parameter | Description | Mend CLI Default Behavior |
---|---|---|
Command Line: | Optional. The SAST report filename. File extensions are automatically appended. See | Report creation is not enabled. |
Command Line: | Optional. SAST report file formats. This parameter requires enabling report creation (see | Report creation is not enabled. |
Command Line: | Optional. Enable the creation of reports containing the scan results. See | Report creation is not enabled. |
Command Line: N/A | Optional. Specify the granularity level of the generated report file. The available parameter values are: | The report is created with the Mend SAST report type set to “ |
Command Line: N/A | Optional. Specify the type of the generated compliance report. The available parameter values are: | The report is created with the Mend SAST report level set to “ |
Mend CLI SAST - Terminal view parameters
Parameter | Description | Mend CLI Default Behavior |
---|---|---|
Command Line: | Optional. Display the available parameters for the | Use this parameter on-demand to display the available parameters for the |
Command Line: | Optional. Mend CLI will run in non-interactive mode, suppressing use of colors, progress bars and any other graphic features in STDOUT. | Mend CLI output to STDOUT includes colors and progress bars, which are irrelevant in a non-interactive session and may cause issues in some environments. |
Mend CLI SAST - Threshold parameters (Policy)
You can set your build to fail by defining the threshold parameters provided below for the Mend CLI SAST scan. If your scan results violate the threshold parameters in place, the Mend CLI will exit with Exit Code 9.
Note: We recommend avoiding breaking builds unless you have carefully defined your thresholds and change management processes, as this can cause significant disruptions to existing workflows and create opposition to these changes.
The threshold parameters are only configurable by environment variables.
Parameter | Description | Mend CLI Default Behavior |
---|---|---|
Command Line: N/A Environment Variable: | Optional. Define the specific CWE IDs as a comma-separated list that will trigger Exit Code 9. | Parameter is omitted. |
Command Line: N/A Environment Variable: | Optional. Define the number of high-severity findings that will trigger Exit Code 9. | Parameter is omitted. |
Command Line: N/A Environment Variable: | Optional. Define the number of medium-severity findings which trigger Exit Code 9. | Parameter is omitted. |
Command Line: N/A Environment Variable: | Optional. Define the number of low-severity findings which trigger Exit Code 9. | Parameter is omitted. |
Command Line: N/A Environment Variable: | Optional. Define the Mend CLI SAST scan threshold based on new findings that violate any of the | Parameter is omitted. |
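The threshold parameters above and the exit-code table further down describe a contract rather than a workflow, so the following is an added example (not Mend's own code) of a POSIX shell wrapper a pipeline would put around the scan. It exports the thresholds, runs mend code with whatever flags the pipeline passes through, and maps the exit code to a verdict so that only a policy violation (Exit Code 9, as documented on this page) breaks the build by default, while engine or configuration failures are surfaced without failing the job unless explicitly requested. The variable names MEND_SAST_THRESHOLD_HIGH, MEND_SAST_THRESHOLD_MEDIUM and MEND_SAST_THRESHOLD_CWE are assumed names, since the page does not list them; MEND_SAST_THRESHOLD_RUNTIME is the legacy name mentioned in the timeout table. The threshold values are constructed for the example.

```shell
#!/bin/sh
# Added example: CI wrapper around the Mend CLI SAST scan.
# Exit Code 9 (policy violation) is documented on the page; every other
# non-zero exit code is treated here as a scan failure, not a policy failure.
set -u

# Export the threshold policy for the scan. Values are constructed examples;
# the _HIGH, _MEDIUM and _CWE variable names are assumptions, not taken from the page.
configure_thresholds() {
    export MEND_SAST_THRESHOLD_HIGH="${MEND_SAST_THRESHOLD_HIGH:-0}"        # assumed name: any high finding fails
    export MEND_SAST_THRESHOLD_MEDIUM="${MEND_SAST_THRESHOLD_MEDIUM:-5}"    # assumed name: more than 5 mediums fail
    export MEND_SAST_THRESHOLD_CWE="${MEND_SAST_THRESHOLD_CWE:-79,89}"      # assumed name: XSS and SQLi CWEs fail
    export MEND_SAST_THRESHOLD_RUNTIME="${MEND_SAST_THRESHOLD_RUNTIME:-60}" # legacy name from the page: minutes
}

# Map a Mend CLI exit code to a pipeline verdict.
classify_exit() {
    case "$1" in
        0) echo "pass" ;;
        9) echo "policy-violation" ;;
        *) echo "scan-error" ;;
    esac
}

# Return 0 (true) when the pipeline should fail for this exit code.
# By default only a policy violation breaks the build; set FAIL_ON_SCAN_ERROR=1
# to also fail on engine, license or configuration errors.
should_fail() {
    verdict=$(classify_exit "$1")
    case "$verdict" in
        pass) return 1 ;;
        policy-violation) return 0 ;;
        scan-error) [ "${FAIL_ON_SCAN_ERROR:-0}" = "1" ] ;;
    esac
}

# Run the scan with the configured thresholds; flags are passed through unchanged.
run_scan() {
    configure_thresholds
    mend code "$@"
    code=$?
    echo "mend code exited with $code ($(classify_exit "$code"))" >&2
    return "$code"
}

# Pipeline entry point: run the scan and turn the verdict into the job status.
main() {
    run_scan "$@"
    rc=$?
    if should_fail "$rc"; then
        echo "Failing the build: $(classify_exit "$rc")" >&2
        exit 1
    fi
    exit 0
}

# Only start a real scan when explicitly requested, so the functions above can be
# sourced and exercised without the Mend CLI installed.
if [ "${RUN_MEND_SCAN:-0}" = "1" ]; then
    main "$@"
fi
```

In a pipeline step, invoke the script with RUN_MEND_SCAN=1 and any mend code flags after it; the separation of classify_exit from should_fail keeps the "which codes break the build" decision in one place, which is what the note above about change management asks for.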
Mend CLI SAST - Scan Performance parameters
Parameter | Description | Mend CLI Default Behavior |
---|---|---|
Command Line: N/A Environment Variable: | Sets a maximum file size above which a file will be ignored during the scan. | 1024 KB |
Command Line: N/A | Specifies a comma-separated list of paths that are excluded from the analysis, typically test code or library paths. Note: Path exclusions specified for a scan in the CLI are only applicable for that particular scan. | |
Command Line: | If specified, default path exclusions predefined by Mend (which ignore e.g. library directories) are not taken into account. | |
Command Line: N/A | Optional. Configure the number of analysis steps of the type analysis for the Gen 2 engines. | Unlimited |
Mend CLI SAST - Timeout parameters
Parameter | Description | Mend CLI Default Behavior |
---|---|---|
Command Line: N/A | Optional. Define the timeout in minutes per language. If a language violates the defined timeout value, the Mend CLI will skip the language and continue on, resulting in a partial scan. | 480 minutes per language |
Command Line: N/A | Optional. Define the timeout in seconds per individual file. If a file violates the defined timeout value, the Mend CLI will skip the file and continue on, resulting in a partial scan. | The default depends on the analyzed programming language. |
Command Line: N/A | Optional. Define the scan runtime in minutes after which the Mend CLI triggers Exit Code 9. Note: MEND_SAST_THRESHOLD_RUNTIME is still supported to maintain backward compatibility. | 480 minutes |
Mend CLI SAST - Upload parameters
Parameter | Description | Mend CLI Default Behavior |
---|---|---|
Command Line: | Optional. Set the scan scope for your project by specifying the hierarchy for the Mend Application. The supported formats are: Examples of: The wild card character “*” can be used for any of the hierarchy levels. The default Mend CLI behavior will be used for any “*”. “CLI” will be the product used or created in place of the “*”. The organization currently logged into from the Notes: | Within the Mend Application, scans are tiered under an organization → application → project hierarchy. If Tip: Use the Mend CLI |
Command Line: | Optional. Specify the size of source code snippets (lines of code) submitted to the Mend Application. If | |
Command Line: | Optional. Add a unified platform project label to the scanned project. A set of comma-separated labels is also supported. Note: | No label applied |
Command Line: | Optional. Add a unified platform application label to the scanned application. A set of comma-separated labels is also supported. Note: | No label applied |
Mend CLI SAST-supported languages and engine IDs
The following languages and their associated engine IDs (see the -e, --engines parameter) are supported by the Mend CLI for SAST scans:
Engine ID | Language |
---|---|
Mend CLI SAST exit codes
Exit Code | Reason |
---|---|
| An invalid configuration parameter was passed when executing the CLI. Check for typos in the parameters. |
| Unable to access the update or license details from the Mend server URL. Check for internet connection. |
| Unable to detect a supported language within the project based on the file extensions provided. |
| Could not create a cache subdirectory in the same location as the Mend CLI. Check that the Mend CLI permissions include “create”. |
9 | Results contain too many vulnerabilities, which contravenes the defined policy (see the threshold parameters). |
| A scanning engine stalled or failed. |