Customize your Code Scan Configuration
Overview
Effective security management in large enterprises requires a streamlined and scalable approach to configuring code scans. To obtain consistent and comparable risk data across all projects, Mend offers two levels of configuration for Code Scans (SAST): a global configuration that applies across the organization, and a project-level configuration for individual projects.
Global Configuration for Code Scans
The global configuration feature allows AppSec Managers to centrally manage scan configurations for all projects within an organization. This approach ensures uniformity and consistency, making it easier to maintain security standards across different projects. Key capabilities include:
Centralized Management: A dedicated section within the administration interface to add, edit, or delete scan configurations.
General Configuration: A lightweight, language-independent configuration page listing all Common Weakness Enumerations (CWEs) supported by Mend, allowing for quick selection of desired CWEs.
Language-Specific Configuration: Fine-tune settings per programming language or add custom sources, sinks, and sanitizers.
Default Path Exclusions: Manage path exclusions to streamline scans and reduce noise.
Predefined Mend Configurations: Utilize predefined configurations tailored for various compliance standards (e.g., PCI, OWASP Top 10) or specific application types (e.g., web apps, CLI).
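To make concrete what the language-specific sources, sinks and sanitizers above control, here is an added example that is not Mend's code and does not use Mend's configuration format: a minimal intraprocedural taint tracker over the Python AST, run against a constructed sample function with and without a custom sanitizer registered. The `TaintRules` structure and the dotted rule names (`request.args.get`, `cursor.execute`, `render`, `html.escape`) are assumptions made for the illustration.

```python
"""
Why a SAST scan needs per-language source/sink/sanitizer rules.
Added illustration, not Mend's code or configuration format: a minimal
intraprocedural taint tracker over the Python AST. Rule names are assumed
dotted call names; the sample function below is constructed for the demo.
"""
import ast
from dataclasses import dataclass, field


@dataclass
class TaintRules:
    """Stand-in for a language-specific rule set (structure is an assumption)."""
    sources: set = field(default_factory=set)      # calls that introduce untrusted data
    sinks: set = field(default_factory=set)        # calls that must not receive it
    sanitizers: set = field(default_factory=set)   # calls whose output is trusted


def call_name(node):
    """Dotted name of a call target, e.g. 'request.args.get'; None if dynamic."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def is_tainted(expr, tainted, rules):
    """True if evaluating `expr` yields untrusted data under `rules`."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Attribute):
        return is_tainted(expr.value, tainted, rules)
    if isinstance(expr, ast.Call):
        name = call_name(expr)
        if name in rules.sources:
            return True
        if name in rules.sanitizers:          # a sanitizer's result is trusted
            return False
        return any(is_tainted(a, tainted, rules) for a in expr.args)
    if isinstance(expr, ast.BinOp):           # "..." + name + "..."
        return is_tainted(expr.left, tainted, rules) or is_tainted(expr.right, tainted, rules)
    if isinstance(expr, ast.JoinedStr):       # f"... {name} ..."
        return any(isinstance(v, ast.FormattedValue) and is_tainted(v.value, tainted, rules)
                   for v in expr.values)
    return False


def find_taint_flows(source_code, rules):
    """Return (function, line, sink) for every sink fed by unsanitized source data."""
    findings = []
    for func in ast.walk(ast.parse(source_code)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()                       # variable names holding untrusted data
        for stmt in func.body:
            # Check sinks first: the right-hand side is evaluated before assignment.
            for node in ast.walk(stmt):
                if isinstance(node, ast.Call) and call_name(node) in rules.sinks:
                    if any(is_tainted(a, tainted, rules) for a in node.args):
                        findings.append((func.name, stmt.lineno, call_name(node)))
            # Then propagate taint through simple single-target assignments.
            if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                    and isinstance(stmt.targets[0], ast.Name)):
                if is_tainted(stmt.value, tainted, rules):
                    tainted.add(stmt.targets[0].id)
                else:
                    tainted.discard(stmt.targets[0].id)
    return findings


# Constructed sample: one SQL sink and two HTML-render sinks.
SAMPLE = '''
def show_user(request, cursor):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
    safe = html.escape(name)
    render(safe)
    render(name)
'''

# Generic rule set: the scanner knows nothing about html.escape.
GENERIC_RULES = TaintRules(sources={"request.args.get"},
                           sinks={"cursor.execute", "render"})
# Language-specific tuning: html.escape registered as a sanitizer.
TUNED_RULES = TaintRules(sources={"request.args.get"},
                         sinks={"cursor.execute", "render"},
                         sanitizers={"html.escape"})

if __name__ == "__main__":
    for label, rules in (("generic", GENERIC_RULES), ("tuned", TUNED_RULES)):
        print(label, find_taint_flows(SAMPLE, rules))
```

With the generic rules all three sink calls are reported, including `render(safe)`, which is a false positive. Registering `html.escape` as a sanitizer removes that one finding while the SQL concatenation on line 4 and the unescaped `render(name)` on line 7 remain. The tracker treats a sanitizer as trusted for every sink, so a custom sanitizer that is registered too broadly (for instance, an HTML escaper applied to a SQL sink) would silently hide a real flow; in practice, custom sanitizers should be scoped to the sink class they actually neutralize.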
The global configuration simplifies onboarding for less mature organizations by providing best practice templates, such as configurations for only high-severity CWEs. This ensures that AppSec Managers can start small and scale their security measures as needed.
Project-Level Configuration for Code Scans
While the global configuration provides a centralized approach, project-level configurations allow detailed customization for an individual project. This flexibility is needed to tailor scans to the specific requirements of each project. With global configurations in place, however, project-level configuration is reduced to the adjustments a given project actually needs, which keeps settings consistent across the organization and easier to manage.