
Existing SCA customer - How do I enable SAST?

Mend for GitHub.com/Mend for GitHub Enterprise

SAST is enabled by setting "enableScan": true under "scanSettingsSAST" in your .whitesource or repo.config file. SAST also has its own check-run and issue settings, separate from the SCA ones, which can be configured under checkRunSettingsSAST and issueSettingsSAST. Below is the default configuration provided for newly onboarded repositories, with SAST enabled.

All SAST configuration options for Mend for Github.com and their explanation can be found in our product documentation:

Configure Mend for GitHub.com for SAST

Configure Mend for GitHub Enterprise for SAST

Default Configuration with SAST Enabled
CODE
{
  "scanSettings": {
    "configMode": "AUTO",
    "configExternalURL": "",
    "projectToken": "",
    "baseBranches": []
  },
  "scanSettingsSAST": {
    "enableScan": true,
    "scanPullRequests": true,
    "incrementalScan": true,
    "baseBranches": [],
    "snippetSize": 10
  },
  "checkRunSettings": {
    "vulnerableCheckRunConclusionLevel": "failure",
    "displayMode": "diff",
    "useMendCheckNames": true
  },
  "checkRunSettingsSAST": {
    "checkRunConclusionLevel": "failure",
    "severityThreshold": "high"
  },
  "issueSettings": {
    "minSeverityLevel": "LOW",
    "issueType": "DEPENDENCY"
  },
  "issueSettingsSAST": {
    "minSeverityLevel": "high",
    "issueType": "repo"
  },
  "remediateSettings": {
    "workflowRules": {
      "enabled": true
    }
  }
}
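
An existing SCA customer usually already has a tuned .whitesource or repo.config and does not want to replace it wholesale with the default above. The script below is an added example, not part of this article or of any Mend tooling: it merges the three SAST sections from the default configuration into an existing SCA-only config without overwriting keys that are already set, forces enableScan to true, and checks that the value really is the JSON boolean true (a quoted "true" string is a common mistake that leaves SAST off). The sample SCA-only config is constructed for the example.

```python
import copy
import json

# Default SAST sections taken from the sample configuration above.
# They are merged into an existing config; keys already present win.
SAST_DEFAULTS = {
    "scanSettingsSAST": {
        "enableScan": True,
        "scanPullRequests": True,
        "incrementalScan": True,
        "baseBranches": [],
        "snippetSize": 10,
    },
    "checkRunSettingsSAST": {
        "checkRunConclusionLevel": "failure",
        "severityThreshold": "high",
    },
    "issueSettingsSAST": {
        "minSeverityLevel": "high",
        "issueType": "repo",
    },
}


def load_config(text: str) -> dict:
    """Parse the raw contents of a .whitesource / repo.config file."""
    return json.loads(text)


def sast_enabled(config: dict) -> bool:
    """True only when scanSettingsSAST.enableScan is the JSON boolean true.

    A string value such as "true" is deliberately reported as not enabled.
    """
    return config.get("scanSettingsSAST", {}).get("enableScan") is True


def enable_sast(config: dict) -> dict:
    """Return a copy of config with SAST enabled.

    Existing keys inside the *SAST sections are preserved, so a repository
    that already tuned severityThreshold keeps that value; only missing keys
    receive the defaults. enableScan is always forced to True because that
    is the one setting that actually turns SAST on.
    """
    merged = copy.deepcopy(config)
    for section, defaults in SAST_DEFAULTS.items():
        current = merged.setdefault(section, {})
        if not isinstance(current, dict):
            raise ValueError(f"{section} must be a JSON object")
        for key, value in defaults.items():
            current.setdefault(key, copy.deepcopy(value))
    merged["scanSettingsSAST"]["enableScan"] = True
    return merged


def enable_sast_text(text: str) -> str:
    """Same operation on raw file contents, ready to be written back."""
    return json.dumps(enable_sast(load_config(text)), indent=2) + "\n"


# Constructed sample: an SCA-only config as an existing customer might have it.
EXISTING_SCA_ONLY = """{
  "scanSettings": {
    "configMode": "AUTO",
    "configExternalURL": "",
    "projectToken": "",
    "baseBranches": ["main"]
  },
  "checkRunSettings": {
    "vulnerableCheckRunConclusionLevel": "failure",
    "displayMode": "diff",
    "useMendCheckNames": true
  },
  "issueSettings": {
    "minSeverityLevel": "LOW",
    "issueType": "DEPENDENCY"
  },
  "remediateSettings": {
    "workflowRules": {
      "enabled": true
    }
  }
}
"""

if __name__ == "__main__":
    print("SAST enabled before:", sast_enabled(load_config(EXISTING_SCA_ONLY)))
    updated = enable_sast_text(EXISTING_SCA_ONLY)
    print("SAST enabled after:", sast_enabled(load_config(updated)))
    print(updated)
```

Note that scanSettingsSAST has its own baseBranches list, separate from the SCA one; the merge leaves it at the empty default, so if you restrict SCA to specific branches, set the SAST list explicitly as well.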

Self-Managed GitHub Enterprise Only

It is recommended to increase the number of scanners available for Mend scans prior to enabling SAST. SAST scans still follow the same principle of 1 scan per scanner and will share the scanner pool with SCA scans.

Dedicated scanners that are only used for SAST scans can be deployed by setting the environment variable WS_SAST_SCAN_PREFIX = SAST_ in the controller and scanner docker containers. Additionally, images for SAST scanner containers that only have what is required to run SAST scans are provided with the latest versions of Mend for GitHub Enterprise.

Mend Developer Platform

SAST can be enabled from the Code Security tab of either the global or individual repository configurations in the Developer Platform UI. Complete information on all of the settings can be found in Configure Mend Developer Platform for SAST.


Azure DevOps/Bitbucket Data Center/Gitlab

SAST scanning is currently not built into these repository integrations. In order to start scanning for SAST vulnerabilities, the Mend CLI must be used inside a CI/CD pipeline. To get started integrating the CLI into your CI/CD pipeline please see Scanning your applications in the pipeline. This document describes the required steps and best practices for scanning with the Mend CLI in a pipeline. The SCA section can be skipped as that is covered by the repository integrations.

Pipeline Scanning

Mend CLI

If you are already scanning SCA with the Mend CLI, a SAST scan can be added by simply calling mend code inside your CI/CD pipeline that is scanning SCA. All CLI configurations for SAST can be found in Configure the Mend CLI for SAST.

Unified Agent

The Unified Agent does not support SAST scanning, so the Mend CLI must be used. To get started integrating the Mend CLI into your CI/CD pipeline please see Scanning your applications in the pipeline. This document describes the required steps and best practices for scanning with the Mend CLI in a pipeline. It is worth considering switching SCA scans over to the Mend CLI at the same time, to simplify your pipeline, if you are scanning a language the CLI supports.
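
The pipeline sections above (the Azure DevOps/Bitbucket Data Center/GitLab section and both Mend CLI and Unified Agent subsections) reduce to the same step: run `mend code` in the job, optionally after `mend dep`, and fail the job when a scan fails. The wrapper below is an added example, not Mend's own code: it refuses to run when the CLI's credentials are not in the environment, runs the SCA scan only when a repository integration does not already cover it, and stops at the first failing scan so one scan's failure is not masked by the other's success. The three environment variable names are assumed from the Mend CLI authentication setup and should be checked against your own CLI documentation; `mend dep` is assumed to be the SCA command alongside `mend code`.

```python
import os
import shutil
import subprocess
import sys

# Variables the Mend CLI reads for authentication (assumption: verify the
# names against your Mend CLI documentation before relying on this list).
REQUIRED_ENV = ("MEND_URL", "MEND_EMAIL", "MEND_USER_KEY")


def missing_env(env: dict) -> list:
    """Names of required variables that are unset or empty."""
    return [name for name in REQUIRED_ENV if not env.get(name)]


def scan_commands(include_sca: bool) -> list:
    """Mend CLI invocations for one pipeline run, in order.

    `mend dep` is the SCA scan (assumed name); `mend code` is the SAST scan.
    SCA is skipped when a repository integration already performs it.
    """
    commands = []
    if include_sca:
        commands.append(["mend", "dep"])
    commands.append(["mend", "code"])
    return commands


def run_scans(include_sca: bool, env=None, runner=subprocess.run) -> int:
    """Run the scans and return the exit code the pipeline step should use.

    Returns 2 without running anything when credentials are missing, the
    first failing scan's exit code otherwise, and 0 on success.
    `runner` is injectable so the flow can be exercised without the CLI.
    """
    env = dict(os.environ if env is None else env)
    missing = missing_env(env)
    if missing:
        print("refusing to scan: missing " + ", ".join(missing), file=sys.stderr)
        return 2
    for cmd in scan_commands(include_sca):
        print("+ " + " ".join(cmd))
        result = runner(cmd, env=env)
        if result.returncode != 0:
            print(f"{cmd[1]} scan failed with exit code {result.returncode}",
                  file=sys.stderr)
            return result.returncode
    return 0


if __name__ == "__main__":
    if shutil.which("mend") is None:
        sys.exit("mend CLI not found on PATH")
    # Pass --skip-sca when a repository integration already handles SCA.
    sys.exit(run_scans(include_sca="--skip-sca" not in sys.argv))
```

Because the wrapper returns the CLI's own exit code, the CI system treats a failed scan as a failed step without any extra configuration; the credential check runs first so a misconfigured job fails fast instead of hanging on an interactive login prompt.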

Pipeline Examples

Example pipelines for scanning with Mend can be found in the Mend Toolkit/Mend-Examples repository. These examples are meant to be guides for implementing Mend in your own CI/CD pipeline. It is not recommended to use them exactly out of the box.
