SAST scan with Endor Labs
Static Application Security Testing (SAST) is an automated security analysis methodology that examines application source code, bytecode, or binary files to identify potential security vulnerabilities without program execution.
SAST has the following characteristics:
- White-box Testing: Provides full visibility into application internals
- Non-runtime Analysis: Performs scans without code execution
- Early Detection: Identifies vulnerabilities during development phases
- Language Support: Analyzes multiple programming languages and frameworks
Endor Labs integrates Semgrep Community Edition to provide SAST scan with endorctl.
Semgrep is an open-source, static analysis tool that finds bugs and vulnerabilities in the source code using pattern matching. Semgrep parses the source code, applies pattern matching based on rules, and reports matches based on the rule specifications. Semgrep rules are in yaml format. Endor Labs ships several predefined rules. You can use the rule editor to create your own rules.
Endor Labs includes a set of curated rules. You can create your own rules or import rules with the rule designer.
You need to create a finding policy so that SAST scan generates findings based on rules or certain criteria.
When you scan with the SAST option enabled, Endor Labs uses Semgrep to scan for weaknesses in your source code based on the enabled rules and generates results based on the configured finding policies.
Tip
Endor Labs does not scan the files included in the.gitignore files during SAST scan. You can also use the nosemgrep annotation in the code to skip SAST scan. Refer to the Semgrep Documentation for more information.
SAST scan results are available in the Findings page. See View SAST Findings for more information.
You can create exception policies to exclude results from the findings page. See Create exception policy for more information.
SAST scan with endorctl
Ensure that you complete the following prerequisites before you proceed to do a SAST scan using endorctl.
Warning
SAST scan is currently supported on macOS and Linux. SAST scans are not supported on Windows.Install endorctl
Install endorctl and configure your environment to run Endor Labs scan.
Download Semgrep
You need to download and install Semgrep Community Edition on your machine before you run a SAST scan.
Though Semgrep supports installation with Brew on macOS, it does not support installation of a specific version.
To install Semgrep you need to have a Python environment set up on your machine with pip.
We recommend that you install Semgrep version 1.99.0.
pip install semgrep==1.99.0
Run SAST scan with endorctl
You can run a SAST scan with endorctl with the following command.
endorctl scan --sast -n <project namespace>
See Run a SAST scan for more information on the command options.
SAST scan in monitoring scans
You can enable SAST scans when you configure monitoring or supervisory scans using the Endor Labs GitHub App, Azure DevOps App, and GitLab App. See Monitoring scans for more information. To disable the storage of code snippet in SAST scans for monitoring scans, you need to create a scan profile for your monitoring scan with disable code snippet storage as enabled. Note that the setting applies to all scans that you use this scan profile and not just the monitoring scans.
SAST scan in Endor Labs GitHub Action
You can also enable SAST scan in the Endor Labs GitHub Action. Set the scanning parameter, scan_sast as true. To disable code snippet storage for SAST scans, set disable_code_snippet_storage as true. See Scan with GitHub Actions for more information.
Feedback
Was this page helpful?
Thanks for the feedback. Write to us at support@endor.ai to tell us more.
Thanks for the feedback. Write to us at support@endor.ai to tell us more.