Run a SAST scan

Run a SAST scan with endorctl to identify security vulnerabilities and code quality issues in your source code.

Before you run a SAST scan, install endorctl and configure your environment for Endor Labs scans.

You can run a SAST scan on a project with endorctl using the following command.

endorctl scan --sast --path=/path/to/code -n <namespace>

To view the findings generated by this scan in Endor Labs, see view SAST findings.

When you run a scan, Endor Labs uses AI Agent analysis to triage the SAST findings. The AI agent uses a large language model (LLM) to examine the code context, trace data flows, and evaluate security controls, and then classifies each finding as either a True Positive (a genuine security vulnerability) or a False Positive. This automated classification removes the need to review every alert manually, so you can focus on the real security issues.

AI analysis does not process findings from test files such as unit tests and integration tests, or findings with low severity ratings. See AI triage behaviour for more information.

License requirement
AI SAST analysis features require a Code Pro license. A standard Code license covers basic SAST scanning only; AI analysis requires Code Pro.

The AI analysis process uses a large language model (LLM) to systematically evaluate each finding through the following steps:

  1. Identify SAST rule match location - The LLM locates the exact code line where the SAST rule was triggered and examines the matching code patterns.

  2. Trace data flow from source to sink - The LLM follows the data flow from where it enters the application to where it is used in potentially vulnerable code to determine if user-controlled input reaches vulnerable paths.

  3. Examine function calls and security controls - The LLM reviews function calls in the data flow path, including sanitizers, validators, and other security controls that may mitigate risks.

  4. Analyze function context and application usage - The LLM determines the purpose of the functions involved in the rule match, how they are used in the application, and the application context, such as web application, test file, or code example.

  5. Classify findings as true or false positive - The LLM evaluates all gathered information including whether inputs are user-controlled or hard-coded, presence of sanitization functions, application context, and existing security controls to classify the finding as a true positive or false positive.

AI analysis processes only findings that have not yet been analyzed: new findings and existing un-analyzed findings. If some findings are not analyzed in one run, they are analyzed in the next scan. By default, the analysis process runs for up to 30 minutes.

To modify the analysis timeout duration, set the following environment variable:

export ENDOR_SCAN_AI_SAST_ANALYSIS_TIMEOUT=10m

You can run an AI-analyzed SAST scan on a project with endorctl using the following command.

endorctl scan --sast --path=/path/to/code -n <namespace> --ai-sast-analysis=agent-fallback

AI analysis starts in the fast agent mode and automatically falls back to the deep analysis mode when the fast pass classifies a finding as a true positive. This balances speed and accuracy by spending the detailed analysis only where it is needed.

To view the findings generated by this scan in Endor Labs, see AI-analyzed SAST findings.

You can control which findings AI triage analyzes and how re-analysis behaves. By default, SAST findings that have already undergone AI triage are skipped in subsequent scans. To analyze every finding again, run the AI-analyzed SAST scan with the --ai-sast-rescan option; it removes all existing AI analyses and re-analyzes all findings from scratch.

endorctl scan --sast --path=/path/to/code -n <namespace> --ai-sast-analysis=agent-fallback --ai-sast-rescan

The following types of findings are automatically excluded from AI triage. To include a type, set its environment variable to false before you run the scan:

Finding type                   Environment variable
Test file findings             ENDOR_SAST_IGNORE_TEST_TRIAGE
Low severity findings          ENDOR_SAST_IGNORE_LOW_SEV_TRIAGE
Low confidence rule findings   ENDOR_SAST_IGNORE_LOW_CONF_RULE
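The following script is an added example, not part of endorctl or the Endor Labs documentation. It wraps the commands shown above in a small CI helper: it validates the analysis timeout before exporting ENDOR_SCAN_AI_SAST_ANALYSIS_TIMEOUT, optionally sets ENDOR_SAST_IGNORE_LOW_SEV_TRIAGE=false so low-severity findings are triaged too, and assembles the endorctl argument vector without eval so that namespaces, paths, and quoted --include-path globs are never re-parsed by the shell. The argument convention of the wrapper (positional namespace, path, AI flag, rescan flag, globs) and the DRY_RUN, TRIAGE_TIMEOUT and TRIAGE_LOW_SEV variables are the wrapper's own inventions; the endorctl flags and environment variables are the ones on this page. The wrapper only accepts --ai-sast-rescan together with --ai-sast-analysis=agent-fallback, which is how the page combines them.

```shell
#!/bin/sh
# sast_scan.sh: hypothetical CI wrapper around `endorctl scan --sast` with
# AI triage. Added example; not part of endorctl or the Endor Labs docs.
#
# Usage:
#   DRY_RUN=1 TRIAGE_TIMEOUT=10m ./sast_scan.sh <namespace> <path> <ai 0|1> <rescan 0|1> [glob...]
# With DRY_RUN unset, the assembled command is executed.
set -eu

die() { printf 'sast_scan: %s\n' "$*" >&2; exit 2; }

# Validate and export the AI-triage environment.
#   $1  analysis timeout: digits plus s/m/h, e.g. 10m (the page's default is 30m)
#   $2  1 to also triage low-severity findings, which are skipped unless
#       ENDOR_SAST_IGNORE_LOW_SEV_TRIAGE is set to false
# Returns 1 on a malformed timeout instead of exporting a bad value.
configure_triage_env() {
  num=${1%[smh]}
  [ "$num" != "$1" ] || return 1              # unit suffix missing
  case "$num" in ''|*[!0-9]*) return 1 ;; esac # not a plain integer
  export ENDOR_SCAN_AI_SAST_ANALYSIS_TIMEOUT="$1"
  if [ "${2:-0}" = 1 ]; then
    export ENDOR_SAST_IGNORE_LOW_SEV_TRIAGE=false
  fi
}

# Assemble the argv for one scan and run it, or print it one argument per
# line when DRY_RUN=1.
#   $1  namespace (-n is mandatory)        $2  directory to scan (--path)
#   $3  1 adds --ai-sast-analysis=agent-fallback
#   $4  1 adds --ai-sast-rescan (this wrapper requires $3=1 for it)
#   $5+ --include-path globs; pass them quoted, e.g. 'src/java/**', so the
#       calling shell never expands them; they are forwarded verbatim
sast_scan() {
  ns=$1; src=$2; ai=$3; rescan=$4; shift 4
  [ -n "$ns" ] || die "namespace is mandatory (-n)"
  [ -d "$src" ] || die "scan path is not a directory: $src"
  [ "$rescan" = 0 ] || [ "$ai" = 1 ] || die "rescan requires AI analysis"

  # Convert the remaining globs into --include-path arguments without eval:
  # append the converted form of each, then drop the originals.
  nglobs=$#
  for g in "$@"; do set -- "$@" "--include-path=$g"; done
  shift "$nglobs"

  set -- endorctl scan --sast "--path=$src" -n "$ns" "$@"
  if [ "$ai" = 1 ]; then set -- "$@" --ai-sast-analysis=agent-fallback; fi
  if [ "$rescan" = 1 ]; then set -- "$@" --ai-sast-rescan; fi

  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$@"
  else
    "$@"
  fi
}

# Entry point: only runs when invoked with arguments, so the functions can
# also be sourced from another script.
if [ $# -gt 0 ]; then
  configure_triage_env "${TRIAGE_TIMEOUT:-30m}" "${TRIAGE_LOW_SEV:-0}" \
    || die "TRIAGE_TIMEOUT must be digits plus s/m/h, e.g. 10m"
  sast_scan "$@"
fi
```

Run it once with DRY_RUN=1 to see the exact argv before letting a pipeline execute it; the printed form is one argument per line, so a glob that was accidentally expanded by the calling shell shows up as several --include-path lines instead of one.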

You can use the AI Analysis Status criteria in finding policies to filter findings by their AI classification, such as true positives, false positives, or both, in your findings view. Similarly, action policies can trigger actions based on the AI classification, such as sending notifications only for true positives.

You can run the endorctl scan --sast command with the following options.

Option Description
-n, --namespace Namespace of the project with which you are working. Mandatory.
--include-path Limit the scan to the specified file paths or directories using Glob style expressions. For example, --include-path="src/java/**" scans all the files under src/java, including any subdirectories, while --include-path="src/java/*" includes only the files directly under src/java. Paths must be relative to the root of the repository. Use quotes to ensure that your shell does not expand wildcards.
--exclude-path Exclude the specified file paths or directories from the scan using Glob style expressions. For example, --exclude-path="src/java/**" excludes all the files under src/java, including any subdirectories, while --exclude-path="src/java/*" excludes only the files directly under src/java. Paths must be relative to the root of the repository. Use quotes to ensure that your shell does not expand wildcards.
--disable-code-snippet-storage Disable storing the code snippet that violates the SAST policy along with the finding.
--path Path to the source code to scan.
--ai-sast-analysis=agent-fallback Enable the AI agent to identify and classify false positives in SAST findings. The agent-fallback mode starts with fast analysis and automatically falls back to deep analysis when needed.
--ai-sast-rescan Remove all existing AI analyses and re-analyze all findings from scratch, including those that have already undergone AI triage.