Performing a static code analysis

Static code analysis includes invocation of SAST tools, secrets scans, dependency checks and Infrastructure-as-Code scanners.

It supports both single and scheduled scans. It is also possible to set up repository monitoring, which periodically checks the target repo for new commits and performs an incremental scan of those changes only.

First, create a new product, as described on the previous page.

Source code can be provided either as a ZIP archive of the source folder or by specifying a Git repository path. Check the next page if authentication is required to access the repo.

The ZIP file should contain one or more folders with the source code.

Both HTTPS and SSH formats are accepted for Git paths, making it easy to assess vulnerabilities straight from the repo.

Go to the Static Analysis tab and upload the ZIP archive or specify the path to the repo. Choose the main language and multi-language scanners you want to be invoked.

Language-specific scanners will also be invoked, based on the value of the “Main language” field. The following scanners are currently mapped to the Main language values:

  • python - Bandit

  • java - FindSecBugs

  • csharp - SecurityCodeScan

  • cpp - FlawFinder

  • php - PHP_CodeSniffer

  • javascript - NodeJS Scan

  • ruby - Brakeman

  • go - GoSec

  • kotlin - MobSF

  • swift - MobSF

Double-check the Engagement ID (it should be the same one that was created with the product) and hit “Submit”.
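The steps above amount to a handful of inputs that the form expects: a source location that is exactly one of a ZIP archive (containing at least one folder) or a Git path in HTTPS or SSH form, a Main language from the mapped list, and an Engagement ID that matches the product. The following pre-flight checker is an added example, not code from the scanning platform and not its API: it reproduces those rules locally so a submission can be validated before it is sent. The scanner mapping is copied from the list above; the Git path patterns, the sample archive and the engagement ID values are constructed assumptions for the example.

```python
import io
import re
import zipfile
from typing import List, Optional

# Main language -> language-specific scanner, as listed on this page.
MAIN_LANGUAGE_SCANNERS = {
    "python": "Bandit",
    "java": "FindSecBugs",
    "csharp": "SecurityCodeScan",
    "cpp": "FlawFinder",
    "php": "PHP_CodeSniffer",
    "javascript": "NodeJS Scan",
    "ruby": "Brakeman",
    "go": "GoSec",
    "kotlin": "MobSF",
    "swift": "MobSF",
}

# Assumed shapes of accepted Git paths (the page says HTTPS and SSH formats).
_HTTPS_RE = re.compile(r"^https://[A-Za-z0-9.\-]+(?::\d+)?/[^\s]+?(?:\.git)?/?$")   # https://host/owner/repo(.git)
_SSH_SCP_RE = re.compile(r"^[A-Za-z0-9_.\-]+@[A-Za-z0-9.\-]+:[^\s]+?(?:\.git)?$")     # git@host:owner/repo(.git)
_SSH_URL_RE = re.compile(r"^ssh://[A-Za-z0-9_.\-]+@[A-Za-z0-9.\-]+(?::\d+)?/[^\s]+?(?:\.git)?$")  # ssh://git@host(:port)/owner/repo


def git_path_kind(path: str) -> Optional[str]:
    """Return 'https' or 'ssh' for an accepted Git path, None otherwise.
    Plain http:// URLs and local filesystem paths are rejected because the
    page only lists HTTPS and SSH as accepted formats."""
    if _HTTPS_RE.match(path):
        return "https"
    if _SSH_SCP_RE.match(path) or _SSH_URL_RE.match(path):
        return "ssh"
    return None


def zip_top_level_folders(data: bytes) -> List[str]:
    """Return the distinct top-level folder names inside a ZIP archive.
    Entries that would escape the archive root (absolute paths or '..'
    components) are rejected rather than silently counted."""
    folders = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if name.startswith("/") or ".." in parts:
                raise ValueError(f"unsafe archive entry: {name!r}")
            if len(parts) > 1:  # the entry lives inside a folder
                folders.add(parts[0])
    return sorted(folders)


def validate_submission(main_language: str, engagement_id: int, expected_engagement_id: int,
                        git_path: Optional[str] = None, zip_bytes: Optional[bytes] = None) -> List[str]:
    """Collect every problem with a would-be scan submission; an empty list means it passes."""
    problems = []
    if main_language not in MAIN_LANGUAGE_SCANNERS:
        problems.append(f"unsupported main language {main_language!r}")
    if engagement_id != expected_engagement_id:
        problems.append(f"engagement id {engagement_id} does not match the product's {expected_engagement_id}")
    if (git_path is None) == (zip_bytes is None):
        problems.append("provide exactly one of git_path or zip_bytes")
    if git_path is not None and git_path_kind(git_path) is None:
        problems.append(f"git path must be HTTPS or SSH: {git_path!r}")
    if zip_bytes is not None:
        try:
            if not zip_top_level_folders(zip_bytes):
                problems.append("ZIP archive contains no folders")
        except (zipfile.BadZipFile, ValueError) as exc:
            problems.append(f"bad ZIP archive: {exc}")
    return problems


def build_sample_zip(flat: bool = False) -> bytes:
    """Constructed sample archive: one folder with a single source file, or
    (flat=True) a single file at the archive root, which the form would reject."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("main.py" if flat else "app/main.py", "print('hello')\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed engagement id 42 stands in for the id created with the product.
    print(validate_submission("python", 42, 42, git_path="git@github.com:example/repo.git"))
    print(validate_submission("python", 42, 42, zip_bytes=build_sample_zip(flat=True)))
```

The archive check deliberately refuses entries with absolute paths or `..` components instead of just ignoring them: an archive that would write outside its own root on extraction is something to reject at intake, not something to count as "one folder".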

Important: CodeQL has a licensing limitation on its usage. Please check and accept its Terms & Conditions before enabling that scanner.
