Executing the OpenAI scan
Last updated
ScanSuite supports code analysis via LLM / GenAI services that implement the OpenAI API specification.
This includes cloud services such as openai.com as well as locally hosted LLMs, for example Ollama, LM Studio, etc.
Some considerations to keep in mind:
- Code submitted to OpenAI cloud services leaves your environment and may affect code confidentiality; prefer locally hosted LLMs where this matters.
- Analysis takes longer than other scan types. For this reason, and for cost reasons, it is not recommended to upload all project files (configurations, dependency libraries, etc.); upload only the files that implement the core application logic.
- Results may vary between uploads because the analysis is performed "on the fly" by the LLM. Prefer large models (30B+ parameters) for more consistent results.
To set up the ML SAST scan with a local LLM service, specify its API URL via Settings.
If no API URL is specified, ScanSuite submits the code to openai.com, which requires an API key. Refer to the Admin Manual for how to obtain and set this key.
Results are not uploaded to Defect Dojo. Instead, an HTML file is generated from the analysis results and can be downloaded via the Report button once the scan has finished:
Download the report and open the gpt-sast-report HTML file:
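The following is an added example illustrating the workflow described above; it is not ScanSuite's own code and makes no claim about how ScanSuite implements the scan. It selects only application source files (skipping dependency directories and configuration), builds a chat-completions request for an OpenAI-compatible endpoint with `temperature` pinned to 0 to reduce run-to-run variation, and renders the model's findings into a stand-alone HTML report. The default base URL (Ollama's local endpoint), the model name, the prompt, the size cap and the sample project and model reply are all assumptions constructed for the example; the network call is defined but not exercised, so the script runs offline.

```python
"""Added example (not ScanSuite code): pick core source files, build an
OpenAI-compatible request, and render LLM findings into an HTML report."""
import html
import json
import tempfile
import urllib.request
from pathlib import Path

# Directories and file types that carry no application logic. Assumption:
# these are the typical ones; extend for your project.
SKIP_DIRS = {"node_modules", "vendor", ".git", "venv", "__pycache__", "dist", "build"}
SOURCE_EXTS = {".py", ".js", ".ts", ".go", ".java", ".php", ".rb", ".cs"}


def select_sources(root, max_bytes=64_000):
    """Return application source files under root, skipping dependency
    directories, configs and oversized files (size cap is an assumption)."""
    root = Path(root)
    chosen = []
    for path in sorted(root.rglob("*")):
        rel_parts = path.relative_to(root).parts
        if any(part in SKIP_DIRS for part in rel_parts):
            continue
        if path.is_file() and path.suffix in SOURCE_EXTS and path.stat().st_size <= max_bytes:
            chosen.append(path)
    return chosen


def build_request(files, model, root):
    """Build the chat-completions body. temperature=0 reduces variation
    between uploads; seed is only honoured by servers that support it."""
    root = Path(root)
    parts = [f"### {p.relative_to(root)}\n```\n{p.read_text(errors='replace')}\n```" for p in files]
    return {
        "model": model,
        "temperature": 0,
        "seed": 0,
        "messages": [
            {"role": "system", "content": "You are a static analysis tool. Report security "
             "vulnerabilities as a JSON list of objects with keys file, line, severity, title, detail."},
            {"role": "user", "content": "\n\n".join(parts)},
        ],
    }


def submit(body, base_url="http://localhost:11434/v1", api_key=None):
    """POST to an OpenAI-compatible endpoint (default: Ollama's local one,
    an assumption). Not called in the offline demo below."""
    headers = {"Content-Type": "application/json"}
    if api_key:  # cloud services require a key; local servers usually do not
        headers["Authorization"] = f"Bearer {api_key}"
    req = urllib.request.Request(f"{base_url.rstrip('/')}/chat/completions",
                                 data=json.dumps(body).encode(), headers=headers)
    with urllib.request.urlopen(req, timeout=600) as resp:
        return json.load(resp)["choices"][0]["message"]["content"]


def parse_findings(text):
    """Parse the model reply. Model output is untrusted: tolerate prose around
    the JSON and drop entries that are not well-formed objects."""
    start, end = text.find("["), text.rfind("]")
    if start < 0 or end < start:
        return []
    try:
        items = json.loads(text[start:end + 1])
    except json.JSONDecodeError:
        return []
    return [i for i in items if isinstance(i, dict) and {"file", "title"}.issubset(i)]


def render_html(findings):
    """Render findings as HTML. Every field is escaped: the model, or the
    analysed code it quotes, could otherwise inject script into a report
    that a reviewer opens in a browser."""
    cols = ("file", "line", "severity", "title", "detail")
    rows = "".join("<tr>" + "".join(f"<td>{html.escape(str(f.get(c, '')))}</td>" for c in cols) + "</tr>"
                   for f in findings)
    return ("<!doctype html><meta charset='utf-8'><title>gpt-sast-report</title><table>"
            "<tr><th>File</th><th>Line</th><th>Severity</th><th>Title</th><th>Detail</th></tr>"
            f"{rows}</table>")


def demo(root):
    """Constructed sample project: one logic file, one config, one vendored
    dependency, plus a constructed model reply containing an injection attempt."""
    root = Path(root)
    (root / "app").mkdir(parents=True, exist_ok=True)
    (root / "app" / "views.py").write_text("def run(cmd):\n    import os; os.system(cmd)\n")
    (root / "app" / "settings.json").write_text('{"debug": true}')
    (root / "node_modules" / "x").mkdir(parents=True, exist_ok=True)
    (root / "node_modules" / "x" / "index.js").write_text("module.exports = 1;")
    files = select_sources(root)
    body = build_request(files, "qwen2.5-coder:32b", root)  # model name is an assumption
    reply = ('Here are the findings:\n[{"file": "app/views.py", "line": 2, "severity": "high", '
             '"title": "Command injection", "detail": "<script>alert(1)</script> os.system on user input"}]')
    return files, body, render_html(parse_findings(reply))


if __name__ == "__main__":
    files, body, report = demo(tempfile.mkdtemp())
    print([str(f) for f in files])
    print(report)
```

In real use, replace the constructed reply with `submit(body, base_url, api_key)`, pointing `base_url` at the local service configured in Settings; the escaping in `render_html` is the part not to drop, since the report is opened in a browser and its content comes from an untrusted model.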