Static Code Analysis
Static code analysis includes the use of various security and quality tools, such as:
SAST (Static Application Security Testing) tools
Secrets scanning
Dependency checks (SCA)
Infrastructure as Code (IaC) scanners
Scan Types Supported
The system supports both on-demand (single) and scheduled scans. Additionally, you can configure repository monitoring to periodically check for updates in a target repository and automatically perform incremental scans on any new changes.
Step-by-Step Instructions
1. Create a Product
Before initiating a scan, create a new product as described on the previous page of the documentation.
2. Provide Source Code
You can supply the source code in one of the following ways:
ZIP Archive: Upload a compressed folder containing one or more source code directories.
Git Repository Path: Specify the repository URL (both HTTPS and SSH formats are supported).
📌 If the repository requires authentication, refer to the next page for setup instructions.
3. Configure the Static Analysis
Navigate to the Static Analysis tab and:
Upload the ZIP archive or enter the Git repository path.
Select the main programming language of the project.

Choose any additional multi-language scanners and extra features, such as AI-generated code documentation.
Select which scan results should be exported to Defect Dojo
Enable AI features for scans:
LLM based SAST
Secrets verification
Dependency scan results enrichment
ℹ️ Language-specific scanners will automatically be triggered based on the selected Main Language.

4. Submit the Scan
Confirm that the Product / Engagement ID matches the one created during product setup.
Click “Submit” to start the scan.
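The following helper covers the two ways of supplying source code in step 2. It is an added example, not part of the platform's own tooling or UI: it packages a source tree into a ZIP archive for upload, skipping VCS metadata, dependency caches and build output so that SAST findings come from your own code rather than vendored third-party code (lockfiles are kept, because the dependency/SCA scan reads them), and it checks that a Git repository path is in one of the two supported forms, HTTPS or SSH. The excluded directory names, the regular expressions and the sample project tree are assumptions made for the example.

```python
"""Prepare a source-code input for the Static Analysis tab (added example)."""
import os
import re
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional

# Assumed set of directories that are not the project's own source. They inflate
# the archive and produce findings in third-party code. Lockfiles such as
# package-lock.json, requirements.txt or go.sum are NOT excluded: the dependency
# (SCA) scan needs them.
EXCLUDED_DIRS = {".git", ".hg", ".svn", "node_modules", "vendor", "dist",
                 "build", "target", ".venv", "venv", "__pycache__"}

# Assumed shapes of the two supported repository path formats.
HTTPS_RE = re.compile(r"^https://[^/\s]+/[^\s]+?(?:\.git)?/?$")
# scp-style form used by Git over SSH: git@host:owner/repo.git
SCP_RE = re.compile(r"^[\w.-]+@[\w.-]+:[^\s]+?(?:\.git)?$")
# URL form with optional port: ssh://git@host:2222/owner/repo.git
SSH_URL_RE = re.compile(r"^ssh://[\w.-]+@[\w.-]+(?::\d+)?/[^\s]+?(?:\.git)?$")


def classify_repo_path(url: str) -> Optional[str]:
    """Return 'https', 'ssh', or None when the path matches neither supported form."""
    u = url.strip()
    if HTTPS_RE.match(u):
        return "https"
    if SCP_RE.match(u) or SSH_URL_RE.match(u):
        return "ssh"
    return None


def build_source_archive(src_root: Path, archive: Path) -> List[str]:
    """Write src_root into a ZIP archive and return the member names stored in it."""
    src_root = Path(src_root)
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, dirnames, filenames in os.walk(src_root):
            # Prune excluded directories in place so os.walk does not descend into them.
            dirnames[:] = sorted(d for d in dirnames if d not in EXCLUDED_DIRS)
            for name in sorted(filenames):
                full = Path(dirpath) / name
                if full.is_symlink():
                    # Skip symlinks: their targets may lie outside the tree.
                    continue
                rel = full.relative_to(src_root).as_posix()
                zf.write(full, arcname=rel)
        return zf.namelist()


def demo() -> List[str]:
    """Archive a constructed sample project and return the archive's member list."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "project"
        # Constructed sample tree: two entries should survive, two should be excluded.
        sample = {
            "src/app.py": "print('hello')\n",
            "package-lock.json": "{}\n",
            "node_modules/left-pad/index.js": "module.exports = s => s;\n",
            ".git/HEAD": "ref: refs/heads/main\n",
        }
        for rel, content in sample.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        return build_source_archive(root, Path(tmp) / "project.zip")


if __name__ == "__main__":
    for candidate in ("https://github.com/org/repo.git",
                      "git@github.com:org/repo.git",
                      "ftp://example.com/repo"):
        print(candidate, "->", classify_repo_path(candidate))
    print("archive members:", demo())
```

If the archive must include directories that this helper excludes (for example a `vendor` tree that is itself under review), trim `EXCLUDED_DIRS` before running it; the point of the exclusions is only that the scan results reflect the code you own.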