Executing the AI-Powered Scan
ScanSuite provides support for AI-powered static code analysis using large language models (LLMs) that conform to the OpenAI API specification. This includes both cloud-based services, such as OpenAI (openai.com), and locally hosted LLMs, such as Ollama, LM Studio, and others.
Supported LLM Services
You can use either of the following options for AI-based code scanning:
Cloud-based LLMs: Requires an internet connection and a valid API key. Code is transmitted to the cloud service for processing.
Locally hosted LLMs: Preferred for sensitive projects. Models run on your own infrastructure, keeping your source code private.
Important Considerations
When using the AI-powered scan feature, please keep the following in mind:
Confidentiality: Submitting code to cloud-based services may raise privacy or security concerns. For sensitive or proprietary codebases, it is recommended to use a locally hosted LLM.
Performance and Cost: AI-based analysis typically takes longer than traditional scans and may incur API usage fees, particularly when using commercial LLMs. To optimize performance and minimize costs, upload only the essential files related to the core application logic. Avoid submitting configuration files, dependencies, or generated code unless necessary.
Variability of Results: Since each analysis is generated dynamically by the LLM, results may vary slightly between runs. For more consistent and reliable results, it is recommended to use larger models (30B parameters or higher) when available.
Configuration
To enable AI-based scanning:
If you are using a local LLM, navigate to Settings in ScanSuite and specify the API URL of your local model server.
If the API URL is not configured, ScanSuite will default to using OpenAI’s cloud service. In this case, you must provide a valid OpenAI API key. Instructions for setting up the API key can be found in the Administrator Manual.

Viewing the Results
Scan results from the AI-powered scan are not automatically uploaded to Defect Dojo. Instead, ScanSuite generates a standalone HTML report upon completion:

After the scan finishes, click the Report button to download the results. The report file will be named in the following format:
gpt-{project_name}-report.html
Open this file in any web browser to review the findings and insights provided by the LLM.
