SAST Scanner

Overview

Checkmarx's Static Application Security Testing (SAST) scanner examines your application's source code, bytecode, or binaries without executing them. It looks for common security weaknesses by analyzing the code's structure and how data flows through the application. The goal is to catch vulnerabilities early in the software development lifecycle, allowing developers to address security concerns before the application is run in production.

SAST builds a logical graph of the code's elements and flows without needing to build or compile a software project's source code. SAST then queries this internal code graph. SAST includes an extensive list of hundreds of pre-configured queries for known security vulnerabilities for each programming language. Using the Query Editor, you can configure your own additional queries for security, QA, and business logic purposes.

The input to SAST's scanning and analysis is the source code, not binaries, so no building or compiling is required, and no libraries need to be available. The code doesn't even need to be able to compile and link properly. Consequently, SAST can run scans and generate security reports at any given point in a software project's development life cycle.

Key Features

Fast Scan Configuration

Fast Scan configuration aims to find the perfect balance between thorough security tests and the need for quick and actionable results. There’s no need to choose between speed and security. Alongside the Base Preset, we are thrilled to announce a new scan mode designed to speed up the scan: Fast Scan mode.

Fast Scan mode decreases the scanning time of projects up to 90%, making it faster to identify relevant vulnerabilities and enable continuous deployment while ensuring that security standards are followed. This will help developers tackle the most relevant vulnerabilities.

While the Fast Scan configuration identifies the most significant and relevant vulnerabilities, the In-Depth scan mode offers deeper coverage. For the most critical projects with a zero-vulnerability policy, it is advised to also use our In-Depth scan mode.

Warning

To expedite the results retrieval, the scanning process has been optimized to reduce the number of stages and flows involved in the scan. With this enhancement, the queries related to Fusion are not executed and results won’t be generated when utilizing this new mode.

You may also notice an impact on the API Security scanner results.

Incremental Scans

Definition

Notice

Incremental scans are relevant only for the SAST scanner.

An incremental scan is a mechanism to scan a small portion of code to deliver fast results. This mechanism scans only the code that was changed from the last full scan and any code close to it (called "closure").

If an incremental scan is run, but more than 7% of the project's files have changed since the last full scan, a full scan is run instead.

Notice

With every incremental scan, the changes from the last full scan are accumulated.

How does it work?

The results of every incremental scan are merged with its base full scan to provide a complete result set for the whole code. To understand the merge, we need to understand the different types of results. In the diagram below, only the "Changed files" and the "Closure files" are scanned by the incremental scan.

Each black line represents one result, flowing through several nodes:

  • A – All of the result nodes are inside the changed files. New results like this returned from an incremental scan are "good results" that a full scan would also be expected to find.

  • B – All of the result nodes are inside the closure files. New results like this returned from an incremental scan are "bad results": these files weren't changed, so there cannot be a new result here. Results of this type are filtered out of the incremental scan; the remaining results are those with at least one node inside the changed files (A, D).

  • C – All of the result nodes are outside the closure files. The incremental scan cannot find these because these files are not scanned. The last full scan results are merged with the incremental scan results and shown as "recurrent".

  • D – The result nodes are inside both the changed and closure files. New results returned from an incremental scan are "good results" that the incremental scan is expected to find.

  • E – The result nodes are both inside and outside the closure files. The incremental scan cannot find this kind of result because some result files are not scanned. The last full scan results are merged with the incremental scan results and shown as "recurrent".

  • F – The result nodes are inside the changed files, the closure files, and files outside the closure. The incremental scan cannot find this kind of result because some result files are not scanned. The last full scan results are merged with the incremental scan results and shown as "recurrent".
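The 7% threshold and the A–F merge rules above, worked through as an added Python illustration; this is not Checkmarx code, and the file names, the result model (one result = the list of files its nodes pass through) and the handling of base-scan B results are assumptions.

```python
# Added illustration of the incremental-scan merge described above (not Checkmarx code).
# Assumed model: one result is the ordered list of files its flow nodes pass through.
from typing import List, Set, Tuple

CHANGE_THRESHOLD = 0.07  # page rule: more than 7% changed files forces a full scan


def needs_full_scan(changed: Set[str], all_files: Set[str]) -> bool:
    """True when the fraction of changed files since the last full scan exceeds 7%."""
    return len(changed) / len(all_files) > CHANGE_THRESHOLD


def category(nodes: List[str], changed: Set[str], closure: Set[str]) -> str:
    """Classify a result into the page's categories A-F by where its nodes live."""
    files = set(nodes)
    key = (bool(files & changed), bool(files & closure), bool(files - changed - closure))
    table = {(True, False, False): "A", (False, True, False): "B", (False, False, True): "C",
             (True, True, False): "D", (False, True, True): "E", (True, True, True): "F"}
    return table.get(key, "F")  # changed+outside with no closure node: treated like F


def merge(base: List[List[str]], incremental: List[List[str]],
          changed: Set[str], closure: Set[str]) -> List[Tuple[str, str, List[str]]]:
    """Merge incremental findings with the last full scan into one result set."""
    scanned = changed | closure
    out = []
    # Incremental results survive only if some node is in a changed file (A, D);
    # results lying entirely in unchanged closure files (B) are filtered out.
    for nodes in incremental:
        if set(nodes) & changed and set(nodes) <= scanned:
            out.append((category(nodes, changed, closure), "new", nodes))
    # Base results the incremental scan cannot see (C, E, F: a node outside the
    # scanned files) are carried over as "recurrent". Assumption: base results that
    # lie entirely in unchanged closure files (B) are carried over as well; results
    # confined to rescanned files that touch a changed file (A, D) are superseded.
    for nodes in base:
        files = set(nodes)
        if not (files <= scanned and files & changed):
            out.append((category(nodes, changed, closure), "recurrent", nodes))
    return out


# Constructed sample project (not real data): 40 files, 2 changed = 5% -> incremental.
ALL_FILES = {f"src/f{i}.java" for i in range(40)}
CHANGED = {"src/f1.java", "src/f2.java"}
CLOSURE = {"src/f3.java", "src/f4.java"}
BASE = [["src/f10.java", "src/f11.java"],                # C: all nodes outside closure
        ["src/f3.java", "src/f12.java"],                 # E: closure + outside
        ["src/f1.java", "src/f3.java", "src/f13.java"],  # F: changed + closure + outside
        ["src/f1.java", "src/f2.java"]]                  # A from the old scan, superseded
INCR = [["src/f1.java"],                                 # A: kept
        ["src/f3.java", "src/f4.java"],                  # B: filtered out
        ["src/f2.java", "src/f4.java"]]                  # D: kept
```

Calling merge(BASE, INCR, CHANGED, CLOSURE) yields the two new A/D results followed by the C, E and F results carried over as recurrent.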

Running Incremental Scans

There are several ways to run an incremental scan. The following are some of the possible methods.

  • Project Settings - Go to Project Settings > Rules and create a Rule for the SAST scanner to run incremental scans. You can set whether or not this setting can be overridden when running an individual scan.

  • Running a scan - When manually initiating a scan of a Project, you can select the Checkbox for Incremental scan.

  • CLI - When running the scan create command from the CLI, you can add the flag --sast-incremental to run an incremental scan.

  • API - When running POST /scans, set the config value for sast scans as "incremental":"true".

  • IDE - When a scan is initiated from the IDE (as described here) it automatically runs as an incremental scan.

Limitations

  • Incremental scans are only relevant for the SAST scanner. All other scanners always run full scans.

  • An incremental scan can only run after an initial full scan of the Project has been run.

  • If more than 7% of the Project's files have been changed since the last full scan, then even if incremental scan is specified it will run as a full scan.

Query Editor

Checkmarx Query Editor complements the SAST scanner by enabling you to easily customize SAST’s analysis queries or configure additional queries for security, quality assurance, and application logic purposes.

Query Editor can adapt SAST’s basic security functionality to non-standard code. It includes intuitive tools for adding code elements to various parts of queries and for locating relevant parts of existing queries and combining them to create your own. This helps eliminate false positives and ensure that all real vulnerabilities are identified. Use it to expand on SAST’s functionality and include queries supporting your specific QA or application logic needs.

Caution

There is a hard limit of 5 sessions of Query Editor that may run at a time and an idle session timeout of 60 minutes.

Note

Common queries cannot be edited in the Query Browser.

For more information about Query Editor, see SAST Query Editor.

Presets

Presets are sets of queries that a user can select to make SAST scan results more accurate. By using presets, the user triages against the main capabilities that the SAST scanner provides.

Preset management is a new way to control standard/predefined presets. It lets users easily create their own presets according to their needs.

Presets are mandatory for the SAST scanner. If no preset is selected for a SAST scan, the default preset ASA Premium is used.

For more information about Presets, see Presets Management.