Skip to main content

SAST Configuration Options

The following table shows the configuration options available for the SAST scanner. These configuration options can be applied on the Account > Project > Scan levels. These configurations can be set via the web application (UI), CLI or API, as shown in the table below.

Notice

CLI flags are submitted on the scan level with the scan create command. API configs can be configured on the account or project level using the Configuration API.

Filter Application Logic

  • Filters are applied in the order they appear in the expression.

  • When both include and exclude filters are used, include filters must come first.

Why this order matters

If the include filters come first (correct order) the system starts with an empty selection set, then adds content from the original sources based on the include filters. The exclude filters are then applied to that populated set, successfully removing any unwanted items. The resulting, correctly filtered selection set is what gets sent for scanning.

If the exclude filters are applied first (incorrect order), the system begins with an empty selection set and attempts to remove content - which has no effect. Only afterward does it apply the include filters, adding content from the source set to the selection set. This results in the exclude rules being effectively ignored.

Parameter

Values

Notes

CLI

API

presetName

All the available SAST Presets that exist in the system

  • For the full Presets list (including descriptions) go to the following link:

    Predefined Presets

  • The default preset that is used is ASA Premium

--sast-preset-name boolean

scan.config.sast.presetName

fastScanMode

true / false

By default, the Fast Scan mode is false.

For more information, refer to Fast Scan Mode

--sast-fast-scan boolean

scan.config.sast.fastScanMode

Light Queries

true/false

Determines whether the scan should be performed using light queries or standard queries. Light Queries are simplified versions of standard queries focusing on the most urgent vulnerabilities, helping you spot threats faster.

For more information, refer to Light Queries.

  • When set to true, SAST will scan using light queries, quickly focusing on the most immediate and exploitable weaknesses.

  • When set to false, SAST will not scan using light queries; it will scan using standard queries.

--sast-light-queries

scan.config.sast.lightQueries

incremental

true / false

Determines whether the scan should be performed incrementally or as a full scan.

  • When set to true, SAST will only scan the code changes made since the last scan, significantly reducing the scan time and resource usage.

  • When set to false, SAST will perform a full scan. Full scans are more comprehensive but take longer to complete and use more resources.

--sast-incremental boolean

scan.config.sast.incremental

recommendedExclusions

true / false

Determines whether the system should automatically exclude certain files and folders from the scan.

  • When set to true, SAST applies predefined exclusions, allowing developers to scan faster and focus on the most relevant code areas.

  • When set to false, SAST will include all files and directories in the scan.

--sast-recommended-exclusions

scan.config.sast.recommendedexclusions

languageMode

primary / multi

For more information see:

Specifying a Code Language for Scanning

Supported Code Languages and Frameworks:

Note

By default, the languageMode is Multi.

Not Supported

scan.config.sast.languageMode

folder/filter

Allow users to select specific folders or files to include or exclude from the code scanning process.

  • Including a file type - *.java

  • Excluding a file type - !*.java

  • Use “,” sign to chain file types

    for example: *.java,*.js

  • The parameter also supports including/excluding folders.

  • regex is not supported.

--sast-filter <string>

scan.config.sast.filter

engineVerbose

true / false

  • true = Enables PRINT_DEBUG mode.

  • false = Enables PRINT_LOG mode.

Not Supported

scan.config.sast.engineVerbose

compliance

Submit a list of compliances

This parameter is used to filter which compliance standards are included in the scan results. By default, all supported compliances are returned. If you would like to limit the compliances returned, you can set this parameter and specify an array of compliances to include. This filter applies to the results shown in the UI on the Project Overview page as well as to the results returned in the Results Summary API.

Warning

Supported only via API.

Not Supported

scan.config.sast.compliance

Results scope level

Project / Application

When you triage SAST results (change state, severity, comments), by default the adjustment applies only to identical results within that Project. You can adjust this setting to apply changes to all identical results in the entire Application.

Threshold for Incremental Scans (%)

0.5 - 10 (intervals of .5)

When running an incremental scan, if the changes from the previous scan exceed the threshold, a full scan is run. By default the threshold is 7%. Use this configuration to set a custom threshold. For more information, see Adjusting the Incremental Scan Threshold.

Incremental in branch (API)

true / false

When working with branches within Checkmarx GitHub Integration, if you open a pull request to merge into the master branch, you could run a faster incremental scan instead of a longer full scan. This capability is activated by configuring this setting to true. By default, it is false, so that only scans of the main branch are run as incremental. For more information, see Incremental Scans of Branches.

In this section: