SAST Configuration Options
The following table shows the configuration options available for the SAST scanner. These configuration options can be applied on the Account > Project > Scan levels. These configurations can be set via the web application (UI), CLI or API, as shown in the table below.
Notice
CLI flags are submitted on the scan level with the scan create command. API configs can be configured on the account or project level using the Configuration API.
Filter Application Logic
Filters are applied in the order they appear in the expression.
When both include and exclude filters are used, include filters must come first.
Why this order matters
If the include filters come first (the correct order), the system starts with an empty selection set, then adds content from the original sources that matches the include filters. The exclude filters are then applied to that populated set, removing any unwanted items. The resulting, correctly filtered selection set is what gets sent for scanning.
If the exclude filters are applied first (the incorrect order), the system begins with an empty selection set and attempts to remove content from it, which has no effect. Only afterward does it apply the include filters, adding content from the source set to the selection set. As a result, the exclude rules are effectively ignored and files you intended to leave out of the scan are still scanned.
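The ordering rule above is easy to get wrong in a scan definition, and the failure mode is silent: the scan simply covers more than intended. The following Python snippet is an added example, not code from the product or its documentation. It models the described semantics (empty selection set, includes add from the source set, excludes remove from the selection set, filters applied in expression order) and shows the result of both orderings on a constructed file list. The page does not define the filter syntax, so filters are represented here as assumed `(kind, pattern)` tuples using shell-style glob patterns; a small pre-check that flags an exclude preceding an include is also an addition.

```python
import fnmatch

# Constructed sample file list standing in for a repository's source tree.
SOURCE_FILES = [
    "src/app/main.py",
    "src/app/util.py",
    "src/app/tests/test_main.py",
    "vendor/lib/helper.js",
    "docs/readme.md",
]


def apply_filters(source, filters):
    """Apply ordered (kind, pattern) filters to the source set.

    Semantics as described on the page: the selection set starts empty;
    an "include" filter adds matching items from the source set; an
    "exclude" filter removes matching items from the selection set built
    so far. Filters are evaluated strictly in the order given.
    The (kind, pattern) representation is an assumption for this example.
    """
    selection = []
    for kind, pattern in filters:
        if kind == "include":
            for path in source:
                if fnmatch.fnmatch(path, pattern) and path not in selection:
                    selection.append(path)
        elif kind == "exclude":
            # Removing from an empty selection set has no effect, which is
            # exactly why an exclude placed before any include is ignored.
            selection = [p for p in selection if not fnmatch.fnmatch(p, pattern)]
        else:
            raise ValueError(f"unknown filter kind: {kind}")
    return selection


def includes_precede_excludes(filters):
    """Pre-check (hypothetical helper): True if no exclude comes before an include."""
    seen_exclude = False
    for kind, _ in filters:
        if kind == "exclude":
            seen_exclude = True
        elif kind == "include" and seen_exclude:
            return False
    return True


def correct_order():
    """Include src/, then drop test folders: the exclude takes effect."""
    return apply_filters(
        SOURCE_FILES, [("include", "src/*"), ("exclude", "*/tests/*")]
    )


def incorrect_order():
    """Same filters, exclude first: test files are still scanned."""
    return apply_filters(
        SOURCE_FILES, [("exclude", "*/tests/*"), ("include", "src/*")]
    )


if __name__ == "__main__":
    print("correct order  :", correct_order())
    print("incorrect order:", incorrect_order())
    bad = [("exclude", "*/tests/*"), ("include", "src/*")]
    print("order check passes:", includes_precede_excludes(bad))
```

Running the block shows the test file disappearing only in the correct ordering; the `includes_precede_excludes` check is the kind of guard worth running over a filter expression before submitting a scan, so that an exclude which can never take effect is caught up front rather than discovered in an unexpectedly large results set.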
| Parameter | Values | Notes | CLI | API |
|---|---|---|---|---|
| presetName | All the available SAST Presets that exist in the system | | | |
| fastScanMode | true / false | By default, the Fast Scan mode is false. For more information, refer to Fast Scan Mode. | | |
| Light Queries | true / false | Determines whether the scan should be performed using light queries or standard queries. Light Queries are simplified versions of standard queries focusing on the most urgent vulnerabilities, helping you spot threats faster. For more information, refer to Light Queries. | Not Supported | |
| incremental | true / false | Determines whether the scan should be performed incrementally or as a full scan. | | |
| recommendedExclusions | true / false | Determines whether the system should automatically exclude certain files and folders from the scan. | Not Supported | |
| languageMode | primary / multi | For more information, see Specifying a Code Language for Scanning and Supported Code Languages and Frameworks. Note: by default, the languageMode is Multi. | Not Supported | |
| folder/filter | | Allows users to select specific folders or files to include in or exclude from the code scanning process. | | |
| engineVerbose | true / false | | Not Supported | |
| compliance | Submit a list of compliances | This parameter is used to filter which compliance standards are included in the scan results. By default, all supported compliances are returned. If you would like to limit the compliances returned, you can set this parameter and specify an array of compliances to include. This filter applies to the results shown in the UI on the Project Overview page as well as to the results returned in the Results Summary API. Warning: supported only via API. | Not Supported | |