
SAST scan with Endor Labs

Beta

Static Application Security Testing (SAST) is an automated security analysis methodology that examines application source code, bytecode, or binary files to identify potential security vulnerabilities without program execution.

SAST has the following characteristics:

  • White-box Testing: Provides full visibility into application internals
  • Non-runtime Analysis: Performs scans without code execution
  • Early Detection: Identifies vulnerabilities during development phases
  • Language Support: Analyzes multiple programming languages and frameworks

Endor Labs integrates Semgrep OSS to provide SAST scans through endorctl.

Semgrep is an open-source static analysis tool that finds bugs and vulnerabilities in source code using pattern matching. Semgrep parses the source code, applies pattern matching based on rules, and reports matches according to the rule specifications. Semgrep rules are written in YAML. Endor Labs ships several predefined rules, and you can use the rule editor to create your own.

Endor Labs includes a set of curated rules. You can create your own rules or import rules with the rule designer. You must create a finding policy and apply rules to it so that the SAST scan generates findings based on those rules.

When you scan with the SAST option enabled, Endor Labs uses Semgrep to scan your source code for weaknesses (CWEs) and generates results based on the rules defined in the system and your finding policy.

SAST scan with endorctl

Ensure that you complete the following prerequisites before you proceed to do a SAST scan using endorctl.

Install endorctl

Install endorctl and configure your environment to run Endor Labs scan.

Download Semgrep

You need to download and install Semgrep OSS on your machine before you run a SAST scan.

Semgrep can be installed with Homebrew on macOS, but that method does not let you pin a specific version.

To install Semgrep you need to have a Python environment set up on your machine with pip.

Ensure that you install Semgrep version 1.99.0.

pip install semgrep==1.99.0

Run SAST scan with endorctl

You can run a SAST scan with endorctl with the following command.

endorctl scan --sast -n <project namespace>

See Run a SAST scan for more information on the command options.

SAST scan in monitoring scans

You can enable SAST scans when you configure monitoring or supervisory scans using the Endor Labs GitHub App, Azure DevOps App, and GitLab App. See Monitoring scans for more information. To disable the storage of code snippets in SAST scans for monitoring scans, create a scan profile for your monitoring scan with disable code snippet storage enabled.

SAST scan in Endor Labs GitHub Action

You can also enable SAST scans in the Endor Labs GitHub Action. Set the scanning parameter scan_sast to true. To disable code snippet storage for SAST scans, set disable_code_snippet_storage to true. See Scan with GitHub Actions for more information.

1 - SAST Rules

Endor Labs uses Semgrep-compatible rules for SAST scans. Endor Labs includes hundreds of rules for various languages, including rules created by Endor Labs and vetted third-party rules. To this end, Endor Labs reviews existing open source rules and complements them with Endor Labs rules to cover additional technologies or vulnerability types.

You can edit existing rules in your tenant to make modifications specific to your environment. You can also create new custom rules with the rule designer based on your requirements. You can also use the rule designer to add any Semgrep rules as a custom rule.

Refer to Semgrep Rules Documentation for more information on how to write a rule.

From the left sidebar, navigate to Policies and Rules and select SAST RULES to view all SAST rules in the system.

SAST rules

You can use the toggle against a rule to enable or disable the rule during the scan.

You can search for rules based on various parameters like rule name, languages, CWE, and tags.

Rule Permissions

You can create SAST rules in your tenant, and can edit, delete, or propagate them to child namespaces. You cannot edit rules that are marked as Endor Labs or 3rd Party. You can disable such a rule so that it is not applied during scanning, or clone it to modify the rule.

1.1 - Clone a SAST rule

You can clone an existing SAST rule and use that as a base to build your own rule.

Cloning a rule provides the following benefits:

  • You can make changes to a rule and review the results instead of directly editing an existing rule.
  • You can create a clone of a rule that you do not have permission to edit and make your changes.

To clone a SAST rule:

  1. From the left sidebar, navigate to Policies and Rules and select SAST RULES.

  2. Click on the three dots menu next to a rule and select Clone.

    A copy of the rule appears in the list of rules with the rule name in the format <original rule name>-<number of the clone>. For example, if you clone the rule Arbitrary Code Execution - Unsanitized inputs for the first time, a clone rule is created with the name Arbitrary Code Execution - Unsanitized inputs-1.

    Clone SAST rule

  3. Click the edit button next to the cloned rule to edit the cloned rule according to your requirements.

    See Edit a SAST Rule for more information.

1.2 - Create a SAST rule

To create a rule:

  1. From the left sidebar, navigate to Policies and Rules and select SAST RULES.
  2. Click Create SAST Rule.
  3. Enter the SAST rule in the YAML format.

    Create SAST rule

  4. Click Save to save the rule.
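The following Semgrep-compatible rule is an added example of what you can enter in step 3; it is not one of the rules shipped by Endor Labs. The rule id, message, tags and the constructed code in the comments are assumptions; it flags a Python file that is checked with os.path.exists() or os.access() and then opened, the time-of-check/time-of-use pattern (CWE-367) that the page's example finding names refer to.

```yaml
# Added example rule (not an Endor Labs or Semgrep-shipped rule).
# Matches, for example (constructed):
#   if os.path.exists(path):
#       with open(path) as fh:        # <-- reported
#           data = fh.read()
# Does not match (constructed), because no check precedes the open:
#   try:
#       with open(path) as fh:
#           data = fh.read()
#   except OSError:
#       ...
rules:
  - id: example-python-toctou-check-then-open
    languages: [python]
    severity: WARNING
    message: >-
      The file $F is checked with os.path.exists() or os.access() and then
      opened. The file can be replaced between the check and the open
      (CWE-367). Open the file directly and handle OSError instead.
    metadata:
      # CWE and tags are what the SAST RULES page lets you search by.
      cwe: "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"
      category: security
      tags: [toctou, example]
    patterns:
      # The open() must sit inside the body of an if that tests the same
      # path with one of the two check functions.
      - pattern-either:
          - pattern-inside: |
              if os.path.exists($F):
                  ...
          - pattern-inside: |
              if os.access($F, ...):
                  ...
      # $F is bound by the check above, so only an open() of the same
      # path is reported.
      - pattern: open($F, ...)
```

Because the rule is plain Semgrep YAML, the same file can also be placed in a tar or gzip archive and imported with the procedure under Import SAST rules.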

1.3 - Edit a SAST rule

You can edit only the custom SAST rules. You cannot edit or delete Endor Labs or third-party rules.

To edit a SAST rule:

  1. From the left sidebar, navigate to Policies and Rules and select SAST RULES.

  2. Click the edit button of a rule and select Edit Rule.

    Edit SAST rule

  3. After you complete the edits, click Save to save the rule. You can also delete or disable a rule from the Edit SAST Rule screen.

1.4 - Import SAST rules

You can import Semgrep-compatible SAST rules that you create as YAML files. The files must have the yaml or yml extension, and the rules must be packaged inside a gzip or tar archive.

Import SAST rules through the user interface

You can bulk import rules through the user interface.

  1. From the left sidebar, navigate to Policies and Rules and select SAST RULES.

  2. Click Import.

    Import SAST rule

  3. Click Browse and select the archive file that contains the rules.

  4. Enter the version of the rule, if required.

    If you do not enter a version and the rules already exist in the system, the rule upload may fail.

Import SAST rules with endorctl

You can bulk import rules using the following command.

endorctl rule-set import --file-path <file> --rule-version <version> -n namespace

Option           Description
-n, --namespace  Namespace of the project with which you are working. Mandatory.
--file-path      The path to the file that contains the rule set to import. Supported file types are .tar and .gz.
--rule-version   The semantic version that applies to all the rules in the set. The command fails if any rule already exists with this version.

2 - Run a SAST scan

To run a SAST scan on a project, run the following command.

endorctl scan --sast -n <project namespace>

You can run the endorctl scan --sast command with the following options.

Option                          Description
-n, --namespace                 Namespace of the project with which you are working. Mandatory.
--include-path                  Limit the scan to the specified file paths or directories using glob-style expressions. For example, --include-path="src/java/**" scans all the files under src/java, including any subdirectories, while --include-path="src/java/*" includes only the files directly under src/java. Paths must be relative to the root of the repository. Use quotes to ensure that your shell does not expand wildcards.
--exclude-path                  Exclude the specified file paths or directories from the scan using glob-style expressions. For example, --exclude-path="src/java/**" excludes all the files under src/java, including any subdirectories, while --exclude-path="src/java/*" excludes only the files directly under src/java. Paths must be relative to the root of the repository. Use quotes to ensure that your shell does not expand wildcards.
--disable-code-snippet-storage  Disable storing the code snippet that violates the SAST policy.
--path                          The path from which the scan is issued.

3 - Create Exception Policy for SAST Findings

Exception policies define the conditions for applying an exception to a finding. When an exception is applied to a finding, it is tracked as an exception and action policies do not apply to it. Findings with exceptions are filtered out from Endor Labs reports by default.

See Exception Policies for more information.

Instead of creating an exception policy, you can also use the following methods to avoid generating findings:

  • Disable the rule under SAST Rules
  • Use --include-path and --exclude-path to scan only parts of the project

You can create an exception policy so that you can mark a SAST finding as an exception.

For example, you want to mark findings with the description, Detected Potential Open Redirect Vulnerability in Angular Application, as exceptions.

  1. From the left sidebar, select Policies.

  2. Select EXCEPTION POLICIES.

  3. Click Create Exception Policy to create a new exception policy.

  4. Select Standard Exception Find Attributes as the POLICY TEMPLATE.

  5. Enter Detected Potential Open Redirect Vulnerability in Angular Application in Finding Name Contains.

  6. Select from the following reasons why you are applying this exception:

    • In Triage: The finding is still being triaged for more information.
    • False Positive: The finding is a false positive.
    • Risk Accepted: The risk associated with the finding is accepted.
    • Other: Another reason applies for this exception.
  7. Select when the exception should expire.

    Options include 30, 60, 90 days, and Never.

  8. Assign Scope for which this exception policy should apply. Scopes are defined by the tags assigned to a project.

    • In Inclusions, enter the tags of the projects that you want to apply an exception to.
    • In Exclusions, enter the tags of the projects that you do not want to apply an exception to. Exclusions take precedence over the inclusions, in case of a conflict.
    • Click the link to view the projects included in the finding policy.

    See Tagging projects for more information about creating project tags.

  9. Enter a human-readable Name for your exception policy.

  10. Enter a Description for your exception policy that explains its function.

  11. Enter any Policy Tags that you want to associate with your policy. Tags can have a maximum of 63 characters and can contain letters, numbers, and characters = @ _ -

  12. Click Create Exception Policy.

Create exceptions from Findings page

You can also create exceptions from the Findings page.

Select the Finding for which you want to create an exception and select Actions > Add Exception Policy.

The Create Exception Policy page appears where you can add a new exception policy. The template parameters are automatically updated based on the vulnerability.

You can use this feature to apply an exception only to findings with a specific hash value. For example, Detected Potential time of check time of use vulnerability (open/fopen): ID #e81f27. After creation, this exception policy applies only to the SAST findings with this hash ID and not to any others.

4 - View SAST Findings

You can view SAST findings in the Findings page.

  1. From the left sidebar, select Findings.

  2. In the Findings page, select SAST under First Party Code.

    View SAST findings

  3. You can use the filters to further refine the SAST findings.

  4. Select the detail icon in a finding to view the detailed information.

    View SAST finding details

  5. Select Rule to view the rule that triggered the finding.

    View SAST finding rules

  6. You can select Actions > Export all or select the required findings and select Actions > Export to export findings as a CSV file.

    SAST finding export

Group by filters for SAST findings

You can use the group by filters to get a granular view of the SAST findings in your project.

You can group findings by the following parameters for SAST:

  • Findings
  • Rule ID
  • Location

  1. From the left sidebar, select Projects.

  2. Select the project for which you want to view the findings.

  3. In the Findings page, select SAST under First Party Code.

    SAST finding group by

  4. Select the required group by filter, for example, Rule ID.

    SAST finding group by rule ID