SAST scan with Endor Labs

Static Application Security Testing (SAST) is an automated security analysis methodology that examines application code to identify potential security vulnerabilities.

SAST has the following characteristics:

  • White-box Testing: Provides full visibility into application internals
  • Non-runtime Analysis: Performs scans without code execution
  • Early Detection: Identifies vulnerabilities during development phases
  • Language Support: Analyzes multiple programming languages and frameworks

Endor Labs integrates Opengrep to provide SAST scan with endorctl.

Opengrep is an open-source, static analysis tool that finds bugs and vulnerabilities in the source code using pattern matching. Opengrep parses the source code, applies pattern matching based on rules, and reports matches based on the rule specifications. Opengrep rules are in the yaml format.

When you run a SAST scan, Endor Labs downloads Opengrep and works seamlessly. If you wish, you can use Semgrep instead of Opengrep with Endor Labs. See Use Semgrep with Endor Labs for more information.

Endor Labs includes a set of curated rules. You can create your own rules or import rules with the rule designer.

When you scan with the SAST option enabled, Endor Labs uses Opengrep to scan for weaknesses in your source code based on the enabled rules and generates results based on the configured finding policies.

SAST scan results are available in the Findings page. See View SAST Findings for more information.

You can create exception policies to exclude results from the findings page. See Create exception policy for more information.

You can create a finding policy using predefined templates to control which SAST results appear as findings. See SAST policies for more information.

Endor Labs determines the severity of findings by combining two factors from the SAST rule: impact and confidence. Impact measures the potential consequences if a security issue were to be exploited. Confidence represents how certain the system is that a detected pattern indicates a genuine security issue rather than a false positive.

The following matrix shows how Endor Labs resolves severity by combining impact and confidence.

High Impact Medium High Critical
Medium Impact Low Medium High
Low Impact Low Low Medium
Low Confidence Medium Confidence High Confidence

Endor Labs supports single-function analysis for the following languages through curated rules and custom user rules.

  • Java
  • JavaScript
  • Python
  • C#
  • C/C++
  • Go
  • Kotlin
  • TypeScript
  • Ruby
  • Rust
  • JSX
  • PHP
  • Scala
  • Swift
  • Terraform
  • json
  • Generic

Ensure that you complete the following prerequisites before you proceed to do a SAST scan using endorctl.

Install endorctl and configure your environment to run Endor Labs scan.

You can run a SAST scan with endorctl with the following command.

endorctl scan --sast -n <project namespace>

See Run a SAST scan for more information on the command options.

You can enable SAST scans when you configure monitoring or supervisory scans using the Endor Labs GitHub App, Azure DevOps App, and GitLab App. See Monitoring scans for more information. To disable the storage of code snippet in SAST scans for monitoring scans, you need to create a scan profile for your monitoring scan with disable code snippet storage as enabled. Note that the setting applies to all scans that you use this scan profile and not just the monitoring scans.

You can also enable SAST scan in the Endor Labs GitHub Action. Set the scanning parameter, scan_sast as true. To disable code snippet storage for SAST scans, set disable_code_snippet_storage as true. See Scan with GitHub Actions for more information.