Skip to main content
Rule-based SAST scans are fast and deterministic, but they generate a high number of false positives that drain developer time. Endor Labs’ AI SAST triage agent analyzes and intelligently triages SAST findings when you run a SAST scan. The AI agent leverages a large language model (LLM) to examine code context, trace data flows, and evaluate security controls. It automatically classifies each finding as either a True Positive, indicating a genuine security vulnerability, or a False Positive. This eliminates the need for manual review of every alert, allowing you to focus on addressing real security threats. AI analysis starts with the fast agent mode, but automatically falls back to deep analysis mode when a true positive is detected. This provides a balance between speed and accuracy by using detailed analysis only when needed. To run an AI SAST triage agent scan, use the following command. 
endorctl scan --sast --path=/path/to/code -n <namespace> --ai-sast-analysis=agent-fallback
To view the findings generated by this scan, see View AI SAST triage agent findings. AI analysis does not process findings from test files such as unit tests and integration tests, or findings with low severity ratings. See AI triage behavior to learn more.

AI triage process

The AI triage process uses a large language model (LLM) to systematically evaluate each finding through the following steps:
  1. Identify SAST rule match location: Locate the exact code line where the SAST rule was triggered and examine the matching code patterns.
  2. Trace data flow from source to sink: Follow the data flow from where it enters the application to where it is used in potentially vulnerable code to determine if user-controlled input reaches vulnerable paths.
  3. Examine function calls and security controls: Review function calls in the data flow path, including sanitizers, validators, and other security controls that may mitigate risks.
  4. Analyze function context and application usage: Understand the purpose of functions involved in the rule match, how they are used in the application, and the application context such as web application, test file, or code example.
  5. Classify findings as true or false positive: Evaluate all gathered information including whether inputs are user-controlled or hard-coded, presence of sanitization functions, application context, and existing security controls to classify the finding as a true positive or false positive.
AI triage processes only new findings and existing un-analyzed findings. If findings are not analyzed in the scan, they will be taken up in the next one. The triage process runs for up to 5 minutes by default. To modify the analysis timeout duration, use the --ai-sast-analysis-timeout flag: 
endorctl scan --sast --path=/path/to/code -n <namespace> --ai-sast-analysis-timeout=10m

AI triage behavior

Control which findings are analyzed by AI triage and manage re-analysis behavior. By default, AI triage analyzes only new findings and previously un-analyzed findings, skipping any that have already been triaged. When running AI SAST triage agent scans, use the --ai-sast-rescan option to remove all existing AI analyses and re-analyze every finding from scratch. 
endorctl scan --sast --path=/path/to/code -n <namespace> --ai-sast-analysis=agent-fallback --ai-sast-rescan
The following types of findings are automatically excluded from AI triage. To include them, set the corresponding environment variable to false: You can generate and match findings based on AI classification by configuring these criteria when creating a finding policy or an action policy from a template:
  • AI Analysis Status: Select True Positive or False Positive to match findings by their AI analysis result.
  • AI SAST: Select Yes to match only findings generated by the AI SAST detection agent in action policies.

AI SAST triage agent scan options

The endorctl scan --sast command supports the following options for AI SAST triage agent scans.

View AI SAST triage agent findings

When you run a SAST scan with --ai-sast-analysis=agent-fallback, the AI SAST triage agent analyzes the findings to determine if they are true security issues or false positives. The agent automatically tags verified true positives with True Positive and false positives with False Positive for easy filtering. To view AI SAST triage agent findings:
  1. Select Findings > SAST from the left sidebar.
  2. Use the Attributes filter and select True Positive or False Positive to filter findings.
  3. Select a finding to view the details.
    • AI Analysis: Indicates the AI agent’s classification and analysis of the finding.
      • Classification: Specifies if the finding is categorized as a true positive or false positive, including the associated confidence level.
      • Analysis Summary: A brief explanation of the security issue identified, including why the finding was triggered and what type of vulnerability it represents.
      • Security Impact: The risk level and potential consequences if the vulnerability is exploited.
      • Technical Details: Technical explanation of how the vulnerability can be exploited, including the source and sink points in the code.
      • Data Flow Analysis: Traces how untrusted data flows through your code from input to the vulnerable point.
      • Security Controls: Displays what security protections exist or are missing in the code.
      • Risk Assessment: Detailed reasoning for why the finding is classified as a true positive or false positive, with supporting evidence.
      • AI Remediation: Suggested code fix to address the vulnerability.
    • Info, Rule, Explanation, and Metadata: Displays the underlying SAST rule information, detailed explanations of the security issue, remediation guidance, and metadata such as CWE classifications and security tags.
      • Info: Contains key metadata for the finding, including confidence, impact, first detected time, project, and rule ID.
      • Rule: The specific SAST rule that detected the finding, including rule description and code examples.
      • Explanation: Analysis summary, security impact, and technical details about why this is a SAST finding.
      • Remediation: General remediation guidance for addressing this type of vulnerability.
      • References: Links to relevant security references such as CWE definitions.
      • Metadata: Contains classification details such as the CWE ID, affected languages, security tags applied to the finding, and detected rule version.