Static Application Security Testing (SAST) is an automated security analysis methodology that examines application code to identify potential security vulnerabilities without executing the code. SAST has the following characteristics:
  • White-box Testing: Provides full visibility into application internals
  • Non-runtime Analysis: Performs scans without code execution
  • Early Detection: Identifies vulnerabilities during development phases
  • Language Support: Analyzes multiple programming languages and frameworks
Endor Labs offers two ways to run SAST scans on your first-party code:
  • Rule-based SAST: Pattern-based static analysis powered by Opengrep. Fast, deterministic scans that match your source code against a curated set of rules.
  • AI SAST: LLM-powered agents that find vulnerabilities rule-based scans cannot express, and triage rule-based findings to cut false positives.
  • Enable the default SAST finding policies to generate findings from SAST scans.
  • Endor Labs does not scan files matched by .gitignore during a SAST scan. You can also use the nosemgrep annotation in the code to skip a SAST scan. Refer to the Semgrep documentation for more information.
  • You can create exception policies to exclude results from the findings page. See create exception policy for more information.

Rule-based SAST scans

Endor Labs offers several ways to run rule-based SAST scans based on your project setup.
  • SAST scan with endorctl: Run a SAST scan from the command line using endorctl by adding the --sast flag.
  • SAST scan in monitoring scans: Enable SAST scans when you configure monitoring or supervisory scans using the Endor Labs SCM Apps. See SCM Integrations for setup instructions. To disable code snippet storage in SAST scans for monitoring scans, create a scan profile and configure the required settings. This setting applies to all scans that use this scan profile, not just the monitoring scans.
  • SAST scan in Endor Labs GitHub Action: Enable SAST scan in the Endor Labs GitHub Action by setting the scanning parameter scan_sast as true. To disable code snippet storage for SAST scans, set disable_code_snippet_storage as true.

AI SAST scans

Endor Labs offers several ways to run AI SAST scans based on your project setup.
  • AI SAST triage agent with endorctl: Run AI SAST triage agent scans using endorctl by adding the --ai-sast-analysis=agent-fallback flag to your scan command. The AI SAST triage agent automatically classifies findings as true positives or false positives, reducing manual triage effort.
  • AI SAST detection agent with endorctl: Run AI SAST detection agent scans using endorctl to identify security vulnerabilities beyond traditional rule-based detection. The AI SAST detection agent generates new findings labeled with an AI tag.
  • AI SAST scans in SCM apps: Enable AI SAST scans in monitoring or supervisory scans. Create a scan profile for the project and enable AI SAST in the scan profile. The setting applies to all scans that use this scan profile.
  • AI SAST scans in Endor Labs GitHub Action: Run AI SAST scans in the Endor Labs GitHub Action by passing the relevant flag in additional_args.

SAST incremental scans

You can use the --pr-incremental flag to perform an incremental SAST scan on your pull requests or merge requests. In monitoring scans, incremental scans run by default for PR scans. Endor Labs only scans the files that have changed since the last scan on the baseline branch, by computing a diff between the target branch and the baseline branch. Endor Labs identifies the changed files, scans each modified file fully for SAST issues, and skips unchanged files. Endor Labs does not perform chunk-level or line-level code diff analysis for SAST. If there are more than 1000 modified files, Endor Labs performs a complete scan.
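The following shell function is an added illustration, not endorctl's implementation: it approximates the file-selection behaviour described above with plain git, so you can predict which files a PR-incremental scan would cover and when the 1000-file threshold forces a complete scan. It assumes git is installed and that the baseline and target are local branch names.

```shell
#!/bin/sh
# Added illustration of the incremental-scan selection described above.
# This is NOT endorctl's implementation; it models the documented behaviour
# with plain git. Assumptions: git is installed, baseline/target are local
# branch names, and the 1000-file threshold is the one stated on the page.
MAX_INCREMENTAL_FILES=1000

# select_sast_targets <baseline-branch> <target-branch> [repo-dir]
# Prints "FULL" when the documented threshold is exceeded (complete scan),
# otherwise one path per line for every file changed on the target branch
# since it diverged from the baseline. Each listed file is scanned whole:
# the selection is file-level, never chunk- or line-level.
select_sast_targets() {
  baseline=$1; target=$2; repo=${3:-.}
  # "baseline...target" diffs against the merge-base, i.e. what changed
  # since the baseline state, ignoring commits that landed on the baseline
  # afterwards. Deleted files (D) are dropped: nothing remains to scan.
  # Untracked and .gitignore'd files never appear in a git diff, which
  # matches the documented exclusion.
  changed=$(git -C "$repo" diff --name-only --diff-filter=ACMR \
              "$baseline...$target") || return 1
  count=$(printf '%s\n' "$changed" | grep -c . || true)
  if [ "$count" -gt "$MAX_INCREMENTAL_FILES" ]; then
    echo FULL
    return 0
  fi
  printf '%s\n' "$changed" | grep . || true
}

# Usage: select_sast_targets main feature-branch /path/to/repo
```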