# SAST (Static Application Security Testing)

> Find security vulnerabilities in your first-party code.

Static Application Security Testing (SAST) is an automated security analysis methodology that examines application code to identify potential security vulnerabilities.

SAST has the following characteristics:

* **White-box Testing**: Provides full visibility into application internals
* **Non-runtime Analysis**: Performs scans without code execution
* **Early Detection**: Identifies vulnerabilities during development phases
* **Language Support**: Analyzes multiple programming languages and frameworks

Endor Labs integrates [Opengrep](https://www.opengrep.dev/) to provide SAST scanning with endorctl.

Endor Labs enhances SAST scanning with AI analysis that evaluates each finding to determine whether it represents a genuine security vulnerability or a false positive. This automated classification streamlines your security workflow by eliminating the need for manual triage of every alert, allowing your team to prioritize and address real threats more efficiently. See [AI analysis with SAST scan](/scan/sast/run-a-sast-scan#sast-scan-with-ai-analysis) for more information.

Opengrep is an open-source static analysis tool that finds bugs and vulnerabilities in source code using pattern matching. Opengrep parses the source code, applies pattern matching based on rules, and reports matches according to the rule specifications. Opengrep rules are written in YAML.

When you run a SAST scan, Endor Labs downloads Opengrep and runs it for you; no separate installation is required. If you prefer, you can use Semgrep instead of Opengrep with Endor Labs.

<Warning>
  If you use Semgrep with Endor Labs, SAST scan is supported on macOS and Linux, and not supported on Windows.
</Warning>

Endor Labs includes a set of [curated rules](/scan/sast/manage-sast-rules). You can [create your own rules](/scan/sast/manage-sast-rules/create-sast-rule) or [import rules](/scan/sast/manage-sast-rules/import-sast-rule) with the rule designer.

<Note>
  Enable the [default SAST finding policies](/platform-administration/policies/finding-policies/sast-policies) to generate findings from SAST scans.
</Note>

When you run a [SAST scan](/scan/sast/run-a-sast-scan), Endor Labs uses Opengrep to scan your source code for weaknesses based on the SAST rules, and generates findings according to your finding policies.

<Tip>
  Endor Labs does not scan files listed in `.gitignore` during a SAST scan. You can also use the `nosemgrep` annotation in your code to exclude specific lines from the SAST scan. Refer to the [Semgrep Documentation](https://semgrep.dev/docs/ignoring-files-folders-code#ignore-code-through-nosemgrep) for more information.
</Tip>

Log in to [Endor Labs](https://app.endorlabs.com/login) to view the findings of a SAST scan. See [SAST Findings](/scan/sast/viewing-sast-findings) for more information.

You can create exception policies to exclude results from the findings page. See [create exception policy](/scan/sast/create-exception-policy) for more information.

You can create a finding policy using predefined templates to control which SAST results appear as findings. See [SAST policies](/platform-administration/policies/finding-policies/sast-policies) for more information.

## SAST severity matrix

Endor Labs determines the severity of a finding by combining two factors from the SAST rule: impact and confidence. Impact measures the potential consequences of exploiting the security issue. Confidence represents the certainty that a detected pattern is a genuine security issue rather than a false positive. If either factor cannot be determined, the severity defaults to low.

The following matrix shows how Endor Labs resolves severity by combining impact and confidence.

<div style={{maxWidth: '500px'}}>
  <table style={{borderCollapse: 'collapse', width: '100%'}}>
    <tbody>
      <tr>
        <th style={{padding: '0.8rem', background: 'rgba(128,128,128,0.15)', color: 'inherit', border: '1px solid rgba(128,128,128,0.25)', fontWeight: 500, verticalAlign: 'middle'}}>High Impact</th>
        <td style={{padding: '0.8rem', background: 'hsl(25, 100%, 62%)', color: 'white', textAlign: 'center', fontWeight: 'bold', border: '1px solid rgba(128,128,128,0.25)'}}>Medium</td>
        <td style={{padding: '0.8rem', background: 'hsl(357, 76%, 49%)', color: 'white', textAlign: 'center', fontWeight: 'bold', border: '1px solid rgba(128,128,128,0.25)'}}>High</td>
        <td style={{padding: '0.8rem', background: 'hsl(346, 60%, 35%)', color: 'white', textAlign: 'center', fontWeight: 'bold', border: '1px solid rgba(128,128,128,0.25)'}}>Critical</td>
      </tr>

      <tr>
        <th style={{padding: '0.8rem', background: 'rgba(128,128,128,0.15)', color: 'inherit', border: '1px solid rgba(128,128,128,0.25)', fontWeight: 500, verticalAlign: 'middle'}}>Medium Impact</th>
        <td style={{padding: '0.8rem', background: 'hsl(47, 100%, 50%)', color: 'black', textAlign: 'center', fontWeight: 'bold', border: '1px solid rgba(128,128,128,0.25)'}}>Low</td>
        <td style={{padding: '0.8rem', background: 'hsl(25, 100%, 62%)', color: 'white', textAlign: 'center', fontWeight: 'bold', border: '1px solid rgba(128,128,128,0.25)'}}>Medium</td>
        <td style={{padding: '0.8rem', background: 'hsl(357, 76%, 49%)', color: 'white', textAlign: 'center', fontWeight: 'bold', border: '1px solid rgba(128,128,128,0.25)'}}>High</td>
      </tr>

      <tr>
        <th style={{padding: '0.8rem', background: 'rgba(128,128,128,0.15)', color: 'inherit', border: '1px solid rgba(128,128,128,0.25)', fontWeight: 500, verticalAlign: 'middle'}}>Low Impact</th>
        <td style={{padding: '0.8rem', background: 'hsl(47, 100%, 50%)', color: 'black', textAlign: 'center', fontWeight: 'bold', border: '1px solid rgba(128,128,128,0.25)'}}>Low</td>
        <td style={{padding: '0.8rem', background: 'hsl(47, 100%, 50%)', color: 'black', textAlign: 'center', fontWeight: 'bold', border: '1px solid rgba(128,128,128,0.25)'}}>Low</td>
        <td style={{padding: '0.8rem', background: 'hsl(25, 100%, 62%)', color: 'white', textAlign: 'center', fontWeight: 'bold', border: '1px solid rgba(128,128,128,0.25)'}}>Medium</td>
      </tr>

      <tr>
        <td style={{background: 'transparent', border: 'none'}} />

        <th style={{padding: '0.8rem', background: 'rgba(128,128,128,0.15)', color: 'inherit', border: '1px solid rgba(128,128,128,0.25)', fontWeight: 500}}>Low Confidence</th>
        <th style={{padding: '0.8rem', background: 'rgba(128,128,128,0.15)', color: 'inherit', border: '1px solid rgba(128,128,128,0.25)', fontWeight: 500}}>Medium Confidence</th>
        <th style={{padding: '0.8rem', background: 'rgba(128,128,128,0.15)', color: 'inherit', border: '1px solid rgba(128,128,128,0.25)', fontWeight: 500}}>High Confidence</th>
      </tr>
    </tbody>
  </table>
</div>
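The matrix above, as an added example (not Endor Labs code) that resolves a finding's severity from a rule's impact and confidence, including the fallback to low when either factor is missing or unrecognized. It also shows, beyond what the page states, that the matrix is equivalent to adding the ranks of the two factors; the `impact`/`confidence` metadata keys on the sample rules are assumed, and the rules themselves are constructed.

```python
from typing import Optional

# Ordinal scale shared by impact and confidence, lowest first.
LEVELS = ("low", "medium", "high")

# The severity matrix from the page, indexed [impact][confidence].
SEVERITY_MATRIX = {
    "high":   {"low": "medium", "medium": "high",   "high": "critical"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
}
DEFAULT_SEVERITY = "low"  # used when impact or confidence cannot be determined


def _normalize(level: Optional[str]) -> Optional[str]:
    """Map a metadata value such as 'HIGH' or ' Medium ' onto LEVELS;
    return None for missing or unrecognized values."""
    if level is None:
        return None
    value = str(level).strip().lower()
    return value if value in LEVELS else None


def resolve_severity(impact: Optional[str], confidence: Optional[str]) -> str:
    """Resolve severity from the rule's impact and confidence; either factor
    being undetermined makes the finding low severity."""
    imp, conf = _normalize(impact), _normalize(confidence)
    if imp is None or conf is None:
        return DEFAULT_SEVERITY
    return SEVERITY_MATRIX[imp][conf]


def severity_from_score(impact: str, confidence: str) -> str:
    """Additive form (not stated on the page): rank(impact) + rank(confidence)
    mapped onto low, low, medium, high, critical reproduces every cell."""
    score = LEVELS.index(impact) + LEVELS.index(confidence)
    return ("low", "low", "medium", "high", "critical")[score]


def severities_for_rules(rules: list) -> dict:
    """Compute severity per rule id from assumed 'impact'/'confidence' metadata."""
    return {r["id"]: resolve_severity(r.get("metadata", {}).get("impact"),
                                      r.get("metadata", {}).get("confidence"))
            for r in rules}


# Constructed sample rules, not taken from any Endor Labs or Opengrep rule set.
SAMPLE_RULES = [
    {"id": "example.sql-string-concat", "metadata": {"impact": "HIGH", "confidence": "MEDIUM"}},
    {"id": "example.weak-hash", "metadata": {"impact": "MEDIUM", "confidence": "HIGH"}},
    {"id": "example.debug-logging", "metadata": {"impact": "LOW", "confidence": "LOW"}},
    {"id": "example.no-metadata", "metadata": {}},  # falls back to low
]
```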

## Language support

Endor Labs supports single-function analysis for the following languages through curated rules and custom user rules:

- Apex
- Bash
- C
- Cairo
- Circom
- Clojure
- C++
- C#
- Dart
- Dockerfile
- Elixir
- Generic
- Go
- Hack
- HTML
- Java
- JavaScript
- JSON
- Jsonnet
- Julia
- Kotlin
- Lisp
- Lua
- Move
- OCaml
- PHP
- PromQL
- Protobuf
- Python
- QL
- R
- Regex
- Ruby
- Rust
- Scala
- Scheme
- Solidity
- Swift
- Terraform
- TypeScript
- XML
- YAML

## SAST scan in Endor Labs

Endor Labs offers multiple ways to run SAST scans based on your project setup.

1. [AI-analyzed SAST scan with endorctl](#ai-analyzed-sast-scan-with-endorctl)
2. [SAST scan in monitoring scans](#sast-scan-in-monitoring-scans)
3. [SAST scan in Endor Labs GitHub Action](#sast-scan-in-endor-labs-github-action)

### AI-analyzed SAST scan with endorctl

You can run AI-analyzed SAST scans using endorctl by adding the `--ai-sast-analysis=agent-fallback` flag to your scan command. The AI agent automatically classifies findings as true positives or false positives, reducing manual triage effort. See [Run a SAST scan](/scan/sast/run-a-sast-scan) for more information.

### SAST scan in monitoring scans

You can enable SAST scans when you configure monitoring or supervisory scans using the Endor Labs SCM Apps. See [SCM Integrations](/setup-deployment/scm-integrations) for more information. To disable code snippet storage for SAST in monitoring scans, create a scan profile with the disable code snippet storage option enabled. This setting applies to all scans that use this scan profile, not just monitoring scans.

### SAST scan in Endor Labs GitHub Action

You can also enable SAST scans in the Endor Labs GitHub Action. Set the scanning parameter `scan_sast` to `true`. To disable code snippet storage for SAST scans, set `disable_code_snippet_storage` to `true`. See [Scan with GitHub Actions](/setup-deployment/ci-cd/scan-with-github-actions) for more information.

## SAST incremental scans

You can use the `--pr-incremental` flag to perform an incremental SAST [scan](/scan/pr-scans#perform-incremental-pr-scan) on your pull requests or merge requests. In [Monitoring scans](#sast-scan-in-monitoring-scans), incremental scans run by default for PR scans. Endor Labs only scans the files that have changed since the last scan on the baseline branch, by computing a diff between the target branch and the baseline branch. Endor Labs identifies the changed files, scans each modified file in full for SAST issues, and skips unchanged files. Endor Labs does not perform chunk-level or line-level code diff analysis for SAST. If more than 1000 files were modified, Endor Labs performs a complete scan instead.
