SAST

Static Application Security Testing (SAST)#

Running a SAST scan on your source code repository with the CLI is simple. The results are sent to your AppSec Flow application and matched to the project by its project code identifier.

Assuming that my_source_code_repository is a git repository, you can:

$ export FLOW_API_KEY='your-api-key'
$ export FLOW_PROJECT_CODE='your-project-code'
$ cd my_source_code_repository
$ flow sast run

The following commands have the same effect.

$ cd my_source_code_repository
$ flow --api-key 'your-api-key' sast run --project-code 'your-project-code'

Output#


Issue#

Issue properties.

Issue Properties

Property            Type       Description  Required
title               string                  ✓ Yes
description         string                  No
references          string []               No
filename            string                  No
line                integer                 No
reporter            string                  No
evidence            string                  ✓ Yes
hash_evidence_line  string                  No
hash_evidence_full  string                  No
id                  string                  ✓ Yes
hash_issue          string                  No
severity            any                     ✓ Yes

Additional properties are allowed.

issue.title#

  • Type: string
  • Required: ✓ Yes
  • Minimum Length: >= 1

issue.description#

  • Type: string
  • Required: No
  • Minimum Length: >= 1

issue.references#

  • Type: string []
    • Each element in the array must have length greater than or equal to 1.
  • Required: No

issue.filename#

  • Type: string
  • Required: No
  • Minimum Length: >= 1

issue.line#

  • Type: integer
  • Required: No
  • Allowed values:

issue.reporter#

  • Type: string
  • Required: No
  • Minimum Length: >= 1

issue.evidence#

  • Type: string
  • Required: ✓ Yes
  • Minimum Length: >= 1

issue.hash_evidence_line#

  • Type: string
  • Required: No

issue.hash_evidence_full#

  • Type: string
  • Required: No

issue.id#

  • Type: string
  • Required: ✓ Yes
  • Minimum Length: >= 1

issue.hash_issue#

  • Type: string
  • Required: No
  • Minimum Length: >= 1

issue.severity#

  • Type: any
  • Required: ✓ Yes
  • Allowed values:
    • undefined
    • critical
    • high
    • medium
    • low
    • info

issues count#

Issues stats

issues count Properties

Property  Type     Description              Required
total     integer  Number of issues found.  ✓ Yes

Additional properties are allowed.

issues_count.total#

Number of issues found.

  • Type: integer
  • Required: ✓ Yes
  • Minimum: >= 0

report#

Sast scan report

report Properties

Property  Type      Description                                   Required
summary   summary   Overview of issues found during a sast scan.  ✓ Yes
issues    issue []  Issues found during the scan.                 ✓ Yes

Additional properties are allowed.

report.summary#

Overview of issues found during a sast scan.

  • Type: summary
  • Required: ✓ Yes

report.issues#

Issues found during the scan.

  • Type: issue []
  • Required: ✓ Yes

summary#

Overview of issues found during a sast scan.

summary Properties

Property      Type          Description                              Required
technologies  string []     Set of technologies scanned for issues.  ✓ Yes
issues_count  issues_count  Issues stats                             ✓ Yes

Additional properties are allowed.

summary.technologies#

Set of technologies scanned for issues.

  • Type: string []
    • Each element in the array must have length greater than or equal to 1.
  • Required: ✓ Yes

summary.issues_count#

Issues stats

  • Type: issues_count
  • Required: ✓ Yes
  • Type of each property: integer
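The property rules above, applied as a validator you can run over a scan report before trusting its contents. This is an added example, not the flow CLI's own code; it assumes the report is delivered as a JSON object shaped {"summary": {...}, "issues": [...]}, and the sample report it checks is constructed here.

```python
# Added example (not the flow CLI's own code): check a SAST report against the property
# rules documented above. Report shape assumed: {"summary": {...}, "issues": [...]}.
SEVERITIES = {"undefined", "critical", "high", "medium", "low", "info"}
ISSUE_REQUIRED = ("title", "evidence", "id", "severity")
ISSUE_NONEMPTY = ("title", "description", "filename", "reporter", "evidence", "id", "hash_issue")  # "Minimum Length: >= 1"

def is_int(value):  # strict: bool is an int subclass in Python, so exclude it
    return isinstance(value, int) and not isinstance(value, bool)

def validate_issue(issue, idx):  # violations for one issue object (empty list if valid)
    errors = []
    for key in ISSUE_REQUIRED:
        if key not in issue:
            errors.append(f"issues[{idx}]: missing required property '{key}'")
    for key in ISSUE_NONEMPTY:
        if key in issue and not (isinstance(issue[key], str) and len(issue[key]) >= 1):
            errors.append(f"issues[{idx}].{key}: must be a non-empty string")
    refs = issue.get("references", [])
    if not isinstance(refs, list) or any(not (isinstance(r, str) and r) for r in refs):
        errors.append(f"issues[{idx}].references: must be an array of non-empty strings")
    if "line" in issue and not is_int(issue["line"]):
        errors.append(f"issues[{idx}].line: must be an integer")
    if "severity" in issue and issue["severity"] not in SEVERITIES:
        errors.append(f"issues[{idx}].severity: '{issue['severity']}' is not an allowed value")
    return errors

def validate_report(report):
    """Return all violations in a report; an empty list means the report is valid."""
    summary, issues = report.get("summary"), report.get("issues")
    if not isinstance(summary, dict) or not isinstance(issues, list):
        return ["report: 'summary' (object) and 'issues' (array) are required"]
    errors = []
    techs = summary.get("technologies")
    if not isinstance(techs, list) or any(not (isinstance(t, str) and t) for t in techs):
        errors.append("summary.technologies: must be an array of non-empty strings")
    ic = summary.get("issues_count")
    total = ic.get("total") if isinstance(ic, dict) else None
    if not is_int(total) or total < 0:
        errors.append("summary.issues_count.total: must be an integer >= 0")
    for i, issue in enumerate(issues):
        errors.extend(validate_issue(issue, i))
    return errors

# Constructed sample: issue 0 is valid; issue 1 lacks 'evidence' and has a bad severity.
SAMPLE_REPORT = {
    "summary": {"technologies": ["python"], "issues_count": {"total": 2}},
    "issues": [{"id": "1", "title": "Hardcoded secret", "evidence": "API_KEY = 'x'",
                "filename": "app.py", "line": 12, "severity": "high", "references": ["CWE-798"]},
               {"id": "2", "title": "Weak hash", "severity": "blocker"}]}
```

Calling `validate_report(SAMPLE_REPORT)` returns the two violations for issue 1; a report that passes returns an empty list.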