Specifies the Mend SAST® API token to be used with all requests.
--engines [list of engines] JSON: engines ENV:SASTCLI_ENGINES
Accepts a comma-separated list of SAST engine/language IDs to be used in the analysis (e.g., 1,2). This list can also be set through the environment variable SASTCLI_ENGINES. If omitted, Mend SAST® will perform automatic language recognition.
Indicates if the CLI should upload the scan data as a new baseline for incremental scans. The baseline will include minimum relevant fragments of code representation in order to enable incremental scans.
Indicates if CLI and engine logs should be submitted to Mend.
The CLI and engine logs will be submitted to the SAST server, but if you want to manually review them, they are located under the user's HOME directory (%USERPROFILE% on Windows and $HOME on Linux), in the .sastcli/logs directory.
Specifies the size (in lines) of source code snippets submitted to the SAST server. The default value is 10; the minimum value is 1. An example can be found below this table. NOTE: If snippetsize is set to a value less than 1 while submitfiles is set to true, an error message is thrown.
Mend SAST® will not upload your full source code to the cloud. It only stores as much information as necessary to help you understand the dataflow of a detected finding. By default, snippets with a length of 10 lines are uploaded, but you can further reduce this to one single line.
Indicates if the CLI should generate a report through the server. This parameter must be used in combination with --formats. Can be used in combination with --filename to specify the filename of generated reports (without extension). Reports can only be generated if --wait is not set to false (default is true and the wait parameter can be omitted).
Specifies the filename of the generated report. The input should be given without a file extension, as the extension will be appended automatically based on the --formats input. If not specified, the filename will be automatically set to Report-%ID%, where %ID% is the scan ID.
--numcpu [num] JSON: ENV:
Specifies the number of logical CPUs for multicore processing. Default is maximum.
The following variables can only be defined in the configuration file or as environment variables.
Their use is closely related to pipeline integrations, and enables breaking the build or pipeline process by returning an exit code 9 if a threshold is violated.
For example, if the threshold is set to "high:5", the build will be broken if the scan results contain 5 or more high risk vulnerabilities. If it is set to "low:3", the build will be broken if the scan results contain a combined total of 3 or more vulnerabilities of low, medium or high risk. Similarly, with a threshold of "medium:3" the build will be broken if it contains three or more vulnerabilities of medium and/or high risk combined.
NOTE: There is no automatic or implied dependency among the high, medium, and low thresholds. Each threshold must be specified separately, and they are ORed together. For example, "high:3", "medium:4" and "low:5" means that if any one of these thresholds is reached, the build will break.
The CWE threshold works somewhat differently: it does not take into account the number and severity of the findings. Instead the CWE threshold will break the build if any finding is reported whose CWE number matches one of the CWE numbers specified in the parameter. For example, "cwe": ["CWE-89", "CWE-77"] specifies that any finding for CWE number 89 (SQL Injection) or for CWE number 77 (Command Injection) will break the build. Other findings will not break the build.
These parameters can also be set through the SASTCLI_THRESHOLD environment variables (see the table below).
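To make the cumulative severity thresholds and the CWE threshold described above concrete, here is an added Python illustration (not Mend's own code) that evaluates constructed findings against a threshold configuration and returns the documented exit code 9 on violation. It assumes the thresholds live in a JSON object with `high`, `medium`, `low` and `cwe` keys; that layout is an assumption about the configuration file, not taken from this page.

```python
import json
from typing import Dict, List

# Cumulative counting as documented: "low:N" counts low, medium and high
# findings together, "medium:N" counts medium and high, "high:N" only high.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed sample findings; not real scan output.
SAMPLE_FINDINGS = [
    {"severity": "high", "cwe": "CWE-79"},
    {"severity": "medium", "cwe": "CWE-22"},
    {"severity": "low", "cwe": "CWE-89"},
    {"severity": "high", "cwe": "CWE-77"},
]


def violated_thresholds(findings: List[dict], threshold: Dict) -> List[str]:
    """Return every threshold that is reached; they are ORed, so any entry breaks the build."""
    violated = []
    for level, rank in SEVERITY_RANK.items():
        limit = threshold.get(level)
        if limit is None:
            continue  # no implied dependency: unset levels are simply ignored
        # Count findings at this severity or any more severe one.
        count = sum(1 for f in findings if SEVERITY_RANK[f["severity"]] >= rank)
        if count >= limit:
            violated.append(f"{level}:{limit}")
    # CWE threshold: a single matching finding is enough, counts do not matter.
    watched = set(threshold.get("cwe", []))
    violated.extend(f["cwe"] for f in findings if f["cwe"] in watched)
    return violated


def exit_code(findings: List[dict], threshold: Dict) -> int:
    """Exit code a pipeline step would see: 9 when any threshold is violated, else 0."""
    return 9 if violated_thresholds(findings, threshold) else 0


def evaluate_config(config_text: str, findings: List[dict]) -> int:
    """Parse the assumed {"threshold": {...}} JSON layout and evaluate it."""
    config = json.loads(config_text)
    return exit_code(findings, config.get("threshold", {}))


if __name__ == "__main__":
    cfg = '{"threshold": {"high": 3, "medium": 4, "low": 5, "cwe": ["CWE-89", "CWE-77"]}}'
    print(evaluate_config(cfg, SAMPLE_FINDINGS))  # 9: CWE-89 and CWE-77 are present
```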