Static (SAST) Scans

Use static analysis to scan source code for security vulnerabilities. To accomplish this, download a small client utility and use its command line interface (CLI) perform security analysis on all supported languages. The client utility also contains a Maven plugin that can be used to scan Java projects. Static analysis plug-ins for Eclipse, IntelliJ IDEA, and Visual Studio are available through their respective marketplaces. Once plugins are installed, you can scan Java projects in Eclipse and IntelliJ IDEA, or .NET (C#, ASP.NET, VB.NET) projects in Visual Studio.

Before you begin

To learn about all of the languages that are supported for static analysis scans, see Language support.

Procedure

To scan your code:
  1. Download and set up the Static Analyzer Client Utility, as described in Setting up the Static Analyzer Client Utility.
  2. Scan or generate an IRX file for your code.
    1. To generate an IRX file by using the CLI, follow the instructions in Generating an IRX file by using the command line interface (CLI). You can scan all supported languages from the CLI.
    2. To generate an IRX file for a Maven project, follow the instructions in Running static analysis for a Maven project.
    3. To scan source code in Eclipse, IntelliJ IDEA, or Visual Studio, follow the instructions in Scanning in integrated development environments. In Eclipse and IntelliJ IDEA, you can scan Java projects - and in Visual Studio, you can scan .NET (C#, ASP.NET, VB.NET).
    Note: When you scan source code or generate an IRX file, you might receive a message about updating to the latest Client Utility. See Client Utility and cloud service version compatibility.
  3. If you not yet done so: Create an application for your scans.
  4. In the Application, click Create Scan to open the wizard, then click Static Scan to start configuring your scan.
  5. Upload File tab: Drag-and-drop your IRX file into the gray area (or Click to select the file), then click Next.
  6. Preferences tab: You can opt to run your scan as a Personal Scan whose security issues will not be added to the issues for the application as a whole. You can also deselect the default option that sends you an email when the scan completes.
  7. Click Review and Scan to proceed to the summary dialog.
  8. You can optionally edit the default name that was given to the scan (the APK file name with a date and time stamp).
  9. Click Scan Now.