Static application security testing in SourceCraft

Static application security testing (SAST) analyzes source code to identify vulnerabilities, errors, and security standard violations without executing the actual code.

SourceCraft offers the following SAST tools:

• The built-in OpenGrep analyzer follows the community-developed rules to identify vulnerabilities that are typical for popular programming languages.
• Custom analyzer integration with uploading of results in SARIF format via the CI process.

The OpenGrep and custom analyzer scan results appear in pull requests as comments by the SourceCraft Security Bot.

To view the general list of detected issues:

1. Open the SourceCraft home page.

2. On the Home tab, navigate to Repositories and select a repository.

3. Under Security on the repository page, go to Code scanning.

   Note

   Similarly, you can view a general list of issues for all repositories in the organization.

   This list displays:

   • Issue name and number.
   • Last detected date.
   • Path to the problem file.
   • Risk level.
   • Incident status: Open or Resolved.
   • False positive mark (if any).

   To download a SARIF (Static Analysis Results Interchange Format) file for audit or integration with external systems, click Download SARIF.

   Tip

   You can filter issues by status (Open, Solved, and False positive), severity (Critical, High, Medium, and Low), and scanner type.

   Also, you can sort issues by status or severity.

4. To view detailed information about a specific issue, select it from the list.

   The page that opens displays the issue description, code block where it was detected, and history of events: when the warning was opened, who and when marked it as resolved or reopened it.

   Tip

   On this page, you can also run AI-powered vulnerability analysis.

5. To mark an incident as resolved, follow these steps:

   1. Next to the incident, click Resolve.
   2. Add a comment for the incident.
   3. Optionally, mark the incident as a false positive.
   4. Click Resolve.

6. To reopen an incident, click Reopen next to it.

See also

• Demo repository with vulnerabilities
• Security in SourceCraft
• Setting up a custom security analyzer in SourceCraft
• Security dashboard in SourceCraft
• Analyzing vulnerabilities in SourceCraft repository dependencies
• Secret scanning in a SourceCraft repository
• AI-powered vulnerability analysis in SourceCraft