Static code analysis in SourceCraft

Static application security testing (SAST) analyzes source code to find vulnerabilities, defects, and violations of security standards without executing the code.

SourceCraft offers the following SAST tools:

  • The built-in OpenGrep analyzer uses community-maintained rules to detect vulnerability patterns typical of popular programming languages.
  • Integration of a custom analyzer whose results are uploaded in SARIF format from your CI pipeline.

The OpenGrep and custom analyzer scan results appear in pull requests as comments by the SourceCraft Security Bot.

To view a general list of detected issues:

  1. Open the SourceCraft home page.

  2. On the Home tab, navigate to Repositories and select a repository.

  3. Under Security on the repository page, go to Code scanning.

    Note

    Similarly, you can view a general list of issues for all repositories in the organization.

    This list displays:

    • Issue name and number.
    • Date of the last detection.
    • Path to the file where the issue was detected.
    • Severity level indicator.
    • Issue status: Open or Resolved.
    • False positive mark (if any).

    To download a SARIF (Static Analysis Results Interchange Format) file for audit or integration with external systems, click Download SARIF.

    Tip

    You can filter issues by status (Open, Resolved, and False positive), severity (Critical, High, Medium, or Low), and scanner type.

    You can also sort issues by status or severity.

  4. To view detailed information about a specific issue, select it from the list.

    The page that opens displays a description of the issue, the block of code in which it was detected, and a timeline of events: when the issue was opened, and who marked it as resolved or reopened it and when.

    Tip

    On this page, you can also run AI-powered vulnerability analysis.

  5. To mark an issue as resolved, follow these steps:

    1. Next to the issue, click Resolve.
    2. Add a comment explaining why the issue is being resolved.
    3. Optionally, mark the issue as a false positive.
    4. Click Resolve.

  6. To reopen an issue, click Reopen next to it.
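Both the custom analyzer integration (results uploaded as SARIF from CI) and the Download SARIF button on the Code scanning page rely on the same format, so the example below covers both sides. It is an added illustration, not SourceCraft's own code or a script it ships: it builds a minimal SARIF 2.1.0 document from a hypothetical custom analyzer's findings (the kind of file a CI step would upload), then reads such a document back and flattens it into the rows the Code scanning list shows (path, severity, rule, message) with a severity filter. The findings, the tool name and the mapping from SARIF levels to the Critical/High/Medium/Low scale are all constructed assumptions for this example; SARIF itself only defines the levels error, warning, note and none.

```python
"""Build a SARIF 2.1.0 report and summarize it like a code-scanning list.

Added example (not SourceCraft code). The findings, tool name and the
level-to-severity mapping are assumptions made for illustration.
"""
import json
from collections import Counter

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Constructed sample findings, as a hypothetical custom analyzer might hold them.
FINDINGS = [
    {"rule": "hardcoded-secret", "level": "error", "path": "src/config.py",
     "line": 12, "text": "API key assigned to a constant"},
    {"rule": "sql-concat", "level": "error", "path": "src/db.py",
     "line": 40, "text": "SQL query built by string concatenation"},
    {"rule": "weak-hash", "level": "warning", "path": "src/auth.py",
     "line": 7, "text": "MD5 used for password hashing"},
    {"rule": "debug-flag", "level": "note", "path": "src/app.py",
     "line": 3, "text": "DEBUG=True committed to source"},
]

# SARIF defines only error/warning/note/none; mapping them onto the
# Critical/High/Medium/Low scale is an assumption of this example.
LEVEL_TO_SEVERITY = {"error": "High", "warning": "Medium", "note": "Low", "none": "Low"}
SEVERITY_ORDER = ["Low", "Medium", "High", "Critical"]


def to_sarif(findings, tool_name="custom-analyzer", tool_version="0.1"):
    """Serialize findings into one SARIF run; each rule is declared once."""
    rules = {}
    for f in findings:
        rules.setdefault(f["rule"], {
            "id": f["rule"],
            "shortDescription": {"text": f["text"]},
            "defaultConfiguration": {"level": f["level"]},
        })
    results = [{
        "ruleId": f["rule"],
        "level": f["level"],
        "message": {"text": f["text"]},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": f["path"], "uriBaseId": "%SRCROOT%"},
            "region": {"startLine": f["line"]},
        }}],
    } for f in findings]
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def summarize(sarif, min_severity="Low"):
    """Flatten a SARIF document into list rows, filtered and sorted by severity.

    A result without an explicit "level" falls back to its rule's
    defaultConfiguration, as the SARIF spec prescribes.
    """
    rows = []
    for run in sarif["runs"]:
        default_levels = {
            r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
            for r in run["tool"]["driver"].get("rules", [])
        }
        for res in run.get("results", []):
            level = res.get("level") or default_levels.get(res["ruleId"], "warning")
            loc = res["locations"][0]["physicalLocation"]
            rows.append({
                "rule": res["ruleId"],
                "severity": LEVEL_TO_SEVERITY.get(level, "Low"),
                "path": loc["artifactLocation"]["uri"],
                "line": loc.get("region", {}).get("startLine"),
                "message": res["message"]["text"],
            })
    threshold = SEVERITY_ORDER.index(min_severity)
    rows = [r for r in rows if SEVERITY_ORDER.index(r["severity"]) >= threshold]
    rows.sort(key=lambda r: (-SEVERITY_ORDER.index(r["severity"]), r["path"], r["line"] or 0))
    return rows


def severity_counts(rows):
    """Count rows per severity, e.g. for a CI gate on High/Critical findings."""
    return dict(Counter(r["severity"] for r in rows))


if __name__ == "__main__":
    # Round-trip through JSON text to mimic upload from CI and later download.
    uploaded = json.dumps(to_sarif(FINDINGS), indent=2)
    downloaded = json.loads(uploaded)
    for r in summarize(downloaded, min_severity="Medium"):
        print(f'{r["severity"]:<7} {r["path"]}:{r["line"]}  {r["rule"]}: {r["message"]}')
    print(severity_counts(summarize(downloaded)))
```

The same `summarize` function can be pointed at a file obtained with Download SARIF to feed an external tracker, and `severity_counts` gives a CI step a simple gate (for example, fail the job when any High result is present) before results are uploaded.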

See also