SAST Quick Start

This Quick Start includes information on setting up first project scans and an overview of presets.

Setting Up

In the Projects & Scans > Create New Project window, perform the following procedure:

Step 1: Enter Project General Settings

  1. Project Name: Provide an appropriate name for the project.

  2. Preset: The Preset determines the scan rules (queries) applied to the project. Select the appropriate scanning Preset from the drop-down list.

  3. Configuration: Select the Configuration for the new project. For the trial version, it is advised to keep the default selection.

  4. Team: Select the Team for the new project. For the trial version, it is advised to keep the default selection.

  5. Policy: Select a policy for the project. For the trial version, it is advised to keep the default selection.

Notice

It is advised to leave the fields Configuration and Team unchanged in the trial.

Step 2: Select Source To Scan

  1. Select Local to upload the code as a ZIP file. The archive must be a standard (MS) ZIP file. The test account is limited to 350,000 Lines of Code (LOC).

  2. Select Shared, Source Control or Source Pulling to provide the code in any other form.

Notice

Note that you can scan the "OWASP Benchmark Project" code; go to https://github.com/OWASP/benchmark, click the Clone or download button and select your preferred option.

  3. Other sample code available for scanning includes:

     Bookstore.Net; Bookstore.Java; Bookstore.php4; WebGoat5.0; WebGoat6.0; CPP Example; iGoat; Samples; Android.

  4. If using a Browser, Eclipse, Visual Studio or IBM RAD, please start with the browser option.

  5. When the Finish button becomes active, click Finish to place the project into the scan queue.
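Before choosing the Local option it is worth checking that the source tree fits the 350,000 LOC trial limit quoted above and that the archive only contains source. The script below is an added example, not part of the Checkmarx documentation: it counts lines in recognised source files, compares the total against the limit, and builds the ZIP with the zip(1) command-line tool. The file-extension list and the excluded directories (.git, node_modules, target, bin, obj) are assumptions; adjust them to the project being scanned.

```shell
#!/usr/bin/env sh
# Added example (not from the Checkmarx guide): pre-upload LOC check and ZIP build.
# The 350,000 figure is the trial limit stated in the Quick Start; the extension
# list and the pruned directories below are assumptions for a typical project.

LOC_LIMIT=350000

# Print the number of lines in source files under directory $1.
# Dependency and build output directories are pruned so that vendored or
# generated code does not inflate the count. Prints "0" when nothing matches.
count_loc() {
  dir="$1"
  find "$dir" \
    -type d \( -name .git -o -name node_modules -o -name target -o -name bin -o -name obj \) -prune -o \
    -type f \( -name '*.java' -o -name '*.cs' -o -name '*.php' -o -name '*.js' \
               -o -name '*.py' -o -name '*.cpp' -o -name '*.c' -o -name '*.h' \) \
    -exec cat {} + | wc -l | tr -d ' '
}

# Return 0 when the tree in $1 fits within LOC_LIMIT, 1 otherwise.
check_loc_limit() {
  loc=$(count_loc "$1")
  if [ "$loc" -gt "$LOC_LIMIT" ]; then
    echo "LOC $loc exceeds the trial limit of $LOC_LIMIT; trim the tree or split the scan" >&2
    return 1
  fi
  echo "LOC $loc is within the trial limit of $LOC_LIMIT"
  return 0
}

# Build the upload archive $2 from directory $1 with zip(1), excluding the
# same directories that count_loc skips. zip(1) writes a standard ZIP file.
make_upload_zip() {
  dir="$1"
  out="$2"
  zip -q -r "$out" "$dir" \
    -x '*/.git/*' '*/node_modules/*' '*/target/*' '*/bin/*' '*/obj/*'
}

# Usage: sh prepare_upload.sh <source-dir> <output.zip>
if [ $# -eq 2 ]; then
  check_loc_limit "$1" && make_upload_zip "$1" "$2"
fi
```

Run it as `sh prepare_upload.sh ./my-project upload.zip`; the archive is only produced when the LOC check passes, so an oversized tree is caught before the upload rather than by the server.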

Step 3: Scan Execution

  • In Projects & Scans > Queue, monitor the scan progress by clicking the project line in the queue table.

Reviewing Scan Results

Step 1: Projects & Scans

  • In Projects & Scans > Projects, click Scans List to view a high-level summary of scan results and account activity.

For more information, see Dashboards.

Step 2: Review Scan Results in the Source Code

View detailed scan results within the source code. Vulnerabilities and the attack path through the code are highlighted.

The View Results page is divided into four (4) sections:

  • Scan Results Summary by vulnerability

  • Results Table or Graph

  • Attack Vector

  • Source Code

Scan Result Summary

  • Scan Results Summary pane: Summary of the vulnerabilities detected, grouped under High, Medium and Low severity. The summary shows the number of instances of each vulnerability in the code. The tool tip displays more information about the specific vulnerability and the best-practice technique for removing it.

  • Source Code pane: View the specific points in the source code where vulnerabilities were detected.

  • Results Table: A listing of each vulnerability instance and its details. Use the Filter button to organize the data and save the filtered results.

  • Graph: Gain a macro-level chart view of the vulnerabilities found in the code, see correlations between them and identify the optimal fix points (red buttons), where a single change removes several result paths.

  • Attack Vector: Shows the full path of code elements that constitute the vulnerability instance selected in the Results pane.

For more information, see Working with Scan Results.

Preset Manager: Overview

A Preset consists of a group of queries. The Preset Manager lets you view the details of the queries in each Preset.

To access the Preset Manager go to Management > Scan Settings > Preset Manager.

The queries contained in the selected preset are listed in the right pane, and the vulnerability detected by each query is described in the Query Description section below it.

For more information, see Managing Presets.