Configure static application security testing (SAST) scanning to automatically detect security vulnerabilities and code quality issues in your source code during development. SAST scanning analyzes source code without executing it, identifying potential security flaws, coding errors, and deviations from security best practices across multiple programming languages. Before you begin, ensure you have component management permissions and access to the security tools you want to configure.
Choose your SAST scanning approach
CloudBees Unify supports two approaches for SAST scanning: implicit scanning through application security posture management (ASPM) and explicit scanning through workflow actions.
To choose the right approach:
- Determine your scanning needs:
  - Choose implicit scanning for continuous security monitoring that automatically triggers when components are created or code is committed.
  - Choose explicit scanning for custom workflow integration with specific scan timing and configuration control.
- Identify your programming languages and technology stack to select compatible SAST scanners from the available options.

Your choice affects which configuration steps to follow in the subsequent sections.
Configure implicit SAST scanning
Implicit SAST scanning integrates with ASPM to provide automatic security analysis across your application portfolio.
| You must have ASPM enabled for your organization and the Manage security tools permission to configure implicit scanning. |
To configure implicit SAST scanning:
- Navigate to in your organization.
- Filter the available tools:
  - Select SAST from the Category filter, or
  - Search for specific scanner names in the search field.
- Select and activate your chosen SAST scanner(s) by selecting the toggle switch from the available implicit scanners:
  - Checkov: Infrastructure as Code (IaC) security scanning
  - Gitleaks: Git repository secret detection
  - Gosec: Go-specific security analysis
  - Klocwork: Enterprise SAST for Java, C++, C#, and Python (requires configuration)
  - njsscan: Node.js security analysis
  - SCC Scanner: Language analyzer (enabled by default)
  - Snyk IaC: Infrastructure as Code security analysis
  - Snyk SAST: Comprehensive multi-language SAST analysis
  - FindSecBugs: Java binary security analysis

  Additional implicit scanners for binary analysis include Grype, Syft SBOM, and Trivy.

  The system activates the selected scanners for all components in your organization hierarchy.
- Configure scanner-specific settings if required:
  - Access individual scanner configuration through the Marketplace.
  - Set file inclusion or exclusion patterns as needed.
  - Configure severity thresholds and reporting preferences.

  Scanner configuration options vary by tool. Refer to individual scanner documentation for detailed configuration guidance.

Once configured, implicit scanning automatically analyzes code when you create components or commit changes to linked repositories.
Configure explicit workflow SAST scanning
Explicit workflow SAST scanning provides granular control over when and how security analysis runs within your CloudBees Unify workflows.
To configure explicit workflow SAST scanning:
- Add SAST scanning actions to your workflow YAML file in the appropriate job step. Available explicit SAST scanners include:
  - SonarQube bundled: Headless SonarQube for standalone analysis
  - SonarQube plugin: Integration with a centralized SonarQube instance
  - Snyk SAST: Multi-language security analysis
  - Mend SAST: Security-focused static analysis
  - Nexus IQ SAST: Enterprise policy-driven analysis
  - GitHub Advanced Security: Native GitHub integration
  - Gosec: Go-specific security analysis
  - FindSecBugs: Java security analysis
  - njsscan: Node.js security analysis
  - Checkmarx SAST: Enterprise-grade analysis
  - Checkov: Infrastructure as Code scanning
- Configure scanner authentication and credentials:
  - Create the required secrets in your CloudBees Unify organization or component settings.
  - Set up API tokens, server URLs, and organization names as required by your chosen scanner.

  Common authentication patterns include:
  - Token-based: Most scanners require API tokens stored as secrets.
  - Server URL: Some enterprise scanners require custom server endpoints.
  - Organization context: Many scanners require organization or account identifiers.
- Customize scan parameters for your specific needs:
  - Define file inclusion or exclusion patterns using scanner-specific syntax.
  - Set scan timeout values appropriate for your codebase size.
  - Configure result output formats and reporting options.

  Example with custom parameters:

  ```yaml
  - name: Scan with Mend SAST
    uses: https://github.com/cloudbees-io/mend-sast-scan-code@v1
    with:
      server-url: ${{ vars.MEND_SERVER_URL }}
      token: ${{ secrets.MEND_SECRET }}
      language: "LANGUAGE_PYTHON"
  ```

| Explicit scanning requires manual workflow configuration and maintenance. Ensure your team has the expertise to manage scanner updates and configuration changes. |
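The credential and parameter steps above are easy to get subtly wrong in a hand-maintained workflow: a token pasted as a literal instead of a `${{ secrets.NAME }}` reference, or a scanner action referenced by branch name rather than a release tag. The following Python script is an added example, not part of the CloudBees documentation or of any CloudBees action, that checks a workflow file for exactly those two mistakes. The sample workflow text is constructed: the Mend step reproduces the example above, while the second step uses a hypothetical action name and a made-up literal token so the checks have something to flag. It is a line-based check rather than a full YAML parse, so it works on any workflow text without extra dependencies; for a production lint you would load the file with a YAML parser and walk the `steps` list instead.

```python
import re

# Constructed sample workflow text. The Mend step mirrors the page's example;
# the second step is a hypothetical action with a made-up literal token,
# included only so the checks below have something to flag.
SAMPLE_WORKFLOW = """\
jobs:
  sast:
    steps:
      - name: Scan with Mend SAST
        uses: https://github.com/cloudbees-io/mend-sast-scan-code@v1
        with:
          server-url: ${{ vars.MEND_SERVER_URL }}
          token: ${{ secrets.MEND_SECRET }}
          language: "LANGUAGE_PYTHON"
      - name: Hypothetical scanner step (constructed failure case)
        uses: https://github.com/example-org/hypothetical-sast-action@main
        with:
          token: "not-a-real-token-literal"
"""

# Input keys that should only ever carry a secret reference (assumed list;
# extend it with the credential input names of the scanners you use).
SECRET_KEYS = {"token", "api-token", "api-key", "password"}

# A well-formed ${{ secrets.NAME }} reference.
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")
USES_LINE = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)")
KEY_VALUE = re.compile(r"^\s*(?:-\s*)?([A-Za-z0-9_-]+):\s*(.*?)\s*$")
# Branch-style refs that move over time and so are not pinned.
UNPINNED_REFS = {"main", "master", "latest"}


def lint_workflow(text):
    """Return (line, rule, detail) tuples for each problem found.

    Rules:
      unpinned-action  - `uses:` has no version tag, or points at a branch name
      literal-secret   - a credential input holds a literal value instead of
                         a ${{ secrets.NAME }} reference
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        uses = USES_LINE.match(line)
        if uses:
            ref = uses.group(1)
            _, sep, tag = ref.rpartition("@")
            if not sep or tag in UNPINNED_REFS:
                findings.append((lineno, "unpinned-action", ref))
            continue
        kv = KEY_VALUE.match(line)
        if not kv:
            continue
        key, value = kv.group(1).lower(), kv.group(2).strip("\"'")
        if key in SECRET_KEYS and value and not SECRET_REF.match(value):
            findings.append((lineno, "literal-secret", key))
    return findings


if __name__ == "__main__":
    for lineno, rule, detail in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {rule}: {detail}")
```

Run against the sample, the Mend step passes both checks, and the constructed second step produces one `unpinned-action` finding for the `@main` reference and one `literal-secret` finding for its `token` input. Wiring this into a pre-commit hook or a pull-request check keeps credentials in the secrets store and scanner versions under explicit control, which is the maintenance burden the note above refers to.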
For detailed information about SAST scanner inputs, usage examples, and language support, refer to SAST scanner reference.
| Use multiple complementary scanners to achieve comprehensive coverage across different languages and security analysis approaches in your codebase. |
Review and manage SAST findings
After configuring SAST scanning, access and manage your security findings through the CloudBees Unify Security Center.
To review SAST findings:
- Navigate to in your organization.
- Select the appropriate view:
  - Component Security Center for component-specific findings
  - Application Security Center for application-level security posture
- Review findings by severity level, scanner type, and remediation status.
- Use the triage workflow to prioritize and track remediation efforts.

Results from explicit scanner actions also appear in the security insights dashboard under . For more information, refer to Investigate security insights.
For detailed guidance on findings management, refer to Triage security findings.