Applying a scan policy to the analysis

For the analysis (scan) phase, you can specify a scan policy: a set of filters that OpenText SAST applies during analysis to remove lower-priority issues from the results, so that the most serious vulnerabilities stand out and you can remediate the code quickly. The following table describes the three provided scan policies.

Policy name: security
  This is the default scan policy. It excludes code-quality issues, dataflow issues whose sources are typically trusted, and categories that are typically noisy. Use this policy to focus code remediation on security issues.

Policy name: devops
  This scan policy expands on the security policy by excluding additional issues that are likely to be noise and by further reducing low-priority issues. Use it when scan speed is a priority and developers review results directly, without any intermediate auditing. Issues that remain after you apply this scan policy are probably serious security issues that require remediation.

  Note: The devops scan policy does not automatically include any customization made to the local security scan policy file.

Policy name: classic
  This scan policy does not exclude any issues. Use it to see all issues, or if you prefer to filter issues with filter sets in a project template, which hides issues in the results without removing them from the FPR.

To specify a scan policy for your analysis, include the -scan-policy (or -sc) option in the analysis phase as shown in the following example:

sourceanalyzer -b MyProject -scan -scan-policy devops -f MyResults.fpr

Alternatively, you can specify the scan policy with the com.fortify.sca.ScanPolicy property in the fortify-sca.properties file. For example:

com.fortify.sca.ScanPolicy=devops

Note: You can apply a filter file (see Excluding issues with filter files) in addition to a scan policy setting for an analysis. In this case, OpenText SAST applies both the scan policy and the filter file to the analysis.

Creating custom scan policies

The scan policy files reside in the <sast_install_dir>/Core/config/scales directory, one file per policy, named scan-policy-<name>.txt (for example, scan-policy-security.txt). You can change the settings in these policy files to customize the provided policies, or you can create your own scan policy files. Because the files live in the installation directory, a change applies to every scan on that installation that selects the policy. For information about the syntax used for the scan policy files, see Excluding issues with filter files.

To create a custom scan policy file:

  1. Go to <sast_install_dir>/Core/config/scales/.

  2. Open a text editor and create a file named scan-policy-<name>.txt, where <name> is the name for your custom scan policy.

  3. Add filters to the scan-policy-<name>.txt file and save it.

  4. To use the custom scan policy for your analysis, type the command as shown in the following example. In this example, the scan policy file name is scan-policy-myscanpolicy.txt.

    sourceanalyzer -b MyProject -scan -scan-policy myscanpolicy -f MyResults.fpr

    Alternatively, you can specify the custom scan policy in the fortify-sca.properties file, for example com.fortify.sca.ScanPolicy=myscanpolicy.
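The procedure above, as an added shell example that is not part of the OpenText SAST documentation. The install path (/opt/Fortify/Fortify_SCA), the policy name (myscanpolicy), the build ID (MyProject) and the filter entries in the policy file are assumptions chosen for illustration; the entries use the category and category:subcategory forms of the filter-file syntax and are examples of code-quality categories a team might exclude, not a recommendation. The script refuses to overwrite the three provided policy files, because editing those changes the results of every scan on the installation that selects them.

```shell
#!/bin/sh
# Added example, not part of the OpenText SAST documentation: create a custom scan
# policy file (scan-policy-<name>.txt) in the scales directory and run the analysis
# phase with it. Install path, policy name, build ID and filter entries are assumed.

SAST_INSTALL_DIR="${SAST_INSTALL_DIR:-/opt/Fortify/Fortify_SCA}"  # assumed path
SCALES_DIR="$SAST_INSTALL_DIR/Core/config/scales"
POLICY_NAME="myscanpolicy"

# Write scan-policy-<name>.txt into the given scales directory.
# Refuses to overwrite the provided security, devops and classic policies.
write_scan_policy() {
    scales_dir="$1"
    name="$2"
    case "$name" in
        security|devops|classic)
            echo "refusing to overwrite provided policy '$name'" >&2
            return 1 ;;
    esac
    [ -d "$scales_dir" ] || { echo "no such directory: $scales_dir" >&2; return 1; }
    # Filter-file syntax: one entry per line, a category or category:subcategory.
    # These code-quality categories are illustrative choices, not a recommendation.
    cat > "$scales_dir/scan-policy-$name.txt" <<'EOF'
Poor Logging Practice
Dead Code
Code Correctness:Misspelled Method Name
Unreleased Resource:Streams
EOF
}

# Number of non-blank filter entries in a policy file, for a quick sanity check.
policy_entry_count() {
    grep -c -v '^[[:space:]]*$' "$1"
}

# Run the analysis phase with the custom policy. -scan-policy takes the <name>
# part of the file name, not a path, and the build ID must match an earlier
# translation done with the same -b value.
run_scan() {
    build_id="$1"
    name="$2"
    output_fpr="$3"
    sourceanalyzer -b "$build_id" -scan -scan-policy "$name" -f "$output_fpr"
}

# Only act when the tool is installed; the functions above can still be
# exercised against a temporary directory without it.
if command -v sourceanalyzer >/dev/null 2>&1; then
    write_scan_policy "$SCALES_DIR" "$POLICY_NAME" &&
        run_scan MyProject "$POLICY_NAME" MyResults.fpr
fi
```

Issues excluded by a scan policy are not written to the FPR, so they cannot be brought back later by changing a filter set in the results; if you need the complete picture for an audit, run a separate scan with the classic policy.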

See also

Translation and analysis phase properties