Configure Data Theorem SAST

Data Theorem’s SAST engine allows multiple levels of configuration.

Within the Data Theorem portal, an administrative user can configure which code repositories should be scanned in the SAST Configuration page.

Data Theorem’s SAST engine also allows configuring the behaviour of the scanner within the context of a single repo. This is configured via a file that can optionally be provided at the root directory of the repository: data_theorem_analyzer_config.yaml. This file allows fine-grained control over the scanning behaviour, such as specifying which of the repository’s branches should be scanned.

The data_theorem_analyzer_config.yaml file is optional and does not need to be present in every repository included in SAST scanning; when it is present, its settings override the global SAST engine settings configured in the Data Theorem portal.

Disabling SAST scans on specific branches

By specifying the disable_sast_scans_on_branches key, the Data Theorem SAST engine will only scan a commit if the commit was made on a non-excluded branch.

When the SAST engine skips scanning a given commit because its branch is listed in disable_sast_scans_on_branches, the engine will attempt to display this event in the SCM UI, if the SCM supports it. For example, the SAST engine will display a ‘skipped action’ status in the GitHub UI.

Example

disable_sast_scans_on_branches:
  - branch-name-1
  - branch-name-2
  - hotfix-branch-1

Caveats

  • If the data_theorem_analyzer_config.yaml configuration file isn't present, or the disable_sast_scans_on_branches key isn't specified, commits to any branch will be scanned.

  • Branch names are case sensitive.

Rulepack Selection

The Data Theorem SAST engine supports multiple modes of operation so that developers and security teams can tune the scanner’s behaviour. This lets your team choose the tradeoff that suits you between the highest possible coverage, the acceptable level of ‘noise’ in the findings, and the turnaround time of each SAST scan.

The engine behaviour can be controlled by specifying the rule_packs key within the data_theorem_analyzer_config.yaml file. If this setting is omitted, Data Theorem’s default rulepack policy will be used, which strikes a balance we find appropriate for general use.

Currently defined rulepacks:

  • ALL

  • STANDARD

  • CRITICAL

  • SECRETS_SCANNING

  • GATEKEEPER_GAMBLING

  • P1_ISSUES

  • API_RULES

Example

rule_packs:
  - STANDARD
  - GATEKEEPER_GAMBLING

Caveats

  • When multiple rule packs are specified, their rules are combined for the scan.
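The two keys above are the whole of the per-repository configuration this page documents, so the following added example is a local pre-check a team can run before committing data_theorem_analyzer_config.yaml. It is not Data Theorem’s code and does not talk to the SAST engine: it mirrors the documented semantics (a missing file or missing key means every branch is scanned, branch names match case-sensitively, and multiple rule packs are combined) and validates rule_packs against the rulepack names listed on this page. The parser only understands the subset of YAML used in the examples (a top-level key followed by a block sequence), which avoids a PyYAML dependency; the function names and the sample config are assumptions made for this example.

```python
"""Local pre-check for data_theorem_analyzer_config.yaml (hypothetical helper).

Mirrors the behaviour documented for the disable_sast_scans_on_branches and
rule_packs keys so a team can sanity-check the file before committing it.
This is not Data Theorem's own tooling and does not contact the SAST engine.
"""
from __future__ import annotations

from typing import Optional

# Rulepack names as listed in the Data Theorem documentation.
KNOWN_RULE_PACKS = frozenset({
    "ALL", "STANDARD", "CRITICAL", "SECRETS_SCANNING",
    "GATEKEEPER_GAMBLING", "P1_ISSUES", "API_RULES",
})


def parse_config(text: Optional[str]) -> dict[str, list[str]]:
    """Parse the YAML subset the config file uses: a top-level 'key:' line
    followed by '- item' entries. None (no file in the repo) yields {}.
    Deliberately not a general YAML parser."""
    config: dict[str, list[str]] = {}
    current: Optional[str] = None
    if text is None:
        return config
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        stripped = line.lstrip()
        if stripped.startswith("- "):
            if current is None:
                raise ValueError(f"list item outside of any key: {raw!r}")
            config[current].append(stripped[2:].strip())
        elif stripped.endswith(":") and not line[0].isspace():
            current = stripped[:-1].strip()
            config[current] = []
        else:
            raise ValueError(f"unsupported line for this subset parser: {raw!r}")
    return config


def should_scan(config: dict[str, list[str]], branch: str) -> bool:
    """Documented rule: a commit is scanned unless its branch appears under
    disable_sast_scans_on_branches. The comparison is case-sensitive, so
    'Hotfix-Branch-1' is NOT excluded by an entry 'hotfix-branch-1'."""
    excluded = config.get("disable_sast_scans_on_branches", [])
    return branch not in excluded


def effective_rule_packs(config: dict[str, list[str]]) -> Optional[frozenset[str]]:
    """Validate rule_packs against the documented names. Several packs are
    combined during the scan, so the result is their union; an omitted key
    means Data Theorem's default policy, represented here as None."""
    packs = config.get("rule_packs")
    if packs is None:
        return None
    unknown = sorted(set(packs) - KNOWN_RULE_PACKS)
    if unknown:
        raise ValueError(f"unknown rule pack(s): {unknown}")
    return frozenset(packs)


# Constructed sample config combining both examples from the documentation.
SAMPLE_CONFIG = """\
# constructed sample, not from a real repository
disable_sast_scans_on_branches:
  - branch-name-1
  - branch-name-2
  - hotfix-branch-1

rule_packs:
  - STANDARD
  - GATEKEEPER_GAMBLING
"""

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for name in ("main", "hotfix-branch-1", "Hotfix-Branch-1"):
        print(f"{name}: {'scan' if should_scan(cfg, name) else 'skip'}")
    print("rule packs:", sorted(effective_rule_packs(cfg)))
```

Running the script shows that a commit on main is scanned, one on hotfix-branch-1 is skipped, and one on Hotfix-Branch-1 is still scanned because of the case-sensitive match; a misspelled rulepack name raises an error before the file is committed rather than silently changing scan coverage.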