Strobes comes with built-in open-source and commercial scan connectors that run different types of SAST, DAST, Network and Cloud scans. In this article we will look at how to set up a SAST scan using SpotBugs.
SpotBugs is an open-source static analysis tool that inspects compiled Java bytecode for known bug patterns, including a set of security-relevant ones.
Usage Flow Instructions
- Log in to Strobes and navigate to the SAST category on the Connectors page.
- The flow for most of the scan connectors is very similar. For the sake of this article, I am selecting SpotBugs.
- In Step One, enter your Configuration Name, select the Baseline and click Next.
About Baseline: the purpose of the Baseline is to control the noise in the scan results. It is a severity threshold applied when findings are imported, so anything below the threshold is not recorded in Strobes.
- Strict logs vulnerabilities of all severities into the Strobes platform.
- High logs only vulnerabilities of Critical and High severity into the Strobes platform; Medium and lower findings are not recorded.
- In Step Two, provide the necessary details such as your Git or SVN repository, the Asset to which you want to associate the scan results, the Agent that will run the scan, etc., and click Next.
- You also have the option to schedule the scan based on your business needs.
- In Step 3, you have the option to push the scan results into your ticketing platform and to send scan alerts to your communication tools. Select the appropriate options based on your business needs and click Submit.
- You have now successfully created the configuration for SpotBugs. The flow is similar for all the other connectors.
- Click New Scan to initiate an ad-hoc scan, provide the branch name you want to scan, followed by any scanner-specific commands. If you have scheduled the scan, Strobes triggers it automatically at the scheduled time.
- Once the scan is done, you can view the results.
- You can keep track of the scan status from the Tasks page as well.