Understanding Results: The Static Code Analysis Tab
The static code analysis tab gives you the results of the source code analysis. The Infrastructure as Code (IaC) safety check is performed by Rapid Scan Static using the Sigma engine.
Rapid Scan Static is a lightweight SAST (static application security testing) scanner for finding vulnerabilities in source code. It uses the new Sigma engine which was designed from the ground up to be extremely fast. Rapid Scan Static finds vulnerabilities in cloud-native Infrastructure as Code (IaC) configurations. For example, a database may be misconfigured with read access to all customer records which can lead to catastrophic consequences for a firm. It covers all the major cloud providers and technologies such as AWS, Azure, Google Cloud, Terraform, Docker, and Ansible.
Rapid Scan Static also detects hardcoded secrets and credentials in IaC files and in source code written in languages such as Java and JavaScript/TypeScript.
Many OSS components are used via API calls. Rapid Scan Static has hundreds of checkers covering major frameworks and technologies such as openssl, Spring, Node, and React as they are used through their APIs. For example, an encryption API may be called with a weak hash even though the OSS component itself has no outstanding CVEs; the incorrect use is what introduces the vulnerability. Rapid Scan Static provides very broad API Safety coverage for OSS.
For more information about Sigma, see the Sigma documentation in Documentation Portal.
For more information about Sigma checkers, see Sigma checkers in Documentation Portal.
For information about Sigma updates, see the Sigma release notes in Documentation Portal.
Documentation Portal login is required to access these documents.
Issue types
Issue types displays the different issue types which have been detected in the static code analysis. The issue types can be filtered by clicking on an issue type.
Issues
Issues displays the different issues which have been detected in the static code analysis. The issues can be filtered by clicking on an issue.
Severity rating and file information
Severity ratings are shown above the analysed file. The ratings are color-coded according to severity.
By clicking on the file name, you can see the following information for each issue:
- Summary - a summary of the issue.
- Description - a description of the issue and its possible risks.
- Code - the code snippet with the detected issue highlighted. The code snippet can be copied by clicking on the copy icon.
- Remediation - instructions on how to correct the issue.
- Severity - the severity level, impact and likelihood.
- Taxonomies - the related Common Weakness Enumeration (CWE).
- Issue - the corresponding Sigma issue.