Static Application Security Testing (SAST)

Summary

Arnica's static code analysis feature lets developers find and fix coding issues and security vulnerabilities in their code. Arnica uses Semgrep as the backend engine for its SAST scanning and adds proprietary customization and automation features on top of it. The key advantages of Arnica's SAST capabilities are expanded rule libraries and language coverage, configurable automation of scans, and the ability to create custom SAST rules for your specific environment, so that Arnica operators can tailor the analysis to their own project requirements, coding standards, and security concerns.

Supported languages

The following languages are supported, grouped by support level (see Support Definitions below):

Supported
  • C
  • C++
  • C# (.net)
  • Go
  • Java
  • JavaScript (including JSX, TSX and TypeScript)
  • Kotlin
  • PHP
  • Python
  • Ruby
  • Rust
  • Scala

Beta Support
  • Swift

Experimental
  • Bash
  • Cairo
  • Clojure
  • Dart
  • Elixir
  • HTML
  • Jsonnet
  • Julia
  • Lisp
  • Lua
  • OCaml
  • R
  • Scheme
  • Solidity

Support Definitions

Support Level: Definition

Supported: 99%+ parse rate and 10+ rules.

Beta Support: 95%+ parse rate and 5+ rules.

Experimental: 90%+ parse rate and at least one rule.

Parse rate is the share of source files in that language the engine can parse. A file that cannot be parsed cannot be matched by any rule, so the Beta and Experimental tiers give correspondingly weaker coverage.

Global rules

Arnica's security research team maintains a library of SAST rules that is used in Arnica's SAST scanning. Combined with Semgrep's open-source rule libraries, Arnica's global rules extend language support and add security coverage. The rules are derived from customer input, community engagement, and Arnica's own research, and are continuously improved. Customers can also run their own SAST rules to identify company-specific risks across all repositories with minimal changes, and can override a default SAST rule to improve its accuracy or to change its description or risk severity.

Arnica starts from the open-source rules maintained by Semgrep and removes rules identified as less valuable, such as code-correctness rules, deprecated rules, and other rules of limited security value.
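The following is an added example, not taken from Arnica's documentation or from Arnica's own rule library. It shows what one rule looks like in Semgrep's own YAML rule schema, the engine this page names as Arnica's SAST backend, and illustrates the pieces the rest of this page refers to: the rule ID, the severity and description that an override can change, a pattern-not clause that narrows the rule to improve accuracy, and the CWE/OWASP metadata behind a finding's categorization. The rule ID, the pattern, and the metadata values are hypothetical, and whether Arnica's custom rule builder accepts raw Semgrep YAML in this form is not stated on this page.

```yaml
# Added example (not from Arnica's documentation): a Semgrep rule written in
# Semgrep's own YAML schema. The rule id, pattern and metadata values are
# hypothetical; whether Arnica's custom rule builder takes raw YAML like this
# is not stated on the page.
rules:
  - id: custom-python-subprocess-shell-injection   # hypothetical rule id
    languages: [python]
    severity: ERROR          # Semgrep severity levels: INFO, WARNING, ERROR
    message: >-
      subprocess call with shell=True and a non-literal command string.
      If any part of the command is attacker-controlled this is OS command
      injection. Pass the command as an argument list and drop shell=True.
    patterns:
      # Flag any subprocess.<func>(..., shell=True, ...) call ...
      - pattern: subprocess.$FUNC(..., shell=True, ...)
      # ... except when the command is a plain string literal ("..." matches
      # any string literal). This is the kind of accuracy tuning the text
      # describes: narrowing a rule so fixed commands stop producing findings.
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)
    metadata:
      category: security
      # The CWE and OWASP tags shown on a finding's card come from rule
      # metadata such as this.
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
      owasp:
        - "A03:2021 - Injection"
      references:
        - https://cwe.mitre.org/data/definitions/78.html
        - https://owasp.org/Top10/A03_2021-Injection/
```

With the Semgrep CLI this rule runs as `semgrep --config rule.yaml src/`. To check the rule before rolling it out, Semgrep's test convention is a target file next to the rule file containing lines annotated with `# ruleid: custom-python-subprocess-shell-injection` (must match) and `# ok: custom-python-subprocess-shell-injection` (must not match), verified with `semgrep --test`; a `subprocess.run(f"ls {user_dir}", shell=True)` line should be flagged and a `subprocess.run("ls -la", shell=True)` line should not.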

Custom SAST Rules

Arnica enables users to create, manage, and edit custom SAST rules directly within the solution. See more information on Custom SAST Rules here.

Reviewing SAST findings

To view all SAST findings, navigate to the code risks page. Select the Type column header and filter only SAST findings.

[Image: SAST findings filter]

All findings have both basic and expanded information. The basic information is shown in the columns of each finding in the global table. To see the expanded detail of a finding, click on its row; an expanded card will appear at the bottom of the screen.

[Image: Expanded finding view]

Details

Commit information

The top section within Details contains information from the commit and the Git push event. The first tile includes the commit message, a link to the original commit, and the time elapsed since the commit timestamp.

If the event was captured as part of a git push, the pusher will be shown; otherwise the field will be unknown. The author of the commit is resolved as well.

If the pusher or author is no longer a member of your Git organization, an alert will appear in red next to the name.

Description

The description includes more information about the vulnerability and shows the relevant code affected by it.

The Rule ID identifies the specific rule that flagged the code risk. This ID can be used when overriding an existing rule within Arnica, which is done in Arnica's custom SAST rule builder.

Categorization

Rules are typically tagged with the applicable CWE and OWASP categories.

References

Relevant references are added to the findings. If the rule originates from Semgrep's open-source rules library, a link to the rule definition within Semgrep's registry is included in this section.

Remediation owners

Arnica's behavioral models identify and list the names of the individuals best equipped to help resolve each finding. For example, a user may be listed if they are a frequent pull request reviewer. For more information, see the Prioritization & Product Ownership page.

If a review is required to approve a finding dismissal, it will be indicated.

History

Each finding has a full history of all events that occurred as part of its lifecycle. The history is comprised of many different events, such as:

  • Feature branches where the vulnerability is introduced or resolved.

  • Notifications or developer actions through Arnica's Slack or Microsoft Teams integration.

  • Links to comments in pull requests.

  • Links to status checks and the reports Arnica generated in each status check run.

  • SLA timer indications.

  • Changes to the risk's status.

Last updated 1 year ago