JFrog SAST VSCode Extension
Display, visualize and triage scan results produced by JFrog SAST scanner.
Features
- Dashboard -- prioritized presentation of current report status
- Suppressions and Remarks -- mark flows as Fixed or False Positive, add notes to specific locations; persisted in the SARIF file
- Report Import/Export -- store and load the scan results, including manual suppressions and remarks
- Findings Baseline -- use a baseline report to hide known vulnerabilities and surface only new findings
- Scan on Save -- SAST scan results in the current file updated in real time
Getting Started
Prerequisites
JFrog CLI must be installed and configured:
```bash
jf --version  # verify installation
jf c add      # configure a JFrog Platform server (if not already done)
```
Using SAST analysis requires entitlements for the JFrog Advanced Security feature. To verify that the feature is enabled, run jf audit --sast in an empty folder and make sure the SAST results banner is printed. The first execution of the command may take some time because the scanner distribution package is downloaded.
Usage
Running a Scan
Click the Scan button in the Scanner sidebar to scan the source code in the current workspace. Alternatively, another project folder may be selected using the Browse... item in the drop-down menu.
- Click Stop Scan to cancel the scan.
Storing a scan
Use the Save Report button on the sidebar to save the full report data to a file. The data will include all manually added metadata, such as suppressions and remarks.
Loading a previous scan
Click Load Report in the sidebar to load any SARIF 2.1.0 file. For files stored from the plugin, the fix status and remarks on the findings will be restored from the file.
Findings Report
- Dashboard -- card-based severity breakdown of the most important issues
- All Findings -- sortable, filterable table of all issues
Selecting an issue in the report opens the associated Flow Graph if one is available, or the affected source code location directly otherwise. Issues may be annotated manually to mark them as Fixed / False Positive or to leave notes on the finding. For comparison and reference outside the system, use Copy Fingerprints to copy issue fingerprints to the clipboard. The fingerprints are robust to unrelated code changes and can be used to recognize logically equivalent findings.
Flow Graph
Visualizes the data flow analysis associated with each finding, showing the affected parts of the source code and the relations between them. Clicking a node opens the relevant location in the codebase if it is available locally. Each data flow node may be annotated. Marking a node as Fixed / False Positive adjusts the status of the whole issue accordingly.
Findings Baseline
The Set Report as Baseline button imports a SARIF file containing a previous scan and hides the findings from the current scan that already appeared in it.
- Clear to remove the baseline and see all findings again
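The two operations described above (the baseline hiding previously seen findings, and the Dashboard weighting what remains by the severity scores from the settings table) can be reproduced outside the editor on the saved SARIF files. The script below is an added example, not code from the extension or from JFrog. It assumes that findings are identified by the standard SARIF `fingerprints` / `partialFingerprints` maps (the extension's own fingerprint format is not documented here), that severity is taken from the result's `level`, and it uses two constructed sample reports instead of real scan output.

```python
"""Baseline filtering and severity scoring over SARIF 2.1.0 reports.

Added example; this is not the extension's code. It reproduces outside the
editor two things the README describes: a baseline report hides findings that
already appeared previously, and the remaining findings are weighted with the
severity scores from the settings table. Assumptions: findings are identified
by the standard SARIF `fingerprints` / `partialFingerprints` maps (the
extension's own fingerprint format is not documented here), and severity is
taken from `result.level`. Both reports below are constructed sample data.
"""
import json

# Default weights from the jfrog-sast.severityScores.* settings.
SEVERITY_SCORES = {"error": 100, "warning": 25, "note": 1}


def load_sarif(path):
    """Read a SARIF file from disk (the sample data below skips this step)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def iter_results(sarif):
    """Yield every result across all runs of a SARIF log."""
    for run in sarif.get("runs", []):
        yield from run.get("results", [])


def fingerprint_key(result):
    """Hashable identity for a result.

    Prefer the stable `fingerprints` map, then the versioned
    `partialFingerprints` map; otherwise fall back to rule id plus primary
    location, which is sensitive to unrelated edits and only a last resort.
    """
    for field in ("fingerprints", "partialFingerprints"):
        fps = result.get(field)
        if fps:
            return (field,) + tuple(sorted(fps.items()))
    locations = result.get("locations") or [{}]
    physical = locations[0].get("physicalLocation", {})
    uri = physical.get("artifactLocation", {}).get("uri")
    line = physical.get("region", {}).get("startLine")
    return ("location", result.get("ruleId"), uri, line)


def new_findings(current, baseline):
    """Results of `current` whose identity is absent from `baseline`."""
    known = {fingerprint_key(r) for r in iter_results(baseline)}
    return [r for r in iter_results(current) if fingerprint_key(r) not in known]


def severity_score(results, weights=SEVERITY_SCORES):
    """Weighted score. A result without `level` counts as `warning`,
    the SARIF fallback when no rule default applies."""
    return sum(weights.get(r.get("level", "warning"), 0) for r in results)


def dashboard(results):
    """Counts per level plus the total score, like the sidebar summary."""
    counts = {"error": 0, "warning": 0, "note": 0}
    for r in results:
        level = r.get("level", "warning")
        counts[level] = counts.get(level, 0) + 1
    return {"counts": counts, "score": severity_score(results)}


def _result(rule_id, level, uri, line, fp=None):
    """Build a minimal SARIF result (constructed sample data)."""
    res = {"ruleId": rule_id, "level": level, "message": {"text": rule_id},
           "locations": [{"physicalLocation": {
               "artifactLocation": {"uri": uri},
               "region": {"startLine": line}}}]}
    if fp:
        res["partialFingerprints"] = {"primaryLocationLineHash/v1": fp}
    return res


# Constructed baseline: two findings from an earlier scan.
BASELINE_REPORT = {"version": "2.1.0", "runs": [{"results": [
    _result("sample-sqli", "error", "src/db.js", 40, "aaaa"),
    _result("sample-xss", "warning", "src/view.js", 12, "bbbb"),
]}]}

# Constructed current scan: the same two findings (lines moved, fingerprints
# unchanged) plus two new ones, one of them without any fingerprint.
CURRENT_REPORT = {"version": "2.1.0", "runs": [{"results": [
    _result("sample-sqli", "error", "src/db.js", 47, "aaaa"),
    _result("sample-xss", "warning", "src/view.js", 15, "bbbb"),
    _result("sample-path-traversal", "error", "src/files.js", 88, "cccc"),
    _result("sample-hardcoded-secret", "note", "src/config.js", 3),
]}]}

if __name__ == "__main__":
    fresh = new_findings(CURRENT_REPORT, BASELINE_REPORT)
    print(dashboard(list(iter_results(CURRENT_REPORT))))  # all findings
    print(dashboard(fresh))  # only what the baseline does not hide
```

The fallback identity (rule id plus file and line) is deliberately the last choice: unlike a fingerprint, it changes whenever unrelated code above the finding is edited, so a baseline keyed on it would surface old findings as new after every refactor.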
Scan on Save
Upon saving a file (manually or automatically), a SAST scan is executed in the context of the current file, and the results are posted to the Problems panel.
- The feature can be enabled or disabled in the extension configuration
Configuration
All settings are under the jfrog-sast namespace:
| Setting | Type | Default | Description |
|---|---|---|---|
| jfrog-sast.jfrogCliPath | string | "jf" | Path to the JFrog CLI executable |
| jfrog-sast.jfrogCliEnv | object | {} | Environment variables passed to JFrog CLI (e.g. JFROG_CLI_LOG_LEVEL) |
| jfrog-sast.disableVersionCheck | boolean | false | Disable JFrog CLI version check on startup |
| jfrog-sast.autoRestoreSarif | boolean | true | Automatically restore the last SARIF session on startup |
| jfrog-sast.severityScores.error | number | 100 | Score weight for error-severity vulnerabilities |
| jfrog-sast.severityScores.warning | number | 25 | Score weight for warning-severity vulnerabilities |
| jfrog-sast.severityScores.note | number | 1 | Score weight for note-severity vulnerabilities |
| jfrog-sast.scan.exclusions | string[] | [] | Glob patterns to exclude from scans (e.g. *node_modules*) |
| jfrog-sast.scan.mode | string | "" | Scan mode: "" (CLI default), codebase, file, or directory |
| jfrog-sast.scan.customRulesPath | string | "" | Path to a JSON file containing custom SAST rules |
| jfrog-sast.scanOnSave.enabled | boolean | true | Enable automatic scanning on file save/open |
| jfrog-sast.scanOnSave.fileTypes | string[] | .js, .ts, .jsx, .tsx, .py, .java, .go, .rs, .c, .cpp, .cs, .php | File extensions to scan on save |
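As an added illustration (not taken from the extension's documentation), this is how the keys from the table are placed in a VS Code settings.json. The CLI path, the exclusion globs, the custom rules path and the narrowed file-type list are placeholder values chosen for the example; JFROG_CLI_LOG_LEVEL is the variable named in the table, and DEBUG is one of the log levels JFrog CLI accepts.

```json
{
  "jfrog-sast.jfrogCliPath": "/usr/local/bin/jf",
  "jfrog-sast.jfrogCliEnv": { "JFROG_CLI_LOG_LEVEL": "DEBUG" },
  "jfrog-sast.disableVersionCheck": false,
  "jfrog-sast.autoRestoreSarif": true,
  "jfrog-sast.scan.exclusions": ["*node_modules*", "*dist*", "*test/fixtures*"],
  "jfrog-sast.scan.mode": "codebase",
  "jfrog-sast.scan.customRulesPath": ".jfrog/sast-rules.json",
  "jfrog-sast.scanOnSave.enabled": true,
  "jfrog-sast.scanOnSave.fileTypes": [".js", ".ts", ".py", ".go"]
}
```

Excluding vendored and generated directories keeps the scan focused on first-party code, and narrowing scanOnSave.fileTypes to the languages actually present in the workspace avoids redundant scans on save.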
VS Code Commands
| Command | Description |
|---|---|
| JFrog SAST: Import SARIF File | Import a SARIF file for analysis |
| JFrog SAST: Show SAST Issues Dashboard | Open the priority dashboard |
| JFrog SAST: Show Vulnerability Flow Graph | Open the flow graph |
| JFrog SAST: Run Scan | Run a SAST scan on the workspace |
| JFrog SAST: Import Baseline | Import a baseline SARIF for filtering |
| JFrog SAST: Clear Baseline | Remove the active baseline |
| JFrog SAST: Export SARIF | Export current results as a SARIF file |
| JFrog SAST: Clear State | Clear all scan data and reset |
| JFrog SAST: Clear All Suppressions | Remove all suppression markers |
| JFrog SAST: Open Settings | Open JFrog SAST settings |
| JFrog SAST: Restart Server | Restart the SAST analysis server |
License
Apache 2.0