Information Security

Guide to Using Synopsys Polaris SaaS for Static Application Security Testing (SAST)

This article explains what Synopsys Polaris is, lists the programming languages it supports, describes how to access the SaaS platform, install the CLI, configure the polaris.yml file with capture and analysis settings, and run scans to obtain detailed vulnerability reports.


Polaris is a SaaS platform for static application security testing (SAST) provided by Synopsys, offering a web interface to classify, fix, and report vulnerabilities.

SAST analyzes source code or build artifacts to find security flaws early in the software development lifecycle.

Polaris supports many languages such as C/C++, C#, Java, JavaScript, TypeScript, PHP, Python, Swift, and more.

The SaaS instance is accessed via a URL like https://organization.polaris.synopsys.com, where projects can be linked to Git repositories.

To run scans, download and install the polaris_cli-linux64.zip client, add its bin directory to PATH, and configure a polaris.yml file at the project root.

The YAML file defines capture settings (Build, Filesystem, Buildless) and analyze options; examples are provided for C/C++, Java, and C# projects.

Typical capture configurations are shown in a table mapping languages to recommended capture types.

Run analysis with a command such as polaris -c polaris.yml analyze -w --coverity-ignore-capture-failure. The console output reports success and a summary of issues by severity, with a link (SummaryUrl) to view detailed results in the Polaris UI.
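As an added example (not code from the article or from Synopsys), the POSIX shell script below strings the steps above together for a CI job: it puts the unzipped CLI's bin directory on PATH, runs the exact analyze command shown, pulls the SummaryUrl out of the console output, and fails the job when the severity summary exceeds a threshold. The zip layout (polaris_cli-linux64/bin), the wording of the summary lines and the SummaryUrl line are assumptions; the sample console output is constructed for offline use, so adjust the grep/sed patterns to match what your CLI version actually prints.

```shell
#!/bin/sh
# Added example, not part of the article: wrap the Polaris CLI scan in a CI gate.
# ASSUMED: unzip layout polaris_cli-linux64/bin and the summary/SummaryUrl line
# formats below; check them against your own scan log before relying on them.

# 1. Unzip the CLI and put its bin directory on PATH (layout is an assumption).
install_polaris_cli() {
    zip="${1:-polaris_cli-linux64.zip}"
    dest="${2:-$HOME/polaris}"
    mkdir -p "$dest"
    unzip -q -o "$zip" -d "$dest"
    PATH="$dest/polaris_cli-linux64/bin:$PATH"
    export PATH
}

# 2. Run the analysis exactly as the article shows, keeping a copy of the output.
#    In bash, add `set -o pipefail` so a failed scan also fails this step.
run_polaris_scan() {
    cfg="${1:-polaris.yml}"
    log="${2:-polaris-scan.log}"
    polaris -c "$cfg" analyze -w --coverity-ignore-capture-failure 2>&1 | tee "$log"
}

# 3. Extract the SummaryUrl so the job can link straight to the Polaris UI.
summary_url() {
    sed -n 's/.*SummaryUrl[[:space:]]*[:=][[:space:]]*\(http[^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# 4. Read the count for one severity from the summary (line format is assumed).
severity_count() {
    sev="$1"; log="$2"
    n=$(grep -i "^[[:space:]]*$sev[[:space:]]*:" "$log" | head -n 1 | sed 's/.*:[[:space:]]*//')
    echo "${n:-0}"
}

# 5. Return non-zero when Critical or High counts exceed the allowed maximums,
#    so the pipeline blocks the merge instead of only linking to the report.
gate_on_severity() {
    log="$1"; max_critical="${2:-0}"; max_high="${3:-0}"
    crit=$(severity_count Critical "$log")
    high=$(severity_count High "$log")
    if [ "$crit" -gt "$max_critical" ] || [ "$high" -gt "$max_high" ]; then
        echo "gate FAILED: critical=$crit (max $max_critical) high=$high (max $max_high)" >&2
        return 1
    fi
    echo "gate passed: critical=$crit high=$high"
    return 0
}

# Constructed sample console output for offline demonstration; the real CLI's
# wording may differ. The project/branch ids in the URL are placeholders.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Analysis completed successfully
Issue summary by severity:
  Critical: 0
  High: 2
  Medium: 7
  Low: 13
SummaryUrl: https://organization.polaris.synopsys.com/projects/EXAMPLE-PROJECT-ID/branches/EXAMPLE-BRANCH-ID
EOF

# Demo on the constructed sample: allow no Critical and up to 5 High findings.
echo "Summary: $(summary_url "$SAMPLE_LOG")"
gate_on_severity "$SAMPLE_LOG" 0 5
```

In a real pipeline you would call install_polaris_cli, then run_polaris_scan, then gate_on_severity on the log that run_polaris_scan wrote; the thresholds are the policy knob, and the SummaryUrl is what you surface in the job summary so reviewers can triage in the Polaris UI.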

Example C/C++ YAML configuration:

version: "1"
project:
  name: test-cplus-demo
  branch: ${scm.git.branch}
  revision:
    name: ${scm.git.commit}
    date: ${scm.git.commit.date}
capture:
  build:
    cleanCommands:
      - shell: [make, -f, GNUmakefile, clean]
    buildCommands:
      - shell: [make, -f, GNUmakefile]
analyze:
  mode: central
install:
  coverity:
    version: default
serverUrl: https://organization.polaris.synopsys.com

Example Java YAML configuration (truncated for brevity):

version: "1"
project:
  name: test-java-demo
  ...
capture:
  build:
    cleanCommands:
      - shell: [gradle, -b, build.gradle, --no-daemon, clean]
    buildCommands:
      - shell: [gradle, -b, build.gradle, --no-daemon, shadowJar]
  # fileSystem capture is a sibling of build under capture, not a top-level key
  fileSystem:
    ears:
      extensions: [ear]
    ...
analyze:
  mode: central
install:
  coverity:
    version: default
serverUrl: https://organization.polaris.synopsys.com

Example C# YAML configuration (truncated for brevity):

version: "1"
project:
  name: test-ssharp-demo
  ...
capture:
  build:
    buildCommands:
      - shell: ['script\polaris.bat']
    skipFiles:
      - "*.java"
      - "*.text"
      - "*.js"
analyze:
  mode: central
install:
  coverity:
    version: default
serverUrl: https://organization.polaris.synopsys.com

Tags: Software Security, YAML, static analysis, Polaris, Code Scanning, SAST, Synopsys

Written by

DevOps Engineer

DevOps engineer, Pythonista and FOSS contributor. Created cpp-linter, commit-check, etc.; contributed to PyPA.
