
Extraction mode for SaaS scan tools

Extraction scans can be useful when you're working with SaaS-based scanners such as SonarQube and Burp Enterprise, where you can extract scan results from an API endpoint.

The most common use cases for Extraction mode are:

  1. Extract results from a scan that has already run.

    Suppose you have a scan job defined in your SaaS instance that automatically scans a target whenever it gets updated. In this case, you can use Extraction mode to ingest the latest scan results for that target.

  2. Extract results from a custom scan.

    • Orchestration mode is useful if you're running a default scan in the SaaS instance.

    • Extraction mode is useful when you have a custom scan job defined in the SaaS instance. An example pipeline might look something like this:

      1. A Run step sends a request to the SaaS API that starts the custom scan.
      2. A scan step runs in Extraction mode. When the custom scan finishes, the step extracts the results from the scanner API and correlates, deduplicates, and ingests the results.
Orchestration scan

  1. STO sends scan request to SaaS instance.
  2. SaaS runs scan, returns results.
  3. STO correlates, deduplicates, ingests results.

Extraction scan

  Completed scan results are already stored on the server.

  1. STO requests results from SaaS instance.
  2. SaaS returns results.
  3. STO correlates, deduplicates, ingests results.
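The custom-scan pipeline in use case 2 only works if the Run step that starts the scan does not return until the SaaS scanner has actually finished; otherwise the Extraction-mode step ingests stale or partial results. The following is an added example (not Harness documentation code and not part of STO) of a polling helper you could run in that Run step. It assumes the scanner exposes a task-status endpoint such as SonarQube's real GET /api/ce/component?component=<projectKey>, and that SONAR_HOST, SONAR_TOKEN and SONAR_PROJECT_KEY are names you choose for pipeline variables and secrets.

```python
"""
Added example: block a pipeline Run step until the SaaS scanner's analysis
of a project has completed, so the following Extraction-mode step sees
finished results. Not part of Harness STO or the SonarQube project.

Assumed endpoint: SonarQube's GET /api/ce/component?component=<projectKey>,
which lists queued/running background tasks under "queue" and the most
recently finished task under "current". Variable names SONAR_HOST,
SONAR_TOKEN and SONAR_PROJECT_KEY are placeholders chosen for this example.
"""
import base64
import json
import os
import time
import urllib.request
from typing import Callable

ACTIVE_STATES = {"PENDING", "IN_PROGRESS"}
TERMINAL_OK = {"SUCCESS"}
TERMINAL_FAIL = {"FAILED", "CANCELED"}


def analysis_state(payload: dict) -> str:
    """Classify a status response as 'running', 'done' or 'failed'.

    Results are only safe to extract when nothing is queued or in progress
    and the last completed task succeeded. An empty response (polled before
    the scanner registered the job) is treated as still running.
    """
    if any(task.get("status") in ACTIVE_STATES for task in payload.get("queue", [])):
        return "running"
    status = (payload.get("current") or {}).get("status")
    if status in TERMINAL_OK:
        return "done"
    if status in TERMINAL_FAIL:
        return "failed"
    return "running"


def wait_for_analysis(fetch: Callable[[], dict], attempts: int = 60, delay: float = 10.0) -> str:
    """Poll `fetch` until the analysis is done or failed; raise on timeout.

    `fetch` returns the parsed JSON of the status endpoint, so it can be a
    constructed stub in tests and a real HTTP call in the pipeline.
    """
    for _ in range(attempts):
        state = analysis_state(fetch())
        if state != "running":
            return state
        time.sleep(delay)
    raise TimeoutError("scanner did not finish within the polling budget")


def sonar_status_fetcher(host: str, token: str, project_key: str) -> Callable[[], dict]:
    """Build a fetcher for the real SonarQube endpoint.

    SonarQube accepts a user token as the username of HTTP Basic auth with an
    empty password; the token is never written to logs here.
    """
    url = f"{host.rstrip('/')}/api/ce/component?component={project_key}"
    credentials = base64.b64encode(f"{token}:".encode()).decode()

    def fetch() -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {credentials}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    return fetch


if __name__ == "__main__":
    # In the Run step, failing here stops the pipeline before extraction.
    fetcher = sonar_status_fetcher(
        os.environ["SONAR_HOST"], os.environ["SONAR_TOKEN"], os.environ["SONAR_PROJECT_KEY"]
    )
    result = wait_for_analysis(fetcher)
    if result != "done":
        raise SystemExit(f"analysis ended in state {result}; not extracting results")
```

Place this script in the Run step after the request that kicks off the custom scan; the Extraction-mode scan step that follows then reads a completed analysis. Keep the polling budget (attempts × delay) above the scanner's typical run time, and treat a "failed" state as a pipeline failure rather than extracting whatever the previous successful analysis left on the server.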

Example 1: SonarScanner extraction workflow

Here's a simple extraction setup for SonarScanner:

  1. Add a Build or Security stage to your pipeline.

  2. Add a SonarQube step and configure it as follows.

Scan settings

  1. Scan mode = Extraction
  2. Scan configuration:
    • Default: Extract results for the Main branch defined in SonarQube. SonarQube Community Edition supports extracting scan results for the Main branch only.
    • Branch Scan: Extract results based on how the pipeline is executed:
      • Manual executions - The branch defined in SonarQube (Target variant, specified below)
      • Triggered executions - The pull request defined in SonarQube

Target settings

  1. Target and variant detection = Manual.
  2. Target name: This should match the code repository name in SonarQube.
  3. Target variant: This should match the branch or PR defined in SonarQube.

Authentication/tool settings

  1. Domain: The SonarQube instance URL.
  2. Access token: The access token for your SaaS instance.
  3. Project key: The SonarQube project key.

Example 2: Anchore Enterprise extraction workflow

Here's a simple extraction setup for Anchore Enterprise:

  1. Add a Build or Security stage to your pipeline.

  2. Add an Anchore Enterprise step and configure it as follows.

Scan mode

  1. Scan mode = Extraction

Target

  1. Target and variant detection = Manual
  2. Target name: This should match the image name.
  3. Target variant: This should match the image tag.

Scan tool

  1. Image name: The name of the image that you want to extract from Anchore. In Extraction mode, the image to scan must be located on the Anchore server. You should include both the image name and tag, for example ubuntu:20.04.

Authentication

  1. Domain: The Anchore Enterprise SaaS URL.
  2. Access ID
  3. Access token