> For the complete CircleCI developer hub index, see [llms.txt](https://circleci.com/developer/llms.txt)

# defensecode/thunderscan

DefenseCode ThunderScan® is a SAST (Static Application Security Testing, WhiteBox Testing) solution for performing deep and extensive security analysis of application source code. Developers and AppSec teams can rapidly find and triage security risks and have continuous visibility with every build.


## Jobs

### scan

Scans your application source code for vulnerabilities with DefenseCode ThunderScan® SAST


| Parameter | Type | Default | Description |
|---|---|---|---|
| `alm-trigger` | string |  | Issue tracking trigger ID to be used with the scan |
| `diff` | boolean | false | Indicates if a differential/incremental scan should be performed if there is at least one baseline scan performed against an application. |
| `email-trigger` | string |  | Email trigger ID to be used with the scan |
| `engines` | string | 0 | Accepts a comma separated list of SAST engine/language IDs to be used in the analysis (e.g. 1,2). Default will perform an auto-language recognition scan. |
| `excluded-vt` | string |  | Accepts a comma separated list of vulnerability type IDs to be excluded from the analysis, e.g. 0,1,2,3. |
| `ignore-suppressed` | boolean | false | Indicating if ThunderScan® should ignore previously suppressed vulnerabilities in result output. |
| `image` | string | cimg/base:stable | Enter a custom docker image for this job. By default CircleCI's optimized `cimg/base` image will be used. |
| `parent` | string |  | Specifies the ID of the parent application for the scan.  If set to a wildcard (*), ThunderScan will automatically assign the parent application based on the target source or create a new one. |
| `post-run` | steps |  | A list of steps to run after running the tests/application |
| `pre-run` | steps |  | A list of steps that are run before running the tests/application |
| `purge` | boolean | false | Indicates if the uploaded archive should be deleted from the ThunderScan server following a finished scan. |
| `report` | boolean | false | Indicates if the reports should be generated. |
| `report-filename` | string | thunderscan-report | Specifies the filename of generated report. The input should be without a file extension as the chosen format extensions will be automatically appended to the name. |
| `report-format` | string | html | Accepts a comma separated list of report formats to be generated at the end of the scan, e.g. html,json,xml |
| `scan-name` | string | CircleCI CLI Scan | Specifies the name of the scan. |
| `slack-trigger` | string |  | Slack trigger ID to be used with the scan |
| `threshold` | string | high:1 | Enables the client to break the build or pipeline process by returning an exit code 2 if the results match a defined vulnerability threshold. For example, with the threshold set to "high:5" the build will be interruped only if the scan results contain 5 or more high risk vulnerabilities. Usage - risk:count,risk:count,risk:count |

## Examples

### thunderscan-scan

This example shows how to scan a repository project in the build pipeline with ThunderScan. Note that THUNDERSCAN_API_URL and THUNDERSCAN_API_TOKEN environment variables need to be set in context or project variables.


```yaml
version: '2.1'
orbs:
  thunderscan: defensecode/thunderscan@1.0
workflows:
  build:
    jobs:
      - thunderscan/scan:
          post-run:
            - store_artifacts:
                path: ./thunderscan-report.json
            - store_artifacts:
                path: ./thunderscan-report.html
          report: true
          report-filename: thunderscan-report
          report-format: html,json
          scan-name: $CIRCLE_PROJECT_REPONAME/$CIRCLE_BUILD_NUM
```