# SAST

> How Batou scans code in real time as AI agents write it

Turen includes **Batou**, a real-time static application security testing (SAST) engine that scans code as AI coding agents write it. Findings are surfaced inline to Claude Code and reported to the dashboard for visibility and tracking.

## How It Works

Batou runs as a Claude Code hook on every file write and edit:

<Steps>
  <Step title="Code written">
    Claude Code creates or edits a file via Write, Edit, or NotebookEdit.
  </Step>

  <Step title="Batou scans">
    The hook sends the file content to the Batou engine, which runs pattern-based and semantic rules against the code.
  </Step>

  <Step title="Findings evaluated">
    Each finding is scored by **confidence** (how likely it is a real issue) and classified with a CWE identifier.
  </Step>

  <Step title="Decision made">
    Based on your organization's thresholds, the finding either **blocks** the write (PreToolUse) or **warns** inline (PostToolUse).
  </Step>

  <Step title="Results reported">
    Scan results and findings are sent to the Turen platform for dashboard visibility and lifecycle tracking.
  </Step>
</Steps>

## Where to Configure

Go to **Agentic Security > Software Security** (`/security/software`) and select the **SAST** tab.

### Blocking Presets

Blocking presets control when Batou blocks a write and when it only warns. Presets are based on **confidence tiers**:

| Tier        | Description                                  |
| ----------- | -------------------------------------------- |
| **Highest** | Near-certain issues only: minimal friction   |
| **High**    | High-confidence findings block, others warn  |
| **Medium**  | Moderate and above confidence findings block |
| **Low**     | Most findings block: maximum protection      |

Choose the preset that matches your organization's risk tolerance. You can also disable individual rules from the dashboard.

### Disabling Rules

From the SAST tab, expand any rule to see its details and toggle it off. Disabled rules are skipped during scans across all agents in your organization.

## Finding Lifecycle

Every Batou finding has a lifecycle status that tracks its resolution:

| Status         | Meaning                                                            |
| -------------- | ------------------------------------------------------------------ |
| **Active**     | Finding is present in the current code and unresolved              |
| **Blocked**    | Finding triggered a block: the write was prevented                 |
| **Fixed**      | Finding was present but has been resolved in a subsequent edit     |
| **Suppressed** | Developer marked the finding as acceptable risk via inline comment |

Lifecycle transitions are tracked over time and visible in the dashboard under **Issue Resolution**.

## Inline Suppression

To suppress a finding that is a false positive, add a comment above the flagged line:

```javascript
// batou:ignore RULE-ID -- reason why this is a false positive
```

Supported formats:

| Format          | Example                                                     |
| --------------- | ----------------------------------------------------------- |
| **Single rule** | `// batou:ignore BATOU-AUTH-011 -- JWT auth is CSRF-immune` |
| **Category**    | `// batou:ignore injection -- parameterized query used`     |
| **Block**       | `// batou:ignore-start xss` ... `// batou:ignore-end`       |

Suppressed findings are reported to the dashboard with their suppression reason.
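As an added example (not part of Turen's docs or the Batou engine itself), here is a small JavaScript resolver that applies the three suppression formats above to a constructed source file and reports whether a given finding is covered. The scoping rules it uses (a single-line ignore covers the next code line, a block covers every line between `ignore-start` and `ignore-end`, and a target matches either a rule ID or a category) are assumptions, not documented Batou behaviour.

```javascript
// Assumed scoping semantics for the documented comment formats:
//   // batou:ignore <rule-or-category> -- reason   -> covers the next code line
//   // batou:ignore-start <target> ... // batou:ignore-end -> covers the enclosed lines
const SINGLE = /^\s*\/\/\s*batou:ignore\s+(\S+)(?:\s+--\s*(.*))?$/;
const START = /^\s*\/\/\s*batou:ignore-start\s+(\S+)(?:\s+--\s*(.*))?$/;
const END = /^\s*\/\/\s*batou:ignore-end\b/;

// Walk the source once and return one {line, target, reason} entry
// per covered source line (1-based line numbers).
function collectSuppressions(source) {
  const entries = [];
  const open = [];      // active block suppressions (innermost last)
  let pending = null;   // single-line suppression waiting for its code line
  source.split('\n').forEach((text, idx) => {
    const lineNo = idx + 1;
    let m;
    if ((m = text.match(START))) { open.push({ target: m[1], reason: m[2] || '' }); return; }
    if (END.test(text)) { open.pop(); return; }
    if ((m = text.match(SINGLE))) { pending = { target: m[1], reason: m[2] || '' }; return; }
    if (!text.trim()) return;   // blank lines neither consume nor receive a suppression
    if (pending) { entries.push({ line: lineNo, ...pending }); pending = null; }
    for (const block of open) entries.push({ line: lineNo, ...block });
  });
  return entries;
}

// A finding is {line, ruleId, category}. Returns the suppression reason
// (possibly an empty string) when the finding is covered, otherwise null.
function suppressionFor(finding, entries) {
  const hit = entries.find((e) => e.line === finding.line &&
    (e.target === finding.ruleId || e.target === finding.category));
  return hit ? hit.reason : null;
}

// Constructed sample file exercising all three formats.
const SAMPLE = [
  '// batou:ignore BATOU-AUTH-011 -- JWT auth is CSRF-immune',
  'app.post("/transfer", handler);',
  '// batou:ignore-start xss',
  'res.send(template);',
  'res.send(other);',
  '// batou:ignore-end',
  'res.send(unreviewed);',
].join('\n');
```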

## Dashboard

The SAST dashboard is available under **Monitor > Dashboards** and provides several views:

### Scan Activity

Lines scanned and average scan time over your selected time range. Tracks scanning volume across your organization.

### Detection Confidence

Distribution of findings by confidence tier, showing how many findings fall into each confidence level. Higher-confidence findings are more likely to be real issues.

### Top Active Risks

The highest-confidence unresolved findings across your organization, ranked by confidence score. Use this to prioritize remediation.

### Vulnerability Categories

Breakdown of findings by CWE category (e.g., CWE-79 XSS, CWE-89 SQL Injection), showing which vulnerability classes appear most frequently.

### Issue Resolution

Tracks finding lifecycle over time: how many findings are Active, Fixed, Suppressed, or Blocked. Use this to measure your organization's remediation velocity.

## Supported Languages

Batou scans files based on their extension. Currently supported:

| Language   | Extensions                    |
| ---------- | ----------------------------- |
| JavaScript | `.js`, `.jsx`, `.mjs`, `.cjs` |
| TypeScript | `.ts`, `.tsx`                 |
| Python     | `.py`                         |
| Go         | `.go`                         |
| Java       | `.java`                       |
| Ruby       | `.rb`                         |
| PHP        | `.php`                        |
| Shell      | `.sh`, `.bash`, `.zsh`        |

## Claude Code Integration

Batou integrates with Claude Code via hooks configured automatically by the Turen agent. No developer setup is needed.

The agent registers hooks on two event types:

* **PreToolUse**: Scans before the write is applied. Can **block** the write if a finding exceeds the confidence threshold.
* **PostToolUse**: Scans after the write is applied. Provides **hints** to Claude Code about findings that didn't meet the blocking threshold.

When a finding blocks a write, Claude Code receives remediation guidance and is expected to fix the issue before retrying.
