SAST + DAST in CI: Quick Wins

Add static and dynamic security testing to CI/CD with minimal friction.

September 5, 2024 · 3377 views

Pipeline illustration

Static (SAST)

Run linters/semgrep/bandit/gosec/spotbugs per language; fail on high severity.
Baseline to reduce noise; allow sarif upload to code host for inline review.
Secret scanning in every push; block commits with keys.

Dynamic (DAST)

Stage environment with prod-like config; run zap/owasp/amass scopes carefully.
Define allowlist targets; time-bounded scans; throttle to avoid DoS.

Pipeline hygiene

Shift-left: PR checks for fast SAST; nightly deeper scans.
Artifacts stored with build SHA; track findings trend.
Break-glass only with approvals; keep rules versioned.

Checklist

SAST/secret scans on push + PR.
DAST on staging with scoped targets.
SARIF/uploaded results visible to devs.
Findings triaged with SLA.