Sast

Static (SAST) Run linters/semgrep/bandit/gosec/spotbugs per language; fail on high severity. Baseline to reduce noise; allow sarif upload to code host for inline review. Secret scanning in every push; block commits with keys. Dynamic (DAST) Stage environment with prod-like config; run zap/owasp/amass scopes carefully. Define allowlist targets; time-bounded scans; throttle to avoid DoS. Pipeline hygiene Shift-left: PR checks for fast SAST; nightly deeper scans. Artifacts stored with build SHA; track findings trend. Break-glass only with approvals; keep rules versioned. Checklist SAST/secret scans on push + PR. DAST on staging with scoped targets. SARIF/uploaded results visible to devs. Findings triaged with SLA.