SAST and DAST in CI/CD Pipelines
Integrate SonarQube, Semgrep, or Bandit for static analysis and OWASP ZAP for dynamic scanning in pipelines.
What is Application Security Testing?
Application security testing identifies vulnerabilities before code reaches production. Two complementary approaches exist: SAST (static analysis, which inspects code without running it) and DAST (dynamic analysis, which sends requests to a running application and observes how it responds). Both can be wired into CI/CD pipelines so that findings surface while the change is still cheap to fix, which is what shift-left security means in practice.
SAST: Static Application Security Testing
SAST analyzes source code, bytecode, or binaries for security vulnerabilities without executing the code. Because it needs nothing but the code, it can run on every commit and return feedback within minutes, before the change is merged.
Strengths: catches bugs early, at the commit that introduced them; examines every code path in the repository rather than only the ones a scanner happens to exercise at runtime; needs no deployed environment.
Weaknesses: high false-positive rate (findings need triage, and a noisy gate trains developers to ignore it); rules are language-specific, so each stack needs its own tool (Bandit for Python, for example); it cannot see runtime configuration, deployed infrastructure, or behavior that only emerges when components interact.
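The false-positive problem above is usually handled by gating the pipeline on severity and confidence and by keeping a reviewed baseline of accepted findings, so that known noise does not block every commit. The following is an added example (not code from the course page or from the Bandit project) of such a gate over Bandit's `-f json` output. The report embedded in it is constructed to look like Bandit output; the `.bandit-baseline.json` file name and the `finding_key` format are assumptions of this example, not Bandit conventions.

```python
"""CI gate for Bandit JSON reports: fail the build only on findings that
clear a severity/confidence bar and are not on a reviewed baseline."""
import json
import os
import subprocess
import sys

# Bandit reports issue_severity and issue_confidence as LOW / MEDIUM / HIGH.
LEVEL_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

# Constructed sample shaped like `bandit -r . -f json` output (not a real scan).
SAMPLE_REPORT = {
    "results": [
        {"test_id": "B105", "filename": "app/settings.py", "line_number": 12,
         "issue_severity": "LOW", "issue_confidence": "MEDIUM",
         "issue_text": "Possible hardcoded password: 'changeme'"},
        {"test_id": "B602", "filename": "app/tasks.py", "line_number": 40,
         "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "issue_text": "subprocess call with shell=True identified, security issue."},
        {"test_id": "B608", "filename": "app/reports.py", "line_number": 77,
         "issue_severity": "MEDIUM", "issue_confidence": "LOW",
         "issue_text": "Possible SQL injection vector through string-based query construction."},
        {"test_id": "B301", "filename": "tests/fixtures.py", "line_number": 5,
         "issue_severity": "MEDIUM", "issue_confidence": "HIGH",
         "issue_text": "Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data."},
    ]
}


def rank(level):
    """Map a Bandit level string to a comparable integer; unknown levels rank lowest."""
    return LEVEL_RANK.get(str(level).upper(), -1)


def finding_key(result):
    """Stable identity for a finding used in the baseline (assumed format).
    Line numbers shift when files are edited; a production baseline would key on
    the test id plus a hash of the flagged code instead."""
    return f"{result['test_id']}:{result['filename']}:{result['line_number']}"


def gate(report, min_severity="HIGH", min_confidence="MEDIUM", baseline=frozenset()):
    """Split findings into (blocking, suppressed).

    A finding blocks the build when both its severity and confidence reach the
    configured minimums and it is not on the reviewed baseline; findings on the
    baseline are reported as suppressed so reviewers can see what is being waived.
    Findings below the bar are dropped entirely to keep the gate quiet."""
    blocking, suppressed = [], []
    for result in report.get("results", []):
        if rank(result["issue_severity"]) < rank(min_severity):
            continue
        if rank(result["issue_confidence"]) < rank(min_confidence):
            continue
        if finding_key(result) in baseline:
            suppressed.append(result)
        else:
            blocking.append(result)
    return blocking, suppressed


def load_baseline(path=".bandit-baseline.json"):
    """Read a JSON list of finding keys that have been reviewed and accepted (assumed file)."""
    if not os.path.exists(path):
        return frozenset()
    with open(path, encoding="utf-8") as fh:
        return frozenset(json.load(fh))


def run_bandit(target="."):
    """Invoke Bandit recursively over `target` and parse its JSON report.
    Bandit exits non-zero when it has findings, so that is not treated as a crash."""
    proc = subprocess.run(["bandit", "-r", target, "-f", "json"],
                          capture_output=True, text=True, check=False)
    return json.loads(proc.stdout)


def main(argv):
    target = argv[1] if len(argv) > 1 else "."
    blocking, suppressed = gate(run_bandit(target), baseline=load_baseline())
    for r in suppressed:
        print(f"suppressed (baseline) {finding_key(r)}: {r['issue_text']}")
    for r in blocking:
        print(f"BLOCKING {finding_key(r)}: {r['issue_text']}")
    # Non-zero exit fails the CI job; zero lets the pipeline continue.
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python sast_gate.py src` from a pipeline step after `pip install bandit`. With the defaults (HIGH severity, at least MEDIUM confidence) the sample report yields one blocking finding, the `shell=True` call; lowering the bar to MEDIUM/MEDIUM also pulls in the pickle finding unless its key is on the baseline, while the LOW-severity hardcoded-password string and the LOW-confidence SQL string never block the build. Start strict and widen the bar only after the existing findings have been triaged, otherwise the first run floods the team and the gate gets disabled.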