GuideDevOps
Lesson 4 of 13

SAST

Part of the Security & DevSecOps tutorial series.

What is SAST?

Static Application Security Testing (SAST) is a testing methodology that analyzes your application's source code, bytecode, or binaries for security vulnerabilities without executing the program.

Because it doesn't require a running server, compiled binaries, or a deployed database, SAST is the ultimate "Shift-Left" tool. It can be run on a developer's laptop or instantly upon pushing a commit to a continuous integration (CI) pipeline.

How does SAST work?

SAST tools operate like extremely advanced spell-checkers or linters. They scan your code line-by-line against a massive database of known dangerous programming patterns and coding flaws.

For example, a SAST tool scanning Python code will actively look for:

  • Database queries constructed using raw string concatenation (flagging it as a SQL Injection risk).
  • User input being rendered directly to HTML templates without sanitization (flagging it as a Cross-Site Scripting (XSS) risk).
  • Hardcoded plaintext passwords, IP addresses, or cryptographic keys.
  • Use of outdated, insecure hashing algorithms (e.g., finding hashlib.md5() instead of hashlib.sha256()).

The Benefits of SAST

  1. Extreme Early Detection: SAST can find vulnerabilities before the code is even complete or capable of being compiled.
  2. Pinpoint Accuracy: When SAST finds a flaw, it tells the developer the exact file name and the exact line of code where the vulnerability exists (e.g., auth.js: Line 42). This makes remediation incredibly fast.
  3. 100% Code Coverage: Unlike dynamic testing (which only tests the pages it knows how to click on), SAST reads every single line of code in the repository, exposing hidden backdoors or obscure edge cases.

The Drawbacks of SAST

While critical, SAST has significant limitations that must be understood to prevent developer burnout.

1. High False Positive Rate

Because SAST doesn't run the code, it lacks context. If it sees you concatenating a SQL string, it will scream "SQL INJECTION!" even if that string is entirely hardcoded internally and never touches user input.

If a SAST tool generates 1,000 alerts and 900 of them are false positives, developers will experience Alert Fatigue and eventually ignore the tool entirely. (Tuning the SAST rules is a full-time job for security engineers.)
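To make both the pattern matching described under "How does SAST work?" and the false-positive problem above concrete, here is an added example (written for this lesson, not code from any SAST product): a tiny rule-based scanner built on Python's standard `ast` module that reports file and line for three of the patterns listed earlier. The sample module, the rule names and the `SECRET_WORDS` list are constructed for the example; note that the literal-only concatenation in `lookup_static` is flagged anyway, because the rule has no data-flow context.

```python
import ast

# Constructed sample module (not from the lesson): three patterns a SAST rule set
# flags, plus one literal-only concatenation that a context-free rule also flags.
SAMPLE_SOURCE = '''\
import hashlib
DB_PASSWORD = "hunter2"                              # hardcoded credential
def lookup(cursor, user):                            # user input reaches SQL
    cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")
def lookup_static(cursor):                           # literals only: false positive
    cursor.execute("SELECT * FROM " + "users")
def fingerprint(data):
    return hashlib.md5(data).hexdigest()             # weak hash
'''
SECRET_WORDS = ("PASSWORD", "SECRET", "TOKEN")

def is_call_to(node, attr):
    """True if node is a call whose callee ends in `.attr`, e.g. cursor.execute()."""
    return isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == attr

def literal_only(node):
    """True if a `+` expression is built solely from string literals."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return literal_only(node.left) and literal_only(node.right)
    return isinstance(node, ast.Constant) and isinstance(node.value, str)

def scan_source(source, filename="app.py"):
    """Walk the AST once and return (file, line, rule) tuples, like a SAST report."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        # Rule 1: a `+` expression passed straight to execute(). Without data-flow analysis
        # it cannot tell user input from literals, so the literal-only call is flagged too.
        if is_call_to(node, "execute") and node.args and isinstance(node.args[0], ast.BinOp):
            rule = "SQL built by string concatenation"
            if literal_only(node.args[0]):
                rule += " (literal-only: likely false positive)"
            findings.append((filename, node.lineno, rule))
        elif is_call_to(node, "md5"):               # Rule 2: outdated hash algorithm
            findings.append((filename, node.lineno, "insecure hash: hashlib.md5"))
        # Rule 3: a string literal assigned to a name that looks like a credential.
        elif isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant) \
                and isinstance(node.value.value, str):
            for t in node.targets:
                if isinstance(t, ast.Name) and any(w in t.id.upper() for w in SECRET_WORDS):
                    findings.append((filename, node.lineno, f"hardcoded secret in {t.id}"))
    return sorted(findings, key=lambda f: f[1])

if __name__ == "__main__":
    for path, line, rule in scan_source(SAMPLE_SOURCE):
        print(f"{path}:{line}: {rule}")              # file:line output, as in the lesson
```

Running it prints four `app.py:<line>` findings; a real tool would let you suppress or down-rank the literal-only case, which is exactly the rule tuning this section describes.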

2. Language Dependent

A SAST tool must literally understand the programming language you are using. If your company writes code in Python, Java, and Go, you must buy a SAST tool that supports all three. If a team decides to experiment with a brand new language like Rust, your legacy SAST tool might be utterly blind to it.

3. Blind to Runtime/Environment Flaws

SAST only looks at application code.

  • It cannot detect if your AWS S3 bucket is configured to be public.
  • It cannot detect if your Nginx proxy allows weak SSL ciphers.
  • It cannot detect if user authentication logic breaks under heavy load.

Implementing SAST in the CI/CD Pipeline

To be effective, SAST must be automated. Running it manually once a month defeats the purpose.

A Modern Workflow:

  1. A developer creates a Pull Request in GitHub to merge their new feature.
  2. GitHub Actions intercepts the Pull Request and triggers the SAST tool (e.g., SonarQube, Checkmarx, or GitHub Advanced Security).
  3. The tool scans the diff (only the modified lines of code to save time).
  4. If a "Critical" or "High" severity vulnerability is found, the CI pipeline throws a red X and strictly blocks the PR from being merged.
  5. A comment is automatically posted on the PR showing exactly why it failed, with a link to documentation on how to fix the flaw.

Popular SAST Tools

  • SonarQube / SonarCloud: Very popular open-source/commercial hybrid. Focuses on code quality and security.
  • GitHub Advanced Security (CodeQL): Native to GitHub. Treats source code like a database you can query for flaws.
  • Checkmarx / Fortify / Veracode: Massive enterprise giants with deep, complex capabilities.
  • Bandit (Python), Gosec (Go), Brakeman (Ruby): Excellent, language-specific open-source scanners.