SAST & DAST

🔥 Vibe Prompt

"Integrate Semgrep SAST and OWASP ZAP DAST into CI/CD pipeline."

SAST with Semgrep

```yaml
# .github/workflows/sast.yml
on: pull_request
jobs:
  semgrep:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: semgrep/semgrep-action@v1
        with:
          config: >
            p/default
            p/python
            p/javascript
            p/owasp-top-ten
          severity: WARNING
```

```yaml
# Custom rule: detect eval() usage
rules:
  - id: no-eval
    pattern: eval(...)
    message: "eval() can lead to RCE"
    languages: [python, javascript]
    severity: ERROR
```

Python SAST Rules

```yaml
rules:
  - id: sql-injection
    patterns:
      - pattern: |
          cursor.execute("..." + $QUERY + "...")
      - pattern-not: |
          cursor.execute("...%s...", ...)
    message: "SQL injection vulnerable"
    languages: [python]
    severity: ERROR

  - id: hardcoded-secret
    pattern-either:
      - pattern: 'PASSWORD = "..."'
      - pattern: 'API_KEY = "..."'
      - pattern: 'SECRET = "..."'
    message: "Hardcoded secret detected"
    languages: [python, javascript]
    severity: ERROR
```
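As an added example (not part of the original page), a Python file that doubles as a Semgrep test fixture for the `sql-injection` rule above and as a runnable demonstration of why the rule fires: the `# ruleid:` / `# ok:` comments are Semgrep's `--test` convention, and the sqlite3 table, rows and function names are constructed for this illustration.

```python
"""Semgrep test fixture and runnable demo for the `sql-injection` rule.

Semgrep's `--test` mode reads `# ruleid: <id>` / `# ok: <id>` comments in a
file next to the rule and checks that findings land exactly on those lines.
The sqlite3 table and rows below are constructed sample data.
"""
import sqlite3


def _connect() -> sqlite3.Cursor:
    """Build an in-memory users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    cursor = conn.cursor()
    cursor.execute("CREATE TABLE users (name TEXT, role TEXT)")
    cursor.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return cursor


def find_user_unsafe(name: str) -> list[str]:
    """Concatenates input into the query text: exactly what the rule flags."""
    cursor = _connect()
    # ruleid: sql-injection
    cursor.execute("SELECT name FROM users WHERE name = '" + name + "' ORDER BY name")
    return [row[0] for row in cursor.fetchall()]


def find_user_safe(name: str) -> list[str]:
    """Bound parameter: the driver never lets input alter the query structure."""
    cursor = _connect()
    # ok: sql-injection
    cursor.execute("SELECT name FROM users WHERE name = ? ORDER BY name", (name,))
    return [row[0] for row in cursor.fetchall()]


if __name__ == "__main__":
    probe = "x' OR '1'='1"
    print("unsafe:", find_user_unsafe(probe))  # every row comes back
    print("safe:  ", find_user_safe(probe))    # no user has that literal name
```

Save the rule as `sql-injection.yaml` and this file as `sql-injection.py` in the same directory and run `semgrep --test` to confirm the rule reports only the `# ruleid:` line; sqlite3 uses `?` placeholders, so a `%s`-based `pattern-not` like the one above would need a `?` variant for drivers like this one.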

DAST with OWASP ZAP

```yaml
# .github/workflows/dast.yml
on: deployment
jobs:
  zap:
    runs-on: ubuntu-latest
    steps:
      - name: ZAP Scan
        uses: zaproxy/action-baseline@v0
        with:
          target: https://staging.myapp.com
          rules_file_name: .zap/rules.tsv
          # -a includes the alpha passive rules; the baseline scan is passive only,
          # use zaproxy/action-full-scan for an active scan
          cmd_options: '-a'

# ZAP detects:
# - SQLi, XSS, CSRF
# - Missing security headers
# - CORS misconfiguration
# - Information disclosure
# - Authentication issues
```

SAST vs DAST

| Aspect | SAST | DAST |
|--------|------|------|
| When | During development | On running app |
| What | Source code analysis | Runtime behavior |
| Access | Source code needed | No source needed |
| False positives | Higher | Lower |
| Speed | Fast (minutes) | Slow (hours) |
| Coverage | All code paths | Only executed paths |

Secrets Detection (GitLeaks)

```yaml
- uses: gitleaks/gitleaks-action@v2
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # required by v2 to report on the run
  with:
    config-path: .gitleaks.toml

# Detects:
# - AWS keys, GitHub tokens
# - Private keys (RSA, SSH)
# - API keys (Stripe, Twilio)
# - JWT tokens
# - Passwords in code
```

Best Practices

  • Run SAST on every PR (fast feedback)
  • Run DAST on staging before production
  • Block PRs on SAST ERROR findings
  • Create custom rules for project-specific patterns
  • Use secrets scanning on every push
  • Combine SAST + DAST for full coverage
  • Track findings over time (remediate debt)


SAST vs DAST: How Two Kinds of Security Testing Complement Each Other

SAST (static analysis) and DAST (dynamic analysis) are the two pillars of application security testing. They are not an either/or choice; they complement each other.

Core Differences

| Comparison | SAST (static) | DAST (dynamic) |
|:----|:----|:----|
| When it runs | While code is being written | Against a deployed, running application |
| Needs execution | ❌ No | ✅ Yes, the full application must be running |
| Vulnerabilities found | SQL injection, XSS (source-code level) | Authentication bypass, misconfiguration (runtime level) |
| False-positive rate | Higher | Lower |
| Integration stage | IDE / commit / PR | Staging / production |

Why Do You Need Both?

What SAST finds but DAST cannot:
- Hardcoded passwords
- Insecure cryptographic algorithms
- Dangerous functions that are never exercised at runtime

What DAST finds but SAST cannot:
- Authentication bypass
- Business logic vulnerabilities
- Misconfigured CORS
- SSL/TLS misconfiguration

So SAST guards the early development stage and DAST guards the pre-deployment stage; neither can be dropped.

Next Chapter Preview: SCA (Software Composition Analysis)

SAST and DAST analyze the code you write yourself. The SCA covered in the next chapter analyzes the open source packages you depend on, another important attack surface.

Unlock the Full Tutorial Content

This chapter is paid content. Join the project to unlock over 5,000 words of in-depth analysis, including 10+ god-tier Prompts and real Source Code examples!