SAST & DAST
🔥 Vibe Prompt
"Integrate Semgrep SAST and OWASP ZAP DAST into CI/CD pipeline."
SAST with Semgrep
```yaml
# .github/workflows/sast.yml
on: pull_request
jobs:
  semgrep:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: semgrep/semgrep-action@v1
        with:
          # Registry rulesets plus the repository's own rules directory
          config: >
            p/default
            p/python
            p/javascript
            p/owasp-top-ten
            .semgrep/
          severity: WARNING
```

```yaml
# .semgrep/no-eval.yml
# Custom rule: detect eval() usage
# (Semgrep rules live in their own rule file, not inside the workflow YAML)
rules:
  - id: no-eval
    pattern: eval(...)
    message: "eval() can lead to RCE"
    languages: [python, javascript]
    severity: ERROR
```
Python SAST Rules
```yaml
rules:
  - id: sql-injection
    patterns:
      # String concatenation into the query text
      - pattern: |
          cursor.execute("..." + $QUERY + "...")
      # Parameterised form is fine
      - pattern-not: |
          cursor.execute("...%s...", ...)
    message: "SQL injection vulnerable"
    languages: [python]
    severity: ERROR
  - id: hardcoded-secret
    pattern-either:
      - pattern: 'PASSWORD = "..."'
      - pattern: 'API_KEY = "..."'
      - pattern: 'SECRET = "..."'
    message: "Hardcoded secret detected"
    languages: [python, javascript]
    severity: ERROR
```
DAST with OWASP ZAP
```yaml
# .github/workflows/dast.yml
on: deployment
jobs:
  zap:
    runs-on: ubuntu-latest
    steps:
      - name: ZAP Scan
        uses: zaproxy/action-baseline@v0
        with:
          target: https://staging.myapp.com
          rules_file_name: .zap/rules.tsv
          # -a also enables the alpha passive-scan rules; the baseline scan is passive only,
          # use zaproxy/action-full-scan when an active scan of staging is wanted
          cmd_options: '-a'
# ZAP detects:
# - SQLi, XSS, CSRF
# - Missing security headers
# - CORS misconfiguration
# - Information disclosure
# - Authentication issues
```
SAST vs DAST
| Aspect | SAST | DAST |
|--------|------|------|
| When | During development | On running app |
| What | Source code analysis | Runtime behavior |
| Access | Source code needed | No source needed |
| False positives | Higher | Lower |
| Speed | Fast (minutes) | Slow (hours) |
| Coverage | All code paths | Only executed paths |
Secrets Detection (GitLeaks)
```yaml
- uses: actions/checkout@v4
  with:
    fetch-depth: 0 # full history, so a secret removed in a later commit is still found
- uses: gitleaks/gitleaks-action@v2
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    GITLEAKS_CONFIG: .gitleaks.toml # v2 is configured through env vars, not `with:`
# Detects:
# - AWS keys, GitHub tokens
# - Private keys (RSA, SSH)
# - API keys (Stripe, Twilio)
# - JWT tokens
# - Passwords in code
```
Best Practices
- Run SAST on every PR (fast feedback)
- Run DAST on staging before production
- Block PRs on SAST ERROR findings
- Create custom rules for project-specific patterns
- Use secrets scanning on every push
- Combine SAST + DAST for full coverage
- Track findings over time (remediate debt)
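Two of the practices above, blocking PRs on ERROR findings and tracking existing debt over time, in one gate script. This is an added example, not code from the page or from Semgrep: it assumes the `results[].check_id / path / extra.severity` shape of Semgrep's `--json` output and a repository file `.semgrep-baseline` (one `rule@path` fingerprint per line) that records findings already accepted as known debt.

```python
"""Gate a PR on Semgrep findings: an assumed helper script, not part of Semgrep or this page's workflow.
Reads the JSON that `semgrep --json` emits (results[].check_id / path / extra.severity) and fails on
ERROR findings not already in a committed baseline, so new debt is blocked while known debt is tracked.
"""
import json
import os
import sys

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}

# Constructed sample of Semgrep's --json output, trimmed to the fields used here.
SAMPLE_REPORT = json.dumps({"results": [
    {"check_id": "no-eval", "path": "app/views.py", "start": {"line": 42},
     "extra": {"severity": "ERROR", "message": "eval() can lead to RCE"}},
    {"check_id": "sql-injection", "path": "app/db.py", "start": {"line": 10},
     "extra": {"severity": "ERROR", "message": "SQL injection vulnerable"}},
    {"check_id": "unused-import", "path": "app/util.py", "start": {"line": 3},
     "extra": {"severity": "WARNING", "message": "unused import"}},
], "errors": []})

def load_findings(report_json):
    """Return (check_id, path, severity) tuples from a Semgrep JSON report."""
    return [(r["check_id"], r["path"], r["extra"]["severity"])
            for r in json.loads(report_json)["results"]]

def fingerprint(finding):
    """Baseline key: rule id + file. Line numbers shift as code moves, so they are left out."""
    check_id, path, _severity = finding
    return f"{check_id}@{path}"

def blocking_findings(findings, baseline, min_severity="ERROR"):
    """Findings at or above min_severity that the baseline has not already accepted."""
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in findings
            if SEVERITY_RANK[f[2]] >= threshold and fingerprint(f) not in baseline]

def gate(report_json, baseline_fingerprints, min_severity="ERROR"):
    """Return (exit_code, blocking): exit code 1 blocks the PR, 0 lets it through."""
    blocking = blocking_findings(load_findings(report_json), set(baseline_fingerprints), min_severity)
    return (1 if blocking else 0), blocking

if __name__ == "__main__":
    # In CI: semgrep ci --json > report.json && python sast_gate.py < report.json
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    baseline = open(".semgrep-baseline").read().split() if os.path.exists(".semgrep-baseline") else []
    code, blocking = gate(report, baseline)
    for check_id, path, severity in blocking:
        print(f"{severity} {check_id} in {path} (new, not in baseline)")
    sys.exit(code)
```

Regenerating `.semgrep-baseline` from the fingerprints of the current report, and shrinking it as findings are fixed, gives the over-time view the last practice asks for.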
SAST vs DAST: How the Two Kinds of Security Testing Complement Each Other
SAST (static analysis) and DAST (dynamic analysis) are the two pillars of application security testing. They are not an either/or choice; they complement each other.
Core Differences
| Comparison | SAST (static) | DAST (dynamic) |
|:----|:----------|:----------|
| When it runs | While code is being written | Once the application is deployed and running |
| Needs execution? | ❌ No | ✅ Yes, the full application must be started |
| Vulnerabilities found | SQL injection, XSS (source-code level) | Authentication bypass, misconfiguration (runtime level) |
| False-positive rate | Higher | Lower |
| Integration stage | IDE / commit / PR | Staging / production |
Why do you need both?
What SAST finds but DAST cannot:
- Hardcoded passwords
- Insecure cryptographic algorithms
- Dangerous functions in code that is never executed
What DAST finds but SAST cannot:
- Authentication bypass
- Business-logic vulnerabilities
- Incorrect CORS configuration
- SSL/TLS misconfiguration
So SAST is the gate in early development and DAST is the gate before deployment; neither can be left out.
Next chapter preview: SCA (Software Composition Analysis)
SAST and DAST analyze the code you wrote yourself. SCA, the subject of the next chapter, analyzes the open source packages you depend on, which are another important attack surface.