SAST & DAST
Vibe Prompt
"Integrate Semgrep SAST and OWASP ZAP DAST into CI/CD pipeline."
SAST with Semgrep
```yaml
# .github/workflows/sast.yml
on: pull_request
jobs:
  semgrep:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: semgrep/semgrep-action@v1
        with:
          # registry rulesets plus the repo's own rules file
          config: >
            p/default
            p/python
            p/javascript
            p/owasp-top-ten
            .semgrep.yml
```

Custom rules live in a separate rules file (here `.semgrep.yml`), not under the action's `with:` block:

```yaml
# .semgrep.yml -- custom rule: detect eval() usage
rules:
  - id: no-eval
    pattern: eval(...)
    message: "eval() can lead to RCE"
    languages: [python, javascript]
    severity: ERROR
```
Python SAST Rules
```yaml
rules:
  - id: sql-injection
    patterns:
      # string concatenation into the query text ...
      - pattern: |
          cursor.execute("..." + $QUERY + "...")
      # ... but not a parameterised query
      - pattern-not: |
          cursor.execute("...%s...", ...)
    message: "SQL injection vulnerable"
    languages: [python]
    severity: ERROR
  - id: hardcoded-secret
    pattern-either:
      - pattern: 'PASSWORD = "..."'
      - pattern: 'API_KEY = "..."'
      - pattern: 'SECRET = "..."'
    message: "Hardcoded secret detected"
    languages: [python, javascript]
    severity: ERROR
```
DAST with OWASP ZAP
```yaml
# .github/workflows/dast.yml
on: deployment
jobs:
  zap:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # needed so .zap/rules.tsv is available to the scan
      - name: ZAP Scan
        uses: zaproxy/action-baseline@v0
        with:
          target: https://staging.myapp.com
          rules_file_name: .zap/rules.tsv
          cmd_options: '-a'   # also run the alpha passive-scan rules
# The baseline action is a passive scan; active checks (SQLi, XSS) need zaproxy/action-full-scan.
# ZAP detects:
# - SQLi, XSS, CSRF
# - Missing security headers
# - CORS misconfiguration
# - Information disclosure
# - Authentication issues
```
SAST vs DAST
| Aspect | SAST | DAST |
|--------|------|------|
| When | During development | On running app |
| What | Source code analysis | Runtime behavior |
| Access | Source code needed | No source needed |
| False positives | Higher | Lower |
| Speed | Fast (minutes) | Slow (hours) |
| Coverage | All code paths | Only executed paths |
Secrets Detection (GitLeaks)
```yaml
- uses: actions/checkout@v4
  with:
    fetch-depth: 0   # full history, so secrets committed and later "removed" are still found
- uses: gitleaks/gitleaks-action@v2
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    GITLEAKS_CONFIG: .gitleaks.toml   # v2 takes the config path from this env var
# Detects:
# - AWS keys, GitHub tokens
# - Private keys (RSA, SSH)
# - API keys (Stripe, Twilio)
# - JWT tokens
# - Passwords in code
```
Best Practices
- Run SAST on every PR (fast feedback)
- Run DAST on staging before production
- Block PRs on SAST ERROR findings
- Create custom rules for project-specific patterns
- Use secrets scanning on every push
- Combine SAST + DAST for full coverage
- Track findings over time (remediate debt)
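The "block PRs on SAST ERROR findings" and "track findings over time" practices need a small gate step after Semgrep runs. The script below is an added example, not code from the page or from Semgrep: it reads the report that `semgrep --json` writes (rule id in `check_id`, severity in `extra.severity`), fails the job when any finding reaches the blocking severity, and returns per-rule counts you can append to a trend log. The sample report is constructed; the file name `gate.py` and the rule ids from the custom rules above are assumptions.

```python
"""Gate a CI job on Semgrep findings (added example, not the page's code).

Reads the JSON that `semgrep --json` writes: rule id in `check_id`,
severity in `extra.severity`, location in `path` and `start.line`.
"""
import json
import sys
from collections import Counter

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}

# Constructed sample in the shape Semgrep emits for the custom rules above.
SAMPLE_REPORT = json.dumps({"results": [
    {"check_id": "no-eval", "path": "app/views.py", "start": {"line": 42},
     "extra": {"severity": "ERROR", "message": "eval() can lead to RCE"}},
    {"check_id": "hardcoded-secret", "path": "app/config.py", "start": {"line": 3},
     "extra": {"severity": "ERROR", "message": "Hardcoded secret detected"}},
    {"check_id": "no-eval", "path": "app/utils.py", "start": {"line": 9},
     "extra": {"severity": "ERROR", "message": "eval() can lead to RCE"}},
    {"check_id": "python.lang.best-practice.open-never-closed", "path": "app/io.py",
     "start": {"line": 10}, "extra": {"severity": "WARNING", "message": "file never closed"}},
], "errors": []})


def blocking_findings(report: dict, threshold: str = "ERROR") -> list:
    """Findings whose severity is at or above `threshold` (unknown levels count as INFO)."""
    floor = SEVERITY_RANK[threshold]
    return [r for r in report.get("results", [])
            if SEVERITY_RANK.get(r["extra"].get("severity"), 0) >= floor]


def gate(report_json: str, threshold: str = "ERROR") -> tuple:
    """Return (exit_code, per-rule counts). 1 blocks the PR; the counts feed a trend log."""
    report = json.loads(report_json)
    blocking = blocking_findings(report, threshold)
    for r in blocking:  # one line per finding, in the path:line form CI annotators pick up
        print(f"{r['path']}:{r['start']['line']}: [{r['extra']['severity']}] "
              f"{r['check_id']}: {r['extra']['message']}")
    return (1 if blocking else 0), dict(Counter(r["check_id"] for r in blocking))


if __name__ == "__main__":
    # usage: python gate.py semgrep.json   (falls back to the constructed sample)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(src)[0])
```

In the workflow, run `semgrep --json --config .semgrep.yml . > semgrep.json` and then `python gate.py semgrep.json` as the next step; a non-zero exit fails the PR check.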