SAST & DAST

🔥 Vibe Prompt

"Integrate Semgrep SAST and OWASP ZAP DAST into CI/CD pipeline."

SAST with Semgrep

# .github/workflows/sast.yml
on: pull_request
jobs:
  semgrep:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: semgrep/semgrep-action@v1
        with:
          config: >
            p/default
            p/python
            p/javascript
            p/owasp-top-ten
          severity: WARNING

# Custom rule in a separate Semgrep rules file (pass its path in `config`): detect eval() usage
rules:
  - id: no-eval
    pattern: eval(...)
    message: "eval() can lead to RCE"
    languages: [python, javascript]
    severity: ERROR

Python SAST Rules

rules:
  - id: sql-injection
    patterns:
      - pattern: |
          cursor.execute("..." + $QUERY + "...")
      - pattern-not: |
          cursor.execute("...%s...", ...)
    message: "SQL injection vulnerable"
    languages: [python]
    severity: ERROR

  - id: hardcoded-secret
    pattern-either:
      - pattern: 'PASSWORD = "..."'
      - pattern: 'API_KEY = "..."'
      - pattern: 'SECRET = "..."'
    message: "Hardcoded secret detected"
    languages: [python, javascript]
    severity: ERROR

DAST with OWASP ZAP

# .github/workflows/dast.yml
on: deployment
jobs:
  zap:
    runs-on: ubuntu-latest
    steps:
      - name: ZAP Scan
        uses: zaproxy/action-baseline@v0
        with:
          target: https://staging.myapp.com
          rules_file_name: .zap/rules.tsv
          cmd_options: '-a'  # include ZAP's alpha passive-scan rules; the baseline scan is passive only
          # For an active scan use zaproxy/action-full-scan@v0 with the same inputs

# ZAP detects:
# - SQLi, XSS, CSRF
# - Missing security headers
# - CORS misconfiguration
# - Information disclosure
# - Authentication issues

SAST vs DAST

| Aspect | SAST | DAST |
|--------|------|------|
| When | During development | On running app |
| What | Source code analysis | Runtime behavior |
| Access | Source code needed | No source needed |
| False positives | Higher | Lower |
| Speed | Fast (minutes) | Slow (hours) |
| Coverage | All code paths | Only executed paths |

Secrets Detection (GitLeaks)

- uses: gitleaks/gitleaks-action@v2
  with:
    config-path: .gitleaks.toml

# Detects:
# - AWS keys, GitHub tokens
# - Private keys (RSA, SSH)
# - API keys (Stripe, Twilio)
# - JWT tokens
# - Passwords in code

Best Practices

  • Run SAST on every PR (fast feedback)
  • Run DAST on staging before production
  • Block PRs on SAST ERROR findings
  • Create custom rules for project-specific patterns
  • Use secrets scanning on every push
  • Combine SAST + DAST for full coverage
  • Track findings over time (remediate debt)
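A small merge gate for the "block PRs on SAST ERROR findings" and "track findings over time" practices above, added here as an example and not part of the original page or of Semgrep's own tooling: it reads the JSON report that `semgrep ci --json` writes, fails the job on ERROR-severity findings, surfaces WARNINGs as annotations without failing, and accepts an allowlist of known-debt keys so tracked findings stop blocking merges while they are remediated. The sample report is constructed; the `results[].check_id`, `path`, `start.line` and `extra.severity` / `extra.message` fields follow Semgrep's JSON output shape, and the `check_id:path` allowlist key is an assumption of this script.

```python
"""Gate a CI job on Semgrep's JSON report: fail on ERROR findings, surface WARNINGs.
Added example, not Semgrep's own tooling. Typical step:
    semgrep ci --json --output semgrep.json || true && python semgrep_gate.py semgrep.json
"""
import json
import sys

# Constructed sample in the shape of `semgrep --json` output.
SAMPLE = json.dumps({"results": [
    {"check_id": "no-eval", "path": "app/views.py", "start": {"line": 12},
     "extra": {"severity": "ERROR", "message": "eval() can lead to RCE"}},
    {"check_id": "sql-injection", "path": "app/db.py", "start": {"line": 40},
     "extra": {"severity": "ERROR", "message": "SQL injection vulnerable"}},
    {"check_id": "python.lang.best-practice.open-never-closed", "path": "app/io.py",
     "start": {"line": 7}, "extra": {"severity": "WARNING", "message": "file never closed"}},
], "errors": []})


def summarize(report_json, allowlist=frozenset()):
    """Split findings into (blocking, non_blocking) lists of (check_id, path, line, message).

    `allowlist` holds "check_id:path" keys for known debt that is tracked but must not
    block merges yet; keying on rule+file rather than line number keeps the entry stable
    across unrelated edits (a deliberate simplification of Semgrep's own fingerprints).
    """
    blocking, non_blocking = [], []
    for r in json.loads(report_json).get("results", []):
        entry = (r["check_id"], r["path"], r["start"]["line"], r["extra"]["message"])
        if r["extra"]["severity"] == "ERROR" and f"{r['check_id']}:{r['path']}" not in allowlist:
            blocking.append(entry)
        else:
            non_blocking.append(entry)
    return blocking, non_blocking


def main(argv):
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE
    blocking, non_blocking = summarize(report, frozenset(argv[2:]))  # extra args: allowlist keys
    # GitHub Actions workflow commands annotate the PR diff at the finding's location.
    for level, findings in (("warning", non_blocking), ("error", blocking)):
        for check, path, line, msg in findings:
            print(f"::{level} file={path},line={line}::{check}: {msg}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```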
