Static Application Security Testing (SAST) is a security practice that involves analyzing the source code of applications to identify vulnerabilities. Unlike SCA, CSA, and SBOM scanning, which identify software that your software depends on to run, SAST analyzes your own codebase. SOOS offers a SAST connector, meaning you connect one or more SAST tools of your choice via the SARIF file format. By leveraging your own tool but layering on SOOS, you gain a consistent user experience across all scan types for Governance Policies, Issue Management, Integrated Dashboards with SCA, CSA, DAST and SBOM scans, notifications, and attestations. The main steps involved in SAST scanning include:

  • Codebase Analysis: Run the SAST tool of your choice against your application codebase. Note: you must source and set up a SAST tool that meets your needs, and that tool must produce results in the SARIF format. The SOOS platform does not include a native SAST capability. See OWASP's list of Open Source or Free and Commercial SAST scanners here.
  • Export Results as SARIF: Export the SAST results using the industry standard SARIF file format.
  • Import Results into SOOS: Either upload the results through the SOOS file upload or via the SOOS SAST script.
  • Governance Policies: The SOOS CWE governance policies may be run against SAST results.
  • Issue Creation: Issues are created for any SAST rule violation detected in the SAST results. Note: Some rules may have attestations identified within the code, and these will be imported into SOOS and shown on the web dashboard in the “Attested” workflow state.
  • Report Generation: Scan reports for each analyzed SAST application are created and accessible via the SOOS Developer Dashboard.
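As an added example (not SOOS code and not tied to any particular scanner), the following Python check reads a SARIF 2.1.0 export before upload and separates open results from those carrying an accepted in-source suppression, which is the kind of in-code attestation the workflow above surfaces as "Attested". The tool name, rule ids, file paths and line numbers in the embedded sample are constructed.

```python
import json
from dataclasses import dataclass

# Constructed sample: a minimal SARIF 2.1.0 log of the kind a SAST tool exports.
# Tool name, rule ids, paths and lines are hypothetical.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleSAST", "rules": [
            {"id": "EX001", "shortDescription": {"text": "SQL injection"}},
            {"id": "EX002", "shortDescription": {"text": "Hardcoded secret"}},
        ]}},
        "results": [
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "User input reaches SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "EX002", "level": "warning",
             "message": {"text": "Possible API key in source"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/config.py"},
                 "region": {"startLine": 7}}}],
             # An in-code suppression comment is exported by the tool like this.
             "suppressions": [{"kind": "inSource", "status": "accepted",
                               "justification": "test fixture value"}]},
        ],
    }],
})

@dataclass
class Finding:
    rule_id: str
    rule_name: str
    level: str
    uri: str
    line: int
    attested: bool  # True when an accepted in-source suppression is present

def parse_sarif(text):
    """Flatten a SARIF log into one Finding per result, resolving rule names."""
    log = json.loads(text)
    if log.get("version") != "2.1.0":
        raise ValueError("expected SARIF 2.1.0")
    findings = []
    for run in log["runs"]:
        rules = {r["id"]: r.get("shortDescription", {}).get("text", "")
                 for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            loc = res.get("locations", [{}])[0].get("physicalLocation", {})
            # A suppression with no status is treated as accepted here.
            attested = any(s.get("kind") == "inSource" and s.get("status", "accepted") == "accepted"
                           for s in res.get("suppressions", []))
            findings.append(Finding(res["ruleId"], rules.get(res["ruleId"], ""),
                                    res.get("level", "warning"),
                                    loc.get("artifactLocation", {}).get("uri", ""),
                                    loc.get("region", {}).get("startLine", 0), attested))
    return findings

def summarize(findings):
    """Count open vs attested findings per level as a pre-upload sanity check."""
    summary = {"open": {}, "attested": {}}
    for f in findings:
        bucket = "attested" if f.attested else "open"
        summary[bucket][f.level] = summary[bucket].get(f.level, 0) + 1
    return summary
```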

SAST has some unique characteristics:

  • Static Analysis: SAST tools, including linters and secrets scanners, analyze source code, bytecode, or binaries without executing the program, looking for vulnerabilities, coding standards violations, and sensitive information leaks. Because nothing needs to run, issues are identified early in the development cycle.
  • Comprehensive Coverage: It examines the entire codebase, looking for common vulnerabilities such as SQL injection, cross-site scripting (XSS), buffer overflows, and insecure coding practices.
  • Language Specific: Many SAST tools are specific to certain programming languages and frameworks. Even when a tool supports multiple languages, the particular rules that are run are usually specific to one language.