SAST, DAST, and SCA

The three primary disciplines of automated application security testing. Together they cover source code, running applications, and third-party dependencies — forming the quality-gate layer of a DevSecOps pipeline. Source: DevOps to DevSecOps in 9 Hours

The Three Disciplines

DisciplineFull NameWhat It TestsWhen It RunsStrengthsLimitations
SASTStatic Application Security TestingSource code / bytecode without executionBuild / compile timeFast, finds injection flaws, secret leakage, logic errorsHigh false-positive rate; no runtime context
DASTDynamic Application Security TestingRunning application from the outsideTest / staging environmentFinds real exploitable endpoints, misconfigurations, XSS, SQLiNo source code visibility; late in SDLC
SCASoftware Composition AnalysisOpen-source dependencies and librariesBuild timeFlags known CVEs, license violations, outdated packagesOnly finds known vulnerabilities; zero-days undetected

SAST: Static Analysis

SAST tools parse source code to identify patterns associated with security vulnerabilities. They are the earliest automated control in the pipeline.

What SAST Finds

  • Injection flaws: SQL injection, command injection, LDAP injection, XPath injection
  • Insecure cryptography: Weak hashing algorithms (MD5, SHA1), hardcoded keys
  • Secret leakage: API keys, passwords, tokens committed to source
  • Input validation gaps: Missing sanitization on user-controlled data
  • Insecure configuration: Verbose error messages, debug mode in production

SonarQube

DevOps to DevSecOps in 9 Hours uses SonarQube as the primary SAST platform. SonarQube provides:

  • Quality gates: Fail builds when code coverage, duplication, or security severity thresholds are breached
  • Issue tracking: Assign vulnerabilities to developers with remediation guidance
  • Dashboards: Trend security debt over time
  • Branch analysis: Compare feature branch quality against the main branch

Pipeline Integration

- name: SonarQube Scan
  uses: sonarsource/sonarqube-scan-action@master
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}

DAST: Dynamic Analysis

DAST tools attack the running application like an external adversary would. They require a deployed, functional instance (usually staging).

What DAST Finds

  • Runtime misconfigurations: Exposed admin panels, default credentials, missing security headers
  • Authentication weaknesses: Session fixation, weak password policies, brute-force susceptibility
  • Client-side vulnerabilities: Cross-site scripting (XSS), cross-site request forgery (CSRF)
  • Business logic flaws: Privilege escalation via parameter tampering, insecure direct object references (IDOR)
  • API vulnerabilities: Missing rate limiting, excessive data exposure, broken authorization

OWASP ZAP

The course demonstrates OWASP ZAP (Zed Attack Proxy), an open-source DAST tool maintained by the Open Web Application Security Project. ZAP features:

  • Automated scanning: Spider the application and active-scan for vulnerabilities
  • Proxy mode: Manually intercept and modify requests for exploratory testing
  • API scanning: OpenAPI/Swagger-driven automated REST API security tests
  • CI/CD integration: Headless baseline and full scans via command line or Docker
# Baseline scan (fast, non-intrusive)
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
  -t https://staging.example.com
 
# Full active scan (thorough, potentially destructive — use on staging only)
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
  -t https://staging.example.com -g gen.conf -r report.html

SCA: Composition Analysis

SCA tools inventory all open-source components and compare them against vulnerability databases (NVD, GitHub Advisory Database, vendor feeds).

What SCA Finds

  • Known CVEs: Publicly disclosed vulnerabilities in specific library versions
  • License compliance: GPL, AGPL, or proprietary conflicts that create legal risk
  • Outdated dependencies: Libraries with unmaintained or deprecated status
  • Transitive risk: Vulnerabilities in dependencies-of-dependencies

Integration Pattern

Most SCA is integrated into the build step because the dependency manifest (package.json, requirements.txt, pom.xml) is the source of truth:

# Snyk CLI example
snyk test --severity-threshold=high
 
# Trivy filesystem scan (also covers SCA)
trivy fs --scanners vuln .

The Layered Testing Strategy

No single discipline is sufficient. A mature pipeline runs all three:

Developer commits code
        ↓
   [SAST + SCA]  ← Build stage; fast feedback on code and dependencies
        ↓
   Unit / Integration Tests
        ↓
   Deploy to Staging
        ↓
   [DAST]  ← Test stage; runtime validation from an attacker's perspective
        ↓
   Manual Penetration Test (periodic)
        ↓
   Production
        ↓
   [Runtime Monitoring]  ← Falco, SIEM, anomaly detection

Quality Gates and SLAs

A typical DevSecOps quality gate policy:

SeveritySASTSCADASTAction
Critical0 allowed0 allowed0 allowedBlock merge / deployment
High≤ 2≤ 2≤ 1Require security team approval
Medium≤ 10≤ 10≤ 5Create backlog ticket; fix in next sprint
LowTrackedTrackedTrackedAddress during refactoring

Relationship to AI-Generated Code

As documented in AI Security, SAST and SCA are especially critical for AI-assisted development because LLMs may:

  • Generate code with known vulnerable patterns (e.g., eval() on user input)
  • Suggest outdated dependencies that contain CVEs
  • Produce hardcoded credentials in generated snippets

SAST provides the deterministic safety net that catches these deterministic mistakes regardless of whether the code was written by a human or an AI.

See Also


Tags: sast dast sca devsecops sonarqube zap pipeline security-testing quality-gates