SAST & DAST
SAST vs DAST
| Factor | SAST | DAST |
|---|---|---|
| When | Pre-commit / CI | Post-deploy / staging |
| Access needed | Source code | Running application URL |
| What it finds | Injection, XSS, hardcoded secrets, insecure crypto | Runtime issues, auth flaws, business logic |
| False positives | Higher (source code without context) | Lower (validated against running app) |
| Speed | Fast (seconds to minutes) | Slower (minutes to hours) |
SAST: Semgrep Rules

```yaml
# semgrep rule: detect SQL injection
rules:
  - id: sql-injection-detected
    # flag a query string literal that is concatenated with other data before execution
    pattern: $DB.execute("..." + $QUERY)
    message: "Potential SQL injection — use parameterised queries"
    severity: ERROR
    languages: [python, javascript]
```
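To make the matching concrete without running Semgrep, here is an added example (not code from the page) that implements the same check with Python's `ast` module: it flags `$DB.execute(...)` calls whose query is built from a string literal plus other data. It generalises the rule slightly by also catching f-strings and concatenation on either side of the literal. The three snippets and the `db` object are constructed for the demo.

```python
"""Added example, not code from the page: a minimal Python-AST version of the
Semgrep rule above. Like the rule it flags $DB.execute(...) calls that build the
query from a string literal plus other data; it generalises the rule slightly by
also catching f-strings and concatenation on either side of the literal.
The snippets and the `db` object are constructed for the demo."""
import ast
from typing import List, Tuple

MESSAGE = "Potential SQL injection: use parameterised queries"

# Constructed samples: two forms the rule should flag, one it should pass.
VULNERABLE_CONCAT = '''
def find_user(db, name):
    return db.execute("SELECT * FROM users WHERE name = '" + name + "'")
'''

VULNERABLE_FSTRING = '''
def find_user(db, name):
    return db.execute(f"SELECT * FROM users WHERE name = '{name}'")
'''

SAFE_PARAMETERISED = '''
def find_user(db, name):
    return db.execute("SELECT * FROM users WHERE name = ?", (name,))
'''


def _contains_str_literal(node: ast.expr) -> bool:
    """True if a string constant appears anywhere in a `+` chain."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.BinOp):
        return _contains_str_literal(node.left) or _contains_str_literal(node.right)
    return False


def _all_constant(node: ast.expr) -> bool:
    """True if the whole `+` chain is made of literals (no runtime data)."""
    if isinstance(node, ast.Constant):
        return True
    if isinstance(node, ast.BinOp):
        return _all_constant(node.left) and _all_constant(node.right)
    return False


def _is_tainted_query(node: ast.expr) -> bool:
    """Does the query expression splice non-literal data into SQL text?"""
    if isinstance(node, ast.JoinedStr):  # f"SELECT ... {name}"
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        # "SELECT ..." + name (the Semgrep pattern), plus either-side variants
        return _contains_str_literal(node) and not _all_constant(node)
    return False


def find_sql_injection(source: str) -> List[Tuple[int, str]]:
    """Return (line number, message) for every flagged execute() call."""
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        callee = node.func
        if isinstance(callee, ast.Attribute) and callee.attr == "execute":
            if _is_tainted_query(node.args[0]):
                findings.append((node.lineno, MESSAGE))
    return findings


if __name__ == "__main__":
    for label, code in [("concat", VULNERABLE_CONCAT),
                        ("f-string", VULNERABLE_FSTRING),
                        ("parameterised", SAFE_PARAMETERISED)]:
        print(label, find_sql_injection(code) or "clean")
```

The parameterised form passes because its first argument is a bare string constant; the query text never contains runtime data, which is exactly the property the Semgrep pattern is trying to assert. A real SAST engine adds taint tracking across assignments and function boundaries, which this syntactic check does not attempt.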
DAST: OWASP ZAP Configuration

```bash
# CI-integrated DAST scan: the target URL is positional, and quick-scan exits
# non-zero when alerts at or above --alert-level are found, which fails the job
zap-cli quick-scan \
  --spider \
  --scanners all \
  --alert-level High \
  https://staging.example.com
```
Combined Pipeline

```yaml
# GitLab CI: jobs that share a stage run in parallel, so each scanner is its own job
stages:
  - security

sast:
  stage: security
  script:
    - semgrep scan --config=auto --error .

api-security:
  stage: security
  script:
    # Validate OpenAPI spec for security issues
    - spectral lint openapi.yaml

infra-security:
  stage: security
  script:
    - checkov -d terraform/
```
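Each job above fails on its own findings, but a pipeline usually also wants one place that merges the results and decides. The following added example (not code from the page or from any of the tools) is such a gate step. It assumes each parallel job writes a SARIF report (for example `semgrep --sarif` or `checkov -o sarif`; check the options of your tool versions) and saves it as a CI artifact, and that the gate runs in a later stage. The two reports embedded below are constructed, minimal SARIF documents with placeholder rule IDs and paths, not real tool output.

```python
"""Added example, not code from the page: a gate step for the combined pipeline
above. It assumes each parallel job writes a SARIF report (e.g. `semgrep --sarif`,
`checkov -o sarif`; check your tool versions) and saves it as a CI artifact, and
that the gate runs in a later stage to fail the pipeline on error-level findings
from any scanner. The two reports below are constructed, minimal SARIF
documents; rule IDs and paths are placeholders, not real tool output."""
import json
from collections import Counter
from typing import Dict, List, Tuple

SEMGREP_REPORT = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "semgrep"}},
        "results": [{
            "ruleId": "sql-injection-detected",
            "level": "error",
            "message": {"text": "Potential SQL injection"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "app/db.py"},
                "region": {"startLine": 42}}}],
        }],
    }],
})

CHECKOV_REPORT = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "checkov"}},
        "results": [{
            "ruleId": "CKV_EXAMPLE_PLACEHOLDER",
            "level": "warning",
            "message": {"text": "Example policy failed (placeholder)"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "terraform/main.tf"},
                "region": {"startLine": 7}}}],
        }],
    }],
})

# SARIF result levels, least to most severe.
LEVEL_RANK = {"note": 0, "warning": 1, "error": 2}


def parse_sarif(report: str) -> List[Dict]:
    """Flatten a SARIF document into one dict per result."""
    rows = []
    for run in json.loads(report).get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            rows.append({
                "tool": tool,
                "rule": res.get("ruleId", "?"),
                # SARIF defines "warning" as the default when level is absent
                "level": res.get("level", "warning"),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine"),
                "text": res.get("message", {}).get("text", ""),
            })
    return rows


def gate(reports: List[str], fail_on: str = "error") -> Tuple[bool, Counter]:
    """Merge reports; pass only if no finding reaches the fail_on level."""
    findings = [f for rep in reports for f in parse_sarif(rep)]
    counts = Counter((f["tool"], f["level"]) for f in findings)
    threshold = LEVEL_RANK[fail_on]
    passed = all(LEVEL_RANK.get(f["level"], 1) < threshold for f in findings)
    return passed, counts


if __name__ == "__main__":
    import sys
    ok, summary = gate([SEMGREP_REPORT, CHECKOV_REPORT])
    for (tool, level), n in sorted(summary.items()):
        print(f"{tool:10s} {level:8s} {n}")
    print("gate:", "PASS" if ok else "FAIL")
    sys.exit(0 if ok else 1)
```

With the constructed inputs the Semgrep error-level finding fails the gate while the Checkov warning alone would pass it; lowering `fail_on` to `"warning"` makes the stage strict. Keeping the threshold in one place is easier to audit than a different per-tool exit-code convention in each job.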