
SAST & DAST

SAST vs DAST

| Factor | SAST | DAST |
|---|---|---|
| When | Pre-commit / CI | Post-deploy / staging |
| Access needed | Source code | Running application URL |
| What it finds | Injection, XSS, hardcoded secrets, insecure crypto | Runtime issues, auth flaws, business logic |
| False positives | Higher (source code without context) | Lower (validated against running app) |
| Speed | Fast (seconds to minutes) | Slower (minutes to hours) |

SAST: Semgrep Rules

```yaml
# semgrep rule: detect SQL injection
rules:
  - id: sql-injection-detected
    # 'patterns' holds only pattern clauses; message, severity and languages
    # are keys of the rule itself, not list items under 'patterns'
    patterns:
      - pattern: |
          $DB.execute("SELECT ..." + $QUERY)
    message: "Potential SQL injection — use parameterised queries"
    severity: ERROR
    languages: [python, javascript]
```
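The shape of code the rule above is written to flag, beside the parameterised form its message recommends, as an added Python example (not code from the page; the `users` table and its rows are constructed for the demonstration, and sqlite3 stands in for whatever driver the real application uses):

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(db: sqlite3.Connection, name: str) -> list:
    """The pattern the SAST rule targets: a SQL string literal concatenated
    with untrusted input and handed straight to execute().  Any quote in
    `name` becomes part of the query structure."""
    return db.execute(
        "SELECT name, role FROM users WHERE name = '" + name + "'"
    ).fetchall()


def find_user_parameterised(db: sqlite3.Connection, name: str) -> list:
    """Hardened form: the value is bound by the driver, so it is only ever
    compared as data and cannot alter the statement."""
    return db.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name: str) -> dict:
    """Run the same input through both forms and report the row counts,
    which is what makes the difference visible in a test."""
    db = make_db()
    return {
        "vulnerable_rows": len(find_user_vulnerable(db, name)),
        "parameterised_rows": len(find_user_parameterised(db, name)),
    }


if __name__ == "__main__":
    # A normal lookup behaves identically in both forms ...
    print("alice:", compare("alice"))
    # ... but a value containing a quote changes the vulnerable query's
    # WHERE clause, while the parameterised query just finds no such user.
    print("quoted input:", compare("x' OR '1'='1"))
```

Running the script shows the vulnerable form returning every row for the quoted input while the parameterised form returns none; that divergence is the defect the Semgrep rule catches before the code reaches a running environment where only DAST could observe it.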

DAST: OWASP ZAP Configuration

```bash
# CI-integrated DAST scan with zap-cli.
# The target URL is a positional argument (not -l); -l / --alert-level sets the
# minimum alert level reported, and zap-cli exits non-zero when alerts at or
# above that level are found, which is what fails the pipeline step.
# All scanners run by default, so no --scanners option is needed.
zap-cli quick-scan \
  --spider \
  --alert-level High \
  https://staging.example.com
```

Combined Pipeline

```yaml
# Combined pipeline (GitLab CI syntax): jobs that share a stage run in parallel,
# so SAST, API-spec and infrastructure checks execute side by side.
stages:
  - security

sast:
  stage: security
  script:
    - semgrep scan --config=auto --error .

api-security:
  stage: security
  script:
    # Validate OpenAPI spec for security issues
    - spectral lint openapi.yaml

infra-security:
  stage: security
  script:
    - checkov -d terraform/
```