SAST, DAST, and SCA are the three scanner classes that anchor a DevSecOps pipeline. This module covers what each actually detects, how to choose tools, and how to wire them into CI without turning your build times into a latency incident.

Clear definitions

SAST (Static Application Security Testing): analyzes source code or compiled bytecode without running it. Detects code-level patterns — SQL injection via unsanitized input, hardcoded crypto keys, unsafe deserialization. Strengths: broad coverage, language-aware. Weaknesses: false positives, limited data-flow reach for dynamic languages
DAST (Dynamic Application Security Testing): interacts with the running application via HTTP, attempts attacks, observes responses. Detects runtime behaviour — reflected XSS that actually fires, SQL errors surfaced by a specific payload, weak auth flows. Strengths: tests real runtime behaviour. Weaknesses: needs staging deployment; coverage depends on what the scanner can reach
SCA (Software Composition Analysis): inventories the libraries your code depends on; compares against vulnerability databases. Detects “your code uses log4j 2.14.0 which has CVE-2021-44228.” Strengths: fast, deterministic. Weaknesses: only as good as the database; doesn’t know whether the vulnerable function is actually reached from your code

SAST — tool landscape in 2026

Semgrep — open source + commercial, fast, rule-based pattern matching in 30+ languages. Sweet spot for startups. Rule authoring is accessible — you can write custom rules for your codebase’s specific patterns
SonarQube / SonarCloud — broad language support, quality and security combined. Free tier for public repos, paid for private
Snyk Code — AI-assisted. Good JavaScript/TypeScript/Python coverage. Paid
Checkmarx — enterprise, deep dataflow analysis, slow, expensive. Common in banking/FSI
Veracode — SaaS, cloud-analysis model. Reports are audit-friendly
GitHub Advanced Security (CodeQL) — if you are already on GitHub, the integration ease is significant. Strong Java, C/C++, Go, Python

For most teams: start with Semgrep (free tier catches 70% of common issues) + GitHub code scanning. Upgrade only when you need specific features.

SAST integration — the minimal CI job

# .github/workflows/security.yml
name: Security Scan
on: [pull_request]

jobs:
  semgrep:
    runs-on: ubuntu-latest
    container: returntocorp/semgrep
    steps:
      - uses: actions/checkout@v4
      - run: |
          semgrep ci \
            --config p/security-audit \
            --config p/owasp-top-ten \
            --config p/r2c-ci \
            --sarif --output semgrep.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep.sarif

Managing SAST false positives

The single biggest reason SAST programs die: too many false positives, developers stop reading reports. Tuning approaches:

Baseline existing findings — mark all current findings as accepted; gate only on new findings. Forces monotonic improvement without demanding a big-bang backlog clear
Per-finding suppression with justification comment in code. Audit suppressions quarterly
Rule tuning — disable low-signal rules; write custom rules for your known-bad patterns
Triage SLA — every new high-severity finding has a 3-business-day triage target. Not fix target — triage (is it real, is it exploitable, what’s the plan)

DAST — tools and strategy

OWASP ZAP — free, open source. Decent out of the box. Headless mode for CI (zap-full-scan.py)
Burp Suite Enterprise — commercial, scheduled scans of staging, integration with Jenkins/CI
StackHawk — DAST as a service, designed for CI integration. Spec-driven (gives the scanner your OpenAPI doc so it actually knows the API)
Nuclei — template-based, fast, narrow. Good for CVE-matching and cloud misconfiguration checks. Not a full DAST

DAST strategy — where it goes in CI

DAST against every PR is usually too slow. Typical pattern:

Every PR: fast baseline scan (ZAP baseline, ~5 min) — catches HTTP-header misses and known-safe checks
Nightly: full active scan against staging
Pre-release: focused scan against release candidate
Post-deploy to prod: scheduled scan of production external-facing endpoints

Feeding DAST an OpenAPI spec

A DAST scanner without a spec is crawling blind. With an OpenAPI/Swagger spec, it knows every endpoint, parameter, required field — and tests systematically:

# Example with ZAP
docker run -t owasp/zap2docker-stable zap-api-scan.py \
  -t https://api.staging.example.com/openapi.json \
  -f openapi \
  -z "-config scanner.attackMode=HIGH"

# Or with StackHawk
hawk scan --api openapi.json --env staging

SCA — the supply chain scanner

Dependabot (GitHub-native) — free, opens PRs to upgrade vulnerable dependencies. Enable-by-default on all repos
Snyk Open Source — richer vulnerability database, severity/reachability insights, paid
OWASP Dependency-Check — free CLI; decent but noisy
Trivy — scans images AND source repos for dependency vulns; open source
Renovate — dependency automation; covers more ecosystems than Dependabot

Reachability — the thing SCA often misses

Default SCA says “you use libfoo 1.2.3, which has CVE-X.” Better SCA says “you use libfoo 1.2.3, which has CVE-X, and your code actually calls the vulnerable function.” The second is 10x more actionable. Tools offering reachability: Snyk, Endor Labs, Semgrep Supply Chain.

🔐 Intermediate Module · Basic Tier

Continue reading with Basic tier (₹499/month)

You've read 33% of this module. Unlock the remaining deep-dive, quiz, and every other Intermediate module.

99+ modulesAll levels up to this tier

20-question quizzesUnlimited retries with explanations

Completion certificatesShareable on LinkedIn

See pricing → Sign in

3 more sections locked below

Module 2 · SAST, DAST & SCA in CI 🔒