What is SAST (Static Application Security Testing) and how is it used in CI?
Answer
SAST (Static Application Security Testing) analyzes source code, bytecode, or binary code for security vulnerabilities without executing the program. It is called "static" because it runs against the code at rest, not against a running application. In CI pipelines, SAST runs automatically on every pull request or push. Common SAST tools include: Snyk (scans code and dependencies for known vulnerabilities, supports all major languages), Semgrep (rule-based code pattern scanner, highly customizable), Bandit (Python security scanner), CodeQL (GitHub's semantic code analysis, finds complex logic bugs), and Checkmarx (enterprise). SAST catches issues like SQL injection patterns, insecure cryptography usage, hardcoded secrets, and dangerous function calls early in the development cycle, before they reach production. The tradeoff is false positives — SAST tools must be tuned to avoid alert fatigue.
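As an added example that is not from the original page or from any of the tools it names, here is a toy rule-based scanner in Python built on the standard library's ast module, in the spirit of what Semgrep or Bandit do: it parses the code without running it, flags the four issue classes the answer lists, and a gate function decides which rules are allowed to fail the CI job. The SAMPLE source, the rule names and the credential/call patterns are constructed for illustration.

```python
import ast
import re

SECRET_NAME = re.compile(r"(password|passwd|secret|api_key|token)", re.I)
DANGEROUS_CALLS = {"eval", "exec", "os.system", "pickle.loads"}
WEAK_CRYPTO = {"hashlib.md5", "hashlib.sha1"}  # fine for checksums, flagged for review

def _dotted(node):
    """'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and (base := _dotted(node.value)):
        return f"{base}.{node.attr}"

def _is_built_string(node):
    """f-string, '+' / '%' expression or str.format(): a query assembled from parts."""
    return isinstance(node, ast.JoinedStr) or (
        isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod))) or (
        isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
        and node.func.attr == "format")

def scan_source(source):
    """Walk the parsed AST (code at rest, never executed) and return (rule, line, detail)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant) \
                and isinstance(node.value.value, str):
            for t in node.targets:
                if isinstance(t, ast.Name) and SECRET_NAME.search(t.id):
                    findings.append(("hardcoded-secret", node.lineno, t.id))
        elif isinstance(node, ast.Call):
            name = _dotted(node.func) or ""
            if name in DANGEROUS_CALLS:
                findings.append(("dangerous-call", node.lineno, name))
            elif name in WEAK_CRYPTO:
                findings.append(("weak-crypto", node.lineno, name))
            elif name.endswith(".execute") and node.args and _is_built_string(node.args[0]):
                findings.append(("sql-injection-pattern", node.lineno, name))
    return findings

def ci_exit_code(findings, blocking=("hardcoded-secret", "sql-injection-pattern")):
    """Gate: listed rules fail the build, the rest only report (tune them before they block merges)."""
    return 1 if any(rule in blocking for rule, _, _ in findings) else 0

# Constructed sample standing in for a pull request's changed file (parsed, never imported).
SAMPLE = '''API_KEY = "sk-live-000"
digest = hashlib.md5(pw)
db.execute(f"SELECT * FROM users WHERE name = '{user}'")
result = eval(cmd)
'''
```

Because these rules match syntax only, a query built in one statement and passed to execute in the next is missed; tracking that flow across statements is what semantic analyzers such as CodeQL add, at the cost of longer scan times.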