In the era of Artificial Intelligence as a work buddy, it is imperative that security is enforced as development progresses. It could be tempting to treat security as an afterthought, but that will be detrimental to the software development lifecycle. It should be development plus security.
A DevSecOps orchestration system consists of many security controls, such as static application security testing (SAST), software composition analysis (SCA), secrets detection, infrastructure-as-code (IaC) security, CI/CD pipeline security, and application security posture management (ASPM).
A robust DevSecOps pipeline must:
- Continuously scan code and dependencies
- Enforce policies automatically
- Provide actionable feedback to developers
- Integrate seamlessly into developer workflows
Static Application Security Testing (SAST) analyzes source code, bytecode, or binaries without executing the application — hence the word static. SAST tools read your code the way a security-savvy reviewer would, looking for dangerous patterns: SQL injection vectors, hardcoded credentials, insecure deserialization, buffer overflows, and more.
SAST tools perform one or more of the following analyses:
- Lexical / pattern matching: Simple regex-based rules flagging known dangerous function calls or string patterns (e.g., eval(), strcpy()).
- Dataflow analysis: Tracks how untrusted input flows through the codebase, ensuring user-supplied data are sanitized properly.
- Control flow analysis: Maps execution paths to identify code that can be reached in unsafe states.
- Semantic analysis: Understands the meaning of code constructs in context, reducing false positives from pattern-only approaches.
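To make the difference between the first two analysis types concrete, here is a toy analyzer written for this article (not code from Semgrep, CodeQL or any real scanner). It parses a constructed Python snippet with the standard `ast` module: `pattern_only()` flags every call on a deny list the way a lexical rule would, while `scan()` only reports a sink such as `subprocess.call()` when a per-function taint set shows data from a source like `request.args` actually reaching it. The source list, sink list and the snippet are all assumptions made for the example; a real engine handles far more language semantics (branches, calls across functions, sanitizers).

```python
"""Toy SAST over a Python snippet: pattern matching versus dataflow (taint) analysis.

Added example for illustration; it is not code from any real scanner. The source
list, sink list and the analysed snippet are all constructed here.
"""
import ast

# Constructed sample: two similar-looking shell calls, only one fed by user input.
SAMPLE = '''\
import subprocess

def safe_ping():
    host = "127.0.0.1"            # constant, not attacker-controlled
    subprocess.call("ping -c1 " + host, shell=True)

def risky_ping(request):
    host = request.args["host"]   # untrusted source
    cmd = "ping -c1 " + host      # taint propagates through concatenation
    subprocess.call(cmd, shell=True)

def evaluate(expr):
    return eval(expr)             # dangerous on sight, whatever the input
'''

DANGEROUS_CALLS = {"eval", "exec"}                                # pattern rule: flag on sight
TAINT_SOURCES = {"request.args", "request.form", "input"}         # where untrusted data enters
TAINT_SINKS = {"subprocess.call", "os.system", "cursor.execute"}  # must not receive raw input


def qualified_name(node):
    """Render eval / subprocess.call / request.args as a dotted string, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualified_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(expr, tainted):
    """Conservative check: tainted if any sub-expression is a tainted variable,
    reads a source attribute, or calls a source function."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if isinstance(sub, ast.Attribute) and qualified_name(sub) in TAINT_SOURCES:
            return True
        if isinstance(sub, ast.Call) and qualified_name(sub.func) in TAINT_SOURCES:
            return True
    return False


def pattern_only(source):
    """Lexical approach: flag every call whose name is on a deny list."""
    hits = []
    for func in ast.parse(source).body:
        if isinstance(func, ast.FunctionDef):
            for node in ast.walk(func):
                if isinstance(node, ast.Call):
                    name = qualified_name(node.func)
                    if name in DANGEROUS_CALLS | TAINT_SINKS:
                        hits.append((func.name, node.lineno, name))
    return hits


def scan(source):
    """Combined approach: dangerous calls fire on sight; sinks fire only when
    the per-function taint set shows untrusted data reaching an argument."""
    findings = []
    for func in ast.parse(source).body:
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()                      # variables holding untrusted data
        for stmt in func.body:               # straight-line walk in source order
            if isinstance(stmt, ast.Assign) and is_tainted(stmt.value, tainted):
                tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            for node in ast.walk(stmt):
                if not isinstance(node, ast.Call):
                    continue
                name = qualified_name(node.func)
                if name in DANGEROUS_CALLS:
                    findings.append((func.name, node.lineno, "pattern", f"{name}() call"))
                elif name in TAINT_SINKS and any(is_tainted(a, tainted) for a in node.args):
                    findings.append((func.name, node.lineno, "dataflow",
                                     f"untrusted data reaches {name}()"))
    return findings


if __name__ == "__main__":
    print("pattern-only hits:", pattern_only(SAMPLE))   # 3 hits; safe_ping is a false positive
    print("pattern + dataflow:", scan(SAMPLE))          # 2 findings, no false positive
```

Run it and the pattern-only pass reports all three calls, including the harmless `safe_ping()`, whereas the dataflow pass keeps the `eval()` hit and reports `subprocess.call()` only in `risky_ping()`, where the argument is derived from `request.args`. That gap between the two lists is exactly the false-positive noise the semantic and dataflow analyses exist to remove.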
How to Get Started with SAST
Various DevSecOps platforms (GitLab, GitHub, etc.) have embedded SAST tools into CI/CD pipelines for scanning code before it is shipped to production. These platforms are designed for ready-to-be-reviewed work. For developers who want immediate feedback while working, running SAST locally brings analysis to the workstation before a single commit is pushed.
Running Semgrep Locally
Semgrep is the most accessible local SAST tool for teams already using GitLab, and works equally well in GitHub-centric workflows. It runs as a standalone CLI with no server dependency.
Installation:
```bash
# macOS
brew install semgrep

# Python (cross-platform)
pip install semgrep

# Docker (no local installation required)
docker pull semgrep/semgrep
```
Basic scan against the OWASP Top 10 rule pack:
```bash
semgrep --config "p/owasp-top-ten" /path/to/your/project
```
A sample output after a run (shown as a screenshot in the original post).
Tip: Add a semgrep.yml config file at the project root to lock in rule sets and exclusions for team-wide consistency.
Running SAST with GitLab CI/CD
GitLab's approach to SAST is deeply integrated. GitLab runs SAST scans inside Docker containers during the CI pipeline. Each analyzer is a self-contained image that understands one or more languages. Enabling the SAST tool is as straightforward as adding a single include line to the pipeline YAML:
```yaml
# .gitlab-ci.yml
include:
  - template: Security/SAST.gitlab-ci.yml
```
For further configuration options — including severity thresholds, excluded paths, and custom analyzers — refer to the GitLab SAST documentation.
Running SAST with GitHub Actions CI
GitHub's SAST centers on Code Scanning, powered by CodeQL — a semantic code analysis engine that uses a query-based approach to find vulnerabilities across supported languages in the codebase. You can begin using CodeQL via the Default Setup available on any repository, or generate a full GitHub Actions workflow YAML for customization:
```yaml
# .github/workflows/codeql.yml
name: "CodeQL Analysis"
on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
  schedule:
    - cron: "0 2 * * 1" # Weekly scan on Monday at 2am
jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      packages: read
      actions: read
      contents: read
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: javascript-typescript
            build-mode: none
          - language: python
            build-mode: none
          - language: java-kotlin
            build-mode: autobuild
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          queries: security-extended
      - name: Build (for compiled languages)
        if: matrix.build-mode == 'manual'
        run: make build
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```
Integrating Third-Party SAST Tools
Neither GitLab nor GitHub locks teams into their native SAST engines. Both platforms support importing results from external tools via standardized formats. GitLab accepts any tool that outputs a gl-sast-report.json conformant artifact. The GitLab Security Report Schemas are publicly documented, and many third-party tools (Semgrep Cloud, Snyk Code, Checkmarx, Veracode) have built GitLab converters.
GitHub uses the SARIF (Static Analysis Results Interchange Format) standard (OASIS specification). Any tool that produces a SARIF file can upload results to Code Scanning:
```yaml
- name: Upload SARIF results
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
    category: "custom-sast-tool"
```
This openness means both platforms can serve as the orchestration and visualization layer for a heterogeneous SAST stack, with CodeQL or Semgrep as the default engine and commercial tools layered on top for higher-value targets.
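The following script, written for this article (it is not Semgrep's, GitLab's or GitHub's own code), shows what that integration layer looks like in practice: it takes the JSON that a local `semgrep --json` run produces, rewrites each finding as a SARIF 2.1.0 result that the `upload-sarif` step above can ingest, and applies a severity gate so the pipeline fails on blocking findings while letting a documented exception list through. The finding data is constructed sample input; the field names it relies on (`results[].check_id`, `path`, `start.line`, `extra.severity`, `extra.message`) follow the Semgrep JSON layout as assumed here, and the severity-to-level mapping is the author's choice.

```python
"""Convert Semgrep --json output to SARIF 2.1.0 and apply a severity gate.

Added example; not code from Semgrep, GitLab or GitHub. Assumes the Semgrep JSON
layout (results[].check_id, path, start.line/col, extra.severity, extra.message).
The findings below are constructed sample data, not output from a real scan.
"""
import json

# Constructed sample in the shape of `semgrep --json --config p/owasp-top-ten .`
SEMGREP_JSON = json.dumps({
    "results": [
        {
            "check_id": "python.lang.security.audit.eval-detected.eval-detected",
            "path": "app/views.py",
            "start": {"line": 42, "col": 12, "offset": 0},
            "end": {"line": 42, "col": 30, "offset": 0},
            "extra": {"message": "Detected use of eval() on user input.",
                      "severity": "ERROR", "lines": "    return eval(expr)"},
        },
        {
            "check_id": "python.flask.security.audit.debug-enabled.debug-enabled",
            "path": "app/__init__.py",
            "start": {"line": 7, "col": 1, "offset": 0},
            "end": {"line": 7, "col": 20, "offset": 0},
            "extra": {"message": "Flask debug mode is enabled.",
                      "severity": "WARNING", "lines": "app.run(debug=True)"},
        },
    ],
    "errors": [],
})

# Semgrep severities -> SARIF result levels (SARIF allows error, warning, note, none)
SEVERITY_TO_LEVEL = {"ERROR": "error", "WARNING": "warning", "INFO": "note"}


def semgrep_to_sarif(raw_json, tool_name="semgrep"):
    """Map each Semgrep finding to a SARIF result. Rule ids are deduplicated into
    tool.driver.rules so Code Scanning can show per-rule metadata."""
    data = json.loads(raw_json)
    rules, results = {}, []
    for r in data.get("results", []):
        rule_id = r["check_id"]
        message = r["extra"].get("message", rule_id)
        rules.setdefault(rule_id, {
            "id": rule_id,
            "shortDescription": {"text": message.splitlines()[0][:120]},
        })
        results.append({
            "ruleId": rule_id,
            "level": SEVERITY_TO_LEVEL.get(r["extra"].get("severity", "INFO"), "note"),
            "message": {"text": message},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": r["path"]},
                "region": {"startLine": r["start"]["line"],
                           "startColumn": r["start"]["col"]},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
            "results": results,
        }],
    }


def gate(sarif, fail_on=("error",), allowlist=()):
    """Policy gate: return (passed, blocking_findings). `allowlist` holds rule ids
    accepted through a documented exception; everything else at a blocking level fails."""
    blocking = [res for res in sarif["runs"][0]["results"]
                if res["level"] in fail_on and res["ruleId"] not in allowlist]
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    sarif = semgrep_to_sarif(SEMGREP_JSON)
    with open("results.sarif", "w") as fh:        # file name matches the upload step
        json.dump(sarif, fh, indent=2)
    ok, blocking = gate(sarif)
    for b in blocking:                            # actionable, file:line feedback for the developer
        loc = b["locations"][0]["physicalLocation"]
        print(f"{loc['artifactLocation']['uri']}:{loc['region']['startLine']}: "
              f"{b['ruleId']}: {b['message']['text']}")
    raise SystemExit(0 if ok else 1)
```

In a pipeline this runs between the scanner and the upload step: the SARIF file is uploaded regardless of the gate result so the finding is visible in Code Scanning, and the non-zero exit code is what actually blocks the merge. Keeping the gate's threshold and exception list in version control, next to the `semgrep.yml` mentioned earlier, is what makes the policy enforcement reviewable rather than tribal knowledge.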
Conclusion
SAST automation is one of the highest-leverage investments a development organization can make in its security posture. Finding a SQL injection vulnerability in a pull request costs a developer ten minutes. Finding it in production after exploitation costs weeks of incident response, potential regulatory consequences, and erosion of user trust.
GitLab and GitHub have both made SAST a first-class part of their DevSecOps narratives. GitLab's integration with Semgrep gives teams a broad, customizable foundation with excellent pipeline integration, while GitHub's CodeQL delivers exceptional dataflow-based analysis depth for supported languages, backed by the largest vulnerability research community in the world.
The best SAST program is the one developers actually use. Optimize for low friction, clear signal, fast feedback, and an organizational culture that treats security findings as bugs to fix and not compliance checkboxes to dismiss.