Today we'd like to share with you the full video of our webinar 'Integrating SAST into DevSecOps'.
About the speaker
Anton Tretyakov is an experienced DevOps engineer at PVS-Studio who builds and maintains the static analyzer's infrastructure. He also writes about C++ in his spare time. During the webinar, Anton shares his insights on modernizing code security, integrating static analysis tools into security workflows, and optimizing existing pipelines.
Key points
What is SAST?
Static application security testing (SAST) is a security check that automatically analyzes your source code for defects and weak points without executing it. It relies on the same machinery as ordinary static analysis; the difference is focus: a SAST tool reports weaknesses that could become vulnerabilities, rather than only ordinary correctness bugs.
Bugs vs Vulnerabilities
It is usually impossible to predict in advance whether a given bug will affect a program's observable behavior. A bug becomes a potential vulnerability when the possible consequences of its presence in the source code are clearly defined (for example, an out-of-bounds write that an attacker can reach). A potential vulnerability turns into a real one when it ships in released software and is exploited by a malicious user.
How does SAST work?
A SAST tool automates the tedious process of reading every line of code by hand. To do this, it parses the code into a syntax tree and builds supporting information on top of it (types, symbol tables, control and data flow), which lets it follow how values such as user input move through the program. It then scans the tree for error patterns and issues a warning when it detects a flaw or potential undefined behavior that may harm the application.
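To make the syntax-tree idea concrete, here is a toy SAST checker in Python built on the standard library's ast module. It is example code written for this post, not PVS-Studio's engine or any code from the webinar. It parses a program into a syntax tree, tracks which variables are assigned from attacker-controlled sources, and warns when such a value reaches a code- or command-execution sink. The source and sink lists, the rule IDs and the sample program are assumptions constructed for the demo; a real analyzer has far richer data-flow and interprocedural analysis.

```python
"""Toy SAST checker: parse Python source into an AST, track where
attacker-controlled values flow, and warn when one reaches a dangerous sink.
Demo only (constructed rules and sample); not PVS-Studio's analysis engine."""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    message: str


# Assumed rule set for this demo. Sources produce attacker-controlled data;
# sinks execute code or shell commands built from their arguments.
SOURCES = {"input", "sys.argv", "os.environ.get", "request.args.get"}
SINKS = {
    "eval": ("SAST001", "code injection: untrusted data reaches eval()"),
    "exec": ("SAST001", "code injection: untrusted data reaches exec()"),
    "os.system": ("SAST002", "command injection: untrusted data reaches os.system()"),
    "subprocess.run": ("SAST002", "command injection: untrusted data in a shell=True command"),
    "subprocess.call": ("SAST002", "command injection: untrusted data in a shell=True command"),
    "subprocess.Popen": ("SAST002", "command injection: untrusted data in a shell=True command"),
}


def dotted_name(node: ast.AST) -> str | None:
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintChecker(ast.NodeVisitor):
    """Walks the tree in source order, keeping a per-function set of tainted names."""

    def __init__(self) -> None:
        self.tainted: set[str] = set()
        self.findings: list[Finding] = []

    def is_tainted(self, expr: ast.AST) -> bool:
        # Any sub-expression that reads a tainted variable or a source is tainted.
        return any(
            (isinstance(sub, ast.Name) and sub.id in self.tainted)
            or dotted_name(sub) in SOURCES
            for sub in ast.walk(expr)
        )

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        saved, self.tainted = self.tainted, set()   # fresh scope per function
        self.generic_visit(node)
        self.tainted = saved

    def visit_Assign(self, node: ast.Assign) -> None:
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # overwritten with a safe value
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = dotted_name(node.func)
        if name in SINKS:
            shell = any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                for kw in node.keywords
            )
            # subprocess.* is only a shell sink with shell=True; eval/exec/os.system always are.
            if (shell or not name.startswith("subprocess.")) and any(
                self.is_tainted(arg) for arg in node.args
            ):
                rule, message = SINKS[name]
                self.findings.append(Finding(node.lineno, rule, message))
        self.generic_visit(node)


def scan(source: str) -> list[Finding]:
    checker = TaintChecker()
    checker.visit(ast.parse(source))
    return checker.findings


# Constructed sample program under test (it is only parsed, never executed).
SAMPLE = """\
import os, sys, subprocess

def greet():
    name = input("name? ")
    eval("print('hi " + name + "')")            # tainted -> eval: flagged

def run_tool():
    target = sys.argv[1]
    subprocess.run("nmap " + target, shell=True)  # tainted + shell=True: flagged
    subprocess.run(["nmap", target])              # argv list, no shell: not flagged
    cmd = "ls"
    os.system(cmd)                                # constant command: not flagged
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(f"line {finding.line}: {finding.rule} {finding.message}")
```

Running it reports two findings for the sample (the eval() on line 5 and the shell=True command on line 9) and stays quiet on the argv-list call and the constant command. Note that the checker never runs the program: everything it knows comes from the tree and the assignments it saw along the way, which is exactly why SAST can cover code paths that no test ever executes.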
How to integrate SAST into DevSecOps?
Early detection reduces the cost of fixing an error, so it is crucial to integrate a SAST tool into the development workflow as early as possible.
To check code, a SAST tool needs only a project that compiles. Unlike tests, which cover only the paths they actually execute, static analysis covers the whole codebase, including rarely exercised paths. It works best when used together with other tests and checks rather than as a replacement for them.
Here's an example of how you can integrate static analysis into your pipeline:
build the project > pass credentials (the analyzer license) to the analyzer > run the analysis > get the analyzer report > extract metrics information from the report > publish the metrics file to the merge request > move on to the other development stages.
How to use SAST on legacy code
Static analysis detects various types of errors and can be used as a quality gate mechanism. When you work on a big project that also contains legacy code, the analyzer may issue thousands of warnings on the first run. Sifting through them all is a time-consuming and tedious task. This is where the one-direction approach comes into play: record the existing warnings as a baseline, hide them from day-to-day results, and require only that new changes do not add warnings; the old backlog is worked down separately, at its own pace.
Learn more: How to introduce a static code analyzer in a legacy project and not to discourage the team
How to use SAST as quality gate
With PVS-Studio you can run the analysis once to record all the warnings it issues in your database as a baseline. Then check the project regularly so the tool can determine whether anything has changed. If the number of warnings grows, the change to the repository is rejected.
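The following Python script, added here as an illustration and not PVS-Studio's own tooling or code from the webinar, ties together the pipeline, legacy-code and quality-gate sections above: it takes a baseline recorded on the first run over a legacy codebase, compares a fresh analyzer report against it, extracts the metrics the pipeline example mentions, renders a summary for the merge request, and exits non-zero when the change introduces a warning. It goes slightly beyond the text in one respect: it compares warning fingerprints rather than the raw count, because a merge request that fixes one warning and adds another leaves the count unchanged while still making the code worse. The report format, rule codes, messages and sample data are constructed for the demo; a real report (JSON, SARIF or plain text) would be parsed into the same records.

```python
"""Ratchet-style quality gate for analyzer reports: warnings recorded in a baseline
are tolerated, anything new fails the pipeline. Constructed report format and sample
data for this demo; adapt the records and fingerprint() to your analyzer's real output."""
from __future__ import annotations

import hashlib
import json
from collections import Counter

# Constructed warning records (not a real analyzer's output). The fields used
# here are file, rule code, message, level and, for display only, line.
BASELINE = [
    {"file": "src/net.c", "line": 120, "code": "W101", "level": "high",
     "message": "Pointer 'p' is dereferenced before the null check."},
    {"file": "src/net.c", "line": 301, "code": "W102", "level": "high",
     "message": "Buffer 'buf' may be overrun in memcpy()."},
    {"file": "src/util.c", "line": 42, "code": "W103", "level": "low",
     "message": "Variable 'len' is assigned the same value twice."},
]

# Report after a merge request: lines in net.c shifted by a refactor (same two
# warnings), the util.c warning was fixed, and a new high-severity warning appeared
# in parse.c. The total count is unchanged, so a count-only gate would pass it.
CURRENT = [
    {"file": "src/net.c", "line": 128, "code": "W101", "level": "high",
     "message": "Pointer 'p' is dereferenced before the null check."},
    {"file": "src/net.c", "line": 309, "code": "W102", "level": "high",
     "message": "Buffer 'buf' may be overrun in memcpy()."},
    {"file": "src/parse.c", "line": 17, "code": "W101", "level": "high",
     "message": "Pointer 'hdr' is dereferenced before the null check."},
]


def fingerprint(w: dict) -> str:
    """Stable identity for a warning. Deliberately excludes the line number so that
    edits above a known warning do not make it look new; keyed on file, rule, text."""
    key = f"{w['file']}|{w['code']}|{w['message']}".encode()
    return hashlib.sha256(key).hexdigest()[:16]


def new_warnings(baseline: list[dict], current: list[dict]) -> list[dict]:
    """Warnings whose fingerprint occurs more times now than in the baseline
    (a second copy of a known pattern in the same file still counts as new)."""
    allowed = Counter(fingerprint(w) for w in baseline)
    seen: Counter = Counter()
    fresh = []
    for w in current:
        fp = fingerprint(w)
        seen[fp] += 1
        if seen[fp] > allowed[fp]:
            fresh.append(w)
    return fresh


def metrics(warnings: list[dict]) -> dict:
    """The metrics record the pipeline exports alongside the report."""
    return {"total": len(warnings), "by_level": dict(Counter(w["level"] for w in warnings))}


def gate(baseline: list[dict], current: list[dict]) -> dict:
    """One-direction gate: pass only if nothing new was introduced."""
    fresh = new_warnings(baseline, current)
    return {
        "passed": not fresh,
        "count_delta": len(current) - len(baseline),
        "new_warnings": fresh,
        "metrics": metrics(current),
    }


def mr_summary(result: dict) -> str:
    """Markdown snippet to post on the merge request."""
    m = result["metrics"]
    lines = [f"SAST gate: {'PASS' if result['passed'] else 'FAIL'}",
             f"warnings: {m['total']} (delta vs baseline: {result['count_delta']:+d})",
             "by level: " + ", ".join(f"{k}={v}" for k, v in sorted(m["by_level"].items()))]
    for w in result["new_warnings"]:
        lines.append(f"- NEW {w['code']} {w['file']}:{w['line']} {w['message']}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = gate(BASELINE, CURRENT)
    print(mr_summary(result))
    print(json.dumps(result["metrics"]))  # the metrics file the pipeline publishes
    raise SystemExit(0 if result["passed"] else 1)
```

On the sample data the count delta is 0, yet the gate fails and names the parse.c warning, which is the behaviour you want from a one-direction gate. Two practical points: the baseline is only updated on the main branch after a merge (never from a feature branch, or the gate can be bypassed), and fingerprints that ignore line numbers are the reason a refactor that merely moves legacy code does not block the merge request.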
Learn more: Static analysis for pull requests. Another step towards regularity.
Want more?
That's only part of what was covered during the session. If you want to learn more, watch the whole webinar and take a closer look at the slides, follow the link: Integrating SAST into DevSecOps.
You can also sign up for our upcoming webinars, for example: Let's make a programming language. Lexer. During the webinar, the speaker will walk you through how a lexer is actually implemented in code.
We hope to see you there!