
SAST Tools — Static Code Analysis

01. 08. 2019 · 1 min read · intermediate

SAST (static application security testing) analyzes source code without running it and reports security flaws before the code is deployed: SQL injection, XSS, hardcoded secrets and similar bug classes can be caught in the CI/CD pipeline on every commit. It only sees what is in the code, so it produces false positives that need triage and does not cover runtime configuration or deployed infrastructure.

Semgrep — fast and flexible

Installation and run

pip install semgrep
semgrep --config auto .               # Semgrep picks rulesets from the Registry based on the languages it detects
semgrep --config p/owasp-top-ten .    # run the OWASP Top Ten ruleset from the Semgrep Registry

Custom rule

rules:
  - id: sql-injection
    languages: [python]        # required by Semgrep; the rule is applied only to Python files
    patterns:
      - pattern: cursor.execute(f"...{$VAR}...")
    message: "Possible SQL injection: user-controlled value interpolated into a query string"
    severity: ERROR
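To see what the rule above actually catches, here is an added example (not code from the original post): the f-string query shape that matches `cursor.execute(f"...{$VAR}...")`, next to the parameterized version that passes the rule. The table, rows and attacker input are constructed for the example, and it runs against an in-memory sqlite3 database so nothing external is needed.

```python
"""Added example, not from the original post: the code pattern the Semgrep rule
flags (f-string SQL) beside the parameterized query that passes it."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable: user input is interpolated into the SQL text.
    This is exactly the shape the custom rule matches and reports as ERROR."""
    cursor = conn.cursor()
    cursor.execute(f"SELECT name, role FROM users WHERE name = '{name}'")  # flagged by the rule
    return cursor.fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the SQL text is constant and the value is bound as a parameter,
    so the driver never parses it as SQL. No f-string, so the rule does not match."""
    cursor = conn.cursor()
    cursor.execute("SELECT name, role FROM users WHERE name = ?", (name,))
    return cursor.fetchall()


INJECTION = "x' OR '1'='1"  # constructed attacker input: closes the quote and adds a tautology

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, INJECTION))  # every row, including the admin
    print("safe:      ", find_user_safe(db, INJECTION))        # [] - the input is just a string
```

Running `semgrep --config sql-injection.yaml .` (the rule saved to a file, a name assumed here) reports the `execute` line in `find_user_vulnerable` and nothing in `find_user_safe`, which is the behaviour you want from a rule that gates a merge.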

SonarQube

Docker

docker run -d --name sonar -p 9000:9000 sonarqube:lts   # UI on http://localhost:9000; default login admin/admin, change it at first login

Scanner

sonar-scanner \
  -Dsonar.projectKey=myapp \
  -Dsonar.sources=src \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.token=<token>        # generate under My Account > Security; older versions use -Dsonar.login=<token>

CI/CD integration

GitHub Actions

- name: Semgrep
  uses: semgrep/semgrep-action@v1
  with:
    config: p/ci

Key Takeaway

Semgrep for fast, rule-driven scanning of every pull request; SonarQube for a persistent dashboard and quality gates. Run both in CI/CD and make the scan a required status check so that ERROR-severity findings block the merge. Handle false positives by tuning or scoping the rules, not by switching the gate off.

Tags: security, sast, devsecops, ci/cd

CORE SYSTEMS team

We build core systems and AI agents that keep operations running. 15 years of experience with enterprise IT.