SAST and DAST
SAST scans source code (Bandit, Semgrep); DAST tests running apps (OWASP ZAP) — run both in CI/CD.
SAST and DAST Security Testing
# SAST -- Static Application Security Testing
# Analyses source code without running it
# Bandit (Python)
pip install bandit
bandit -r ./src -ll # scan for medium+ severity
bandit -r ./src -f json -o bandit_report.json
# Semgrep (multi-language)
pip install semgrep
semgrep --config=auto ./src # use curated rules
semgrep --config=p/security-audit ./src
# PHP CodeSniffer with security rules
# npm audit (Node.js) -- checks third-party dependencies for known CVEs, not your own code
# GoSec (Go), SpotBugs (Java)
# DAST -- Dynamic Application Security Testing
# Tests the running application from the outside, the way an attacker would
# OWASP ZAP
# mount the working directory so the report lands on the host
docker run -v "$(pwd):/zap/wrk/:rw" -t owasp/zap2docker-stable zap-baseline.py \
    -t https://staging.myapp.com -r zap_report.html
# Nikto web scanner
nikto -h https://myapp.com
# CI/CD integration
# .github/workflows/security.yml
name: security
on: [push, pull_request]
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install bandit semgrep
      - run: bandit -r . -ll
      - run: semgrep --config=auto .
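The workflow above fails the job only when a scanner's own exit code is non-zero, which makes it hard to apply one consistent severity threshold across tools. The script below is an added example (not code from the original page or from the Bandit or Semgrep projects) of a CI gate that reads both tools' JSON reports, maps their different severity scales onto one, and returns exit code 1 when findings at or above the threshold exist. It assumes the reports were produced with `bandit -r . -f json -o bandit_report.json` and `semgrep --config=auto --json -o semgrep_report.json .`; the embedded sample reports are constructed to match the shape of those outputs and are not real scan results.

```python
"""Severity gate for SAST reports in CI (added example, not from the original page).

Reads a Bandit JSON report and a Semgrep JSON report, normalises their
severity scales, and returns a non-zero exit code when findings at or
above the chosen threshold exist. Sample reports below are constructed.
"""
import json
import sys
from dataclasses import dataclass

# Bandit reports LOW/MEDIUM/HIGH; Semgrep reports INFO/WARNING/ERROR.
# Map both onto one ordinal scale so a single threshold applies.
RANK = {"LOW": 1, "INFO": 1, "MEDIUM": 2, "WARNING": 2, "HIGH": 3, "ERROR": 3}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    path: str
    line: int
    severity: str  # normalised to LOW / MEDIUM / HIGH / UNKNOWN
    message: str


def normalise(severity: str) -> str:
    """Translate either tool's severity label onto the shared scale."""
    level = RANK.get(severity.upper(), 0)
    return {1: "LOW", 2: "MEDIUM", 3: "HIGH"}.get(level, "UNKNOWN")


def parse_bandit(report: dict) -> list:
    """Bandit JSON: top-level 'results' list, one entry per issue."""
    return [
        Finding("bandit", r["test_id"], r["filename"], int(r["line_number"]),
                normalise(r["issue_severity"]), r["issue_text"])
        for r in report.get("results", [])
    ]


def parse_semgrep(report: dict) -> list:
    """Semgrep JSON: 'results' list; severity and message live under 'extra'."""
    return [
        Finding("semgrep", r["check_id"], r["path"], int(r["start"]["line"]),
                normalise(r["extra"]["severity"]), r["extra"]["message"])
        for r in report.get("results", [])
    ]


def violations(findings, threshold="MEDIUM"):
    """Findings at or above `threshold`: the ones that should fail the build."""
    floor = RANK[threshold]
    return [f for f in findings if RANK.get(f.severity, 0) >= floor]


def gate(bandit_report, semgrep_report, threshold="MEDIUM"):
    """Return (exit_code, blocking_findings); exit code 1 means fail the job."""
    found = parse_bandit(bandit_report) + parse_semgrep(semgrep_report)
    blocking = violations(found, threshold)
    return (1 if blocking else 0), blocking


# Constructed sample reports, shaped like the real tools' JSON output.
SAMPLE_BANDIT = {"results": [
    {"test_id": "B105", "filename": "src/settings.py", "line_number": 12,
     "issue_severity": "LOW", "issue_confidence": "MEDIUM",
     "issue_text": "Possible hardcoded password: 'changeme'"},
    {"test_id": "B602", "filename": "src/deploy.py", "line_number": 40,
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "subprocess call with shell=True identified"},
]}
SAMPLE_SEMGREP = {"results": [
    {"check_id": "python.lang.security.audit.eval-detected",
     "path": "src/plugins.py", "start": {"line": 7},
     "extra": {"severity": "WARNING", "message": "Detected use of eval()"}},
]}


def main(argv=None):
    """Usage: python sast_gate.py bandit_report.json semgrep_report.json
    With no arguments the constructed samples are used."""
    args = argv if argv is not None else sys.argv[1:]
    if len(args) == 2:
        with open(args[0]) as fb, open(args[1]) as fs:
            bandit_report, semgrep_report = json.load(fb), json.load(fs)
    else:
        bandit_report, semgrep_report = SAMPLE_BANDIT, SAMPLE_SEMGREP
    code, blocking = gate(bandit_report, semgrep_report)
    for f in blocking:
        print(f"{f.severity:6} {f.tool}:{f.rule} {f.path}:{f.line}  {f.message}")
    print("FAIL" if code else "PASS")
    return code


if __name__ == "__main__":
    sys.exit(main())
```

In the workflow this replaces the bare `bandit` and `semgrep` steps with a report-producing step for each followed by `python sast_gate.py bandit_report.json semgrep_report.json`; raising the threshold to `HIGH` for a noisy legacy repository, or lowering it to `LOW` for a new service, is then a one-line change rather than per-tool flag tuning.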