Static Application Security Testing - SAST

Static Application Security Testing (SAST) is a security testing practice that analyzes source code or binaries for potential vulnerabilities without executing the application. It is a crucial process for identifying and addressing security risks early in the software development lifecycle (SDLC).

With Harness Security Testing Orchestration (STO), you can perform SAST using a wide range of integrated scanners. STO also adds its own processing on top of the scanner output: it normalizes results, deduplicates findings reported by several scanners, and formats the results so they are actionable.

Set up SAST scanning with Harness STO

You can use any of the integrated scanners that perform SAST scanning, or you can use the Harness STO Built-in Scanner workflow. The Built-in Scanner step lets you set up scans without paid licenses or complex configuration. Currently, the Built-in Scanner uses Semgrep; adding it via the SAST step integrates Semgrep into your pipeline with everything preconfigured. Alternatively, follow the specific integration guides linked below for detailed configuration steps.
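As an added illustration (not taken from this page or from the Harness documentation), the snippet below shows what a minimal Security Tests stage running Semgrep in orchestration mode looks like in pipeline YAML. The pipeline, project and step names are assumed, and the step schema should be checked against the Semgrep step reference for your Harness version before use.

```yaml
# Constructed example of a Harness pipeline with one STO stage.
# Identifiers such as sast_example, my_project and Semgrep_1 are assumed.
pipeline:
  name: sast-example
  identifier: sast_example
  projectIdentifier: my_project   # assumed project identifier
  orgIdentifier: default          # assumed org identifier
  stages:
    - stage:
        name: SAST
        identifier: sast_scan
        type: SecurityTests
        spec:
          cloneCodebase: true       # the scanner needs the source checked out
          platform:
            os: Linux
            arch: Amd64
          runtime:
            type: Cloud             # Harness Cloud build infrastructure
            spec: {}
          execution:
            steps:
              - step:
                  type: Semgrep
                  name: Semgrep_1
                  identifier: Semgrep_1
                  spec:
                    mode: orchestration   # STO runs Semgrep and ingests its results
                    config: default
                    target:
                      type: repository
                      detection: auto     # target name/variant derived from the codebase
                    advanced:
                      log:
                        level: info
                      # Fail the pipeline when findings at this severity or above remain
                      fail_on_severity: high
```

Setting `fail_on_severity` is what turns the scan into a gate; without it the step reports findings but the pipeline continues.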

Supported Scanners for SAST

Below is the list of supported SAST scanners in Harness STO:

  1. Bandit
  2. Black Duck (by Synopsys)
  3. Brakeman
  4. Checkmarx
  5. Coverity
  6. CodeQL
  7. FOSSA
  8. Mend (formerly known as WhiteSource)
  9. Semgrep
  10. Snyk
  11. SonarQube
  12. Veracode
  13. Wiz

If the scanner you use for SAST scanning is not listed, you can explore additional scanners that are compatible with the Custom Scan step. If the Custom Scan step does not support the scanner you need, you can use the Custom Ingestion step to ingest and process your scan results.

Next steps

After running a security scan, you can take the following actions: