SAST
====
We're using `semgrep `_ to do static application security testing (SAST).

SAST Docker image
-----------------
There's a `SAST Docker image `_ which we're using for the tests.
The Docker image can be used to run `semgrep`_ with the official registry rules, but also with our custom `SAST rules`_.

SAST rules
----------
The image also includes the custom `SAST rules `_ that we maintain.

.. hint::

   Read the `Writing rules `_ chapter of the official documentation
   when maintaining our custom rules.

SAST CI file
------------
While `semgrep`_ is a Python utility, it can be used to test many different languages.
Thus we've created a dedicated `shared sast CI file `_,
which can be included in all the projects requiring SAST.