SAST#

We’re using semgrep to do static application security testing (SAST).

SAST Docker image#

There’s a SAST Docker image which we’re using for the tests.

The Docker image can be used to run semgrep with the official registry rules, but also our custom SAST rules.

The image also includes custom SAST rules, which we’re maintaining.

Hint

Read the Writing rules chapter of the official documentation, to maintain our custom rules.

While semgrep is a Python utility, it can be used to test many different languages.

Thus we’ve created a dedicated shared sast CI file, which can be included in all the projects requiring SAST.