Integrating SAST into CI/CD Pipelines

Successful SAST integration requires careful pipeline design to balance security thoroughness with build performance. Full codebase scans can take hours for large applications, making them impractical for every commit. Incremental scanning analyzes only changed code, providing rapid feedback for most commits while periodically running complete scans to catch accumulated issues.

# GitLab CI SAST pipeline configuration example
stages:
  - build
  - test
  - security
  - deploy

variables:
  # Honoured by GitLab's bundled SAST analyzers; the hand-written jobs below
  # pass the same exclusions to each tool on the command line
  SAST_EXCLUDED_PATHS: "test/, docs/, vendor/"
  SAST_BANDIT_EXCLUDED_PATHS: "test/, docs/"

# Quick security scan on merge requests
sast-quick:
  stage: test
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    # Merge request pipelines clone only the source branch, so fetch the target first
    - git fetch origin "$CI_MERGE_REQUEST_TARGET_BRANCH_NAME"
    # Three-dot diff lists changes since the merge base; ACMR drops deleted files, which cannot be scanned
    - git diff --name-only --diff-filter=ACMR "origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME...HEAD" > changed_files.txt
    - |
      # Keep only source files in scanned languages, outside the excluded directories
      if grep -E '\.(py|js|java|cs|go)$' changed_files.txt | grep -vE '^(test|docs|vendor)/' > scan_files.txt; then
        echo "Running incremental SAST scan on changed files"
        # --gitlab-sast emits the report schema that the reports:sast artifact expects
        xargs -d '\n' semgrep --config=auto --gitlab-sast -o sast-quick-results.json < scan_files.txt
        python3 parse_sast_results.py sast-quick-results.json
      else
        echo "No scannable source files changed"
      fi
  artifacts:
    reports:
      sast: sast-quick-results.json
    expire_in: 1 week

# Comprehensive nightly scan
sast-full:
  stage: security
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
  script:
    - echo "Running full SAST scan"
    - |
      # Run multiple SAST tools for comprehensive coverage.
      # bandit and gosec exit non-zero when they find issues, which would abort this
      # block before aggregation; let the aggregator decide the verdict instead.
      # (semgrep only exits non-zero on findings when --error is given.)
      semgrep --config=auto --json -o semgrep-results.json \
        --exclude test --exclude docs --exclude vendor .
      bandit -r . -x test,docs --exit-zero -f json -o bandit-results.json
      gosec -no-fail -exclude-dir=vendor -fmt=json -out=gosec-results.json ./...

      # Aggregate results into GitLab's SAST report schema, which reports:sast expects
      python3 aggregate_sast_results.py
  artifacts:
    reports:
      sast: aggregated-sast-results.json
    expire_in: 30 days
  timeout: 3 hours

Pipeline placement of SAST scans significantly impacts developer experience. Running basic SAST checks during the commit or pull request phase provides immediate feedback when developers can most easily address issues. More comprehensive scans can run asynchronously, notifying developers of findings without blocking deployment. Critical security gates should fail builds for high-severity vulnerabilities while allowing overrides with proper approval workflows.
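The severity gate with approved overrides described above, as an added example that is not code from the original page: a stand-in for the parse_sast_results.py script the pipeline calls. It assumes the scanner wrote GitLab's SAST report schema (a vulnerabilities array with severity, location and identifiers) and that approved exceptions are kept as a JSON list whose entries name a file, a scanner rule id, an approver and a ticket; the sample report and waivers are constructed.

```python
"""SAST gate: fail on Critical/High findings unless an approved waiver covers them (GitLab SAST schema)."""
import json
import sys

BLOCKING_SEVERITIES = {"Critical", "High"}  # severity spellings used by the GitLab SAST report schema

# Constructed sample data for the self-test, not the output of a real scan.
SAMPLE_REPORT = {"vulnerabilities": [
    {"name": "SQL injection", "severity": "Critical",
     "location": {"file": "app/db.py", "start_line": 42},
     "identifiers": [{"type": "semgrep_id", "value": "python.lang.security.sqli"}]},
    {"name": "Weak hash", "severity": "High",
     "location": {"file": "app/legacy.py", "start_line": 7},
     "identifiers": [{"type": "semgrep_id", "value": "python.lang.security.md5"}]},
    {"name": "Debug enabled", "severity": "Medium",
     "location": {"file": "app/settings.py", "start_line": 3}, "identifiers": []},
]}
SAMPLE_WAIVERS = [
    # Valid: names the file and rule id, and carries an approver plus a ticket reference.
    {"file": "app/legacy.py", "identifier": "python.lang.security.md5",
     "approved_by": "security-team", "ticket": "SEC-123"},
    # Invalid: no ticket, so it must not suppress the Critical finding.
    {"file": "app/db.py", "identifier": "python.lang.security.sqli", "approved_by": "dev"},
]


def is_waived(vuln, waivers):
    """A waiver applies only if it names the finding's file and one of its scanner ids and is approved."""
    ids = {i.get("value") for i in vuln.get("identifiers", [])}
    return any(w.get("approved_by") and w.get("ticket")
               and w.get("file") == vuln["location"]["file"] and w.get("identifier") in ids
               for w in waivers)


def gate(report, waivers):
    """Partition Critical/High findings into blocking and waived; the job passes only if none block."""
    blocking, waived = [], []
    for vuln in report.get("vulnerabilities", []):
        if vuln.get("severity") in BLOCKING_SEVERITIES:
            (waived if is_waived(vuln, waivers) else blocking).append(vuln)
    return {"passed": not blocking, "blocking": blocking, "waived": waived}


if __name__ == "__main__":
    # Usage: python3 sast_gate.py gl-sast-report.json [waivers.json]; a non-zero exit fails the job.
    with open(sys.argv[1]) as fh:
        report = json.load(fh)
    waivers = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else []
    result = gate(report, waivers)
    for v in result["blocking"]:
        print(f"BLOCKING {v['severity']}: {v['name']} at {v['location']['file']}:{v['location']['start_line']}")
    sys.exit(0 if result["passed"] else 1)
```

Medium and lower findings are reported but never block, and a waiver without a ticket or approver is ignored, so an override only takes effect once it has gone through the approval workflow.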