SAST and SCA - CODE

Now let's move on to the coding section of the CI/CD life cycle.

Static Application Security Testing (SAST) - Examines source code to identify weaknesses that can lead to security vulnerabilities. Think of it as a source code review and testing of the source code itself, without running the application.

Software Composition Analysis (SCA) is quite different. This is a process that inventories the open-source components (libraries and their versions) that make up your software and checks each of these components against databases of known vulnerabilities.

Features of SAST

▪ Reads source code

▪ Language-specific scanner

▪ False positives

▪ Fast and automated

▪ Finds weaknesses early
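As an added example (not part of the original notes), here is a toy language-specific SAST rule in Python: it parses a constructed source file with the standard `ast` module, flags `subprocess` calls made with `shell=True`, and marks the constant-command case as a likely false positive, illustrating why false positives appear in the list of SAST traits. The sample source and the `scan_shell_calls` rule are constructed for illustration and are not from any real scanner.

```python
import ast
from dataclasses import dataclass

# Constructed sample source: one subprocess call whose command comes from a
# parameter (a real weakness) and one with a constant command (a likely
# false positive for a purely syntactic rule).
SAMPLE_SOURCE = '''
import subprocess

def run_user(cmd):
    return subprocess.run(cmd, shell=True)

def list_tmp():
    return subprocess.run("ls /tmp", shell=True)
'''


@dataclass
class Finding:
    line: int
    func: str
    message: str
    likely_false_positive: bool


def _is_shell_true(call: ast.Call) -> bool:
    """True if the call passes the literal keyword argument shell=True."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def scan_shell_calls(source: str) -> list[Finding]:
    """Toy SAST rule: report subprocess.<fn>(..., shell=True) call sites."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not _is_shell_true(node):
            continue
        target = node.func
        if not (isinstance(target, ast.Attribute)
                and isinstance(target.value, ast.Name)
                and target.value.id == "subprocess"):
            continue
        first_arg = node.args[0] if node.args else None
        # A constant command string cannot be influenced by the caller, but a
        # syntactic rule still reports it: the classic SAST false positive.
        constant_cmd = (isinstance(first_arg, ast.Constant)
                        and isinstance(first_arg.value, str))
        findings.append(Finding(
            line=node.lineno,
            func=f"subprocess.{target.attr}",
            message=("shell=True with a constant command" if constant_cmd
                     else "shell=True with a command built from a non-constant value"),
            likely_false_positive=constant_cmd,
        ))
    return findings
```

Running `scan_shell_calls(SAMPLE_SOURCE)` yields two findings: line 5 (non-constant command, a genuine weakness) and line 8 (constant command, flagged as a likely false positive for a reviewer to triage).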

NIST list of source code security analyzers

https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
