Quality & Testing · master area
Security Testing (SAST / SCA / Secrets)
Static analysis, dependency audit, secrets scan. A pipeline stage: the chain's automated catch for the security ility. Findings are classified by severity; high/critical findings block release; lower findings are tracked with remediation dates.
Owners: Tech Lead, Pipeline Owner
Phase it lives in: How We Build (Volume IV)
The corpus principle this enacts: The pipeline catches a different chain level at each stage.
Where it lives in the chain
- How We Build · The Pipeline · seven stages — security testing is its own stage
The three layers
| Layer | What it checks | Findings |
|---|---|---|
| SAST (static analysis) | Code-level vulnerabilities: injection, unsafe deserialization, cryptographic misuse (hardcoded keys, weak algorithms). | Findings tagged by CWE and severity; high/critical block; medium/low tracked. |
| SCA (dependency audit) | Known CVEs in dependencies, direct and transitive. | Findings tagged by severity; high/critical block; medium/low tracked. |
| Secrets scan | Tokens, keys, credentials accidentally committed. | Any finding blocks. No exceptions. If a secret reached main, rotate it first, then rewrite history; rewriting alone does not un-leak it (clones, forks and CI logs keep the old commits). |
How to do this
- Run on every PR, not just on release. A high finding caught at PR is hours to fix; the same finding caught at release is days, plus rollback risk.
- Treat warnings as warnings, not as errors. A pipeline that fails on every lint warning trains the team to ignore failures. High/critical block; medium/low track.
- Update dependencies on a schedule, not on a panic. Quarterly dependency-update PRs, reviewed normally, beat the once-yearly "we have to patch everything before audit" sprint. The schedule covers routine updates; a critical CVE in a dependency you ship is still patched out of band when it lands.
- Re-test after fixes. A finding fixed without re-test is a finding still present.
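The gate that enacts the table's block/track rules and the "high/critical block; medium/low track" item above, as an added example written for this page rather than code from the corpus's own pipeline. It assumes a simple dict shape for scanner output (a real SARIF or JSON report needs an adapter first), and the 30-day and 90-day remediation windows are assumed policy values. The one decision the page leaves implicit is also made explicit: a finding with a missing or unrecognised severity fails closed instead of being dropped.

```python
"""Release gate over SAST / SCA / secrets findings.

Added example for this page, not the corpus's own pipeline tooling.
Assumed input shape: each scanner emits findings as dicts with
"scanner", "id", "severity" and "location" keys; a real scanner's
output (SARIF, a JSON report) would need a small adapter first.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple, Union

BLOCKING = {"critical", "high"}
# Remediation windows (days) for tracked findings. Assumed policy values,
# not numbers from the page.
TRACK_WINDOW_DAYS = {"medium": 30, "low": 90}


@dataclass
class GateDecision:
    blocking: List[dict] = field(default_factory=list)  # fail the stage
    tracked: List[dict] = field(default_factory=list)   # carry a remediation date
    noted: List[dict] = field(default_factory=list)     # info-level, recorded only

    @property
    def blocked(self) -> bool:
        return bool(self.blocking)


def classify(finding: dict, today: date) -> Tuple[str, Optional[date]]:
    """Return (verdict, due_date); verdict is "block", "track" or "note"."""
    severity = str(finding.get("severity", "")).lower()
    if finding["scanner"] == "secrets":
        return "block", None          # any secret blocks, whatever the scanner rated it
    if severity in BLOCKING:
        return "block", None
    if severity in TRACK_WINDOW_DAYS:
        return "track", today + timedelta(days=TRACK_WINDOW_DAYS[severity])
    if severity == "info":
        return "note", None
    # Missing or unrecognised severity: fail closed rather than drop it.
    return "block", None


def gate(findings: List[dict], today: Union[date, str]) -> GateDecision:
    """Apply the policy to a list of findings; `today` may be a date or ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    decision = GateDecision()
    for finding in findings:
        verdict, due = classify(finding, today)
        record = dict(finding, verdict=verdict, due=due)
        if verdict == "block":
            decision.blocking.append(record)
        elif verdict == "track":
            decision.tracked.append(record)
        else:
            decision.noted.append(record)
    return decision


# Constructed sample findings. The CWE ids are real categories (SQL injection,
# broken crypto algorithm); the advisory ids and paths are placeholders.
SAMPLE_FINDINGS = [
    {"scanner": "sast", "id": "CWE-89", "severity": "high", "location": "app/db.py:42"},
    {"scanner": "sast", "id": "CWE-327", "severity": "medium", "location": "app/crypto.py:7"},
    {"scanner": "sca", "id": "constructed-advisory-1", "severity": "critical", "location": "requirements.txt"},
    {"scanner": "sca", "id": "constructed-advisory-2", "severity": "low", "location": "requirements.txt"},
    {"scanner": "sca", "id": "constructed-advisory-3", "severity": "", "location": "requirements.txt"},
    {"scanner": "secrets", "id": "assigned-credential", "severity": "low", "location": "settings.py:3"},
]

if __name__ == "__main__":
    result = gate(SAMPLE_FINDINGS, date.today())
    print("BLOCKED" if result.blocked else "PASS")
    for r in result.blocking:
        print(f"  block  {r['scanner']:<8}{r['id']:<24} {r['location']}")
    for r in result.tracked:
        print(f"  track  {r['scanner']:<8}{r['id']:<24} due {r['due']}")
```

Run as the last step of the security-testing stage after the three scanners have written their reports; a non-empty `blocking` list fails the stage, and the `tracked` records (with their due dates) are what gets filed against the remediation backlog. Note that the secrets finding blocks even though the scanner rated it "low", and that the finding with an empty severity blocks too.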
What good practice looks like
The team treats SAST/SCA/secrets findings as chain-aware feedback, not bureaucratic noise:
- A repeated finding-class (e.g., "SQL string concatenation in three PRs") is a scenario-gap at the developer's mental model. Fix: add a query-builder layer, train, or add a pre-commit lint that catches it.
- A repeated dependency CVE is an operational-pattern signal. Fix: automate updates, narrow the dependency tree, switch to maintained alternatives.
- A secret-in-commit is an integration-gap with the secrets management process. Fix: add a pre-commit hook, train on the secrets workflow, rotate the leaked credential.
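The pre-commit lint that the first and third items call for (SQL string concatenation, secret-in-commit), as an added example written for this page and not a hook from the corpus or any project. It assumes Python sources and an invocation with the staged file paths as arguments; the pattern set is deliberately small, so a full secrets scanner still belongs in the pipeline stage. The SQL check works on the AST rather than on text, so it also catches f-strings, `%` formatting and `.format()` feeding an `execute` call, not only `+` concatenation.

```python
"""Pre-commit check for two finding-classes that keep recurring in review:
SQL assembled from runtime strings, and credentials assigned in source.

Added example for this page, not the corpus's own hook. Assumptions:
files are Python; the hook is invoked with staged file paths as
arguments (e.g. by a pre-commit framework or a git hook that runs
`git diff --cached --name-only`); the patterns are illustrative only.
"""
import ast
import re
import sys
from typing import List, Tuple

# Methods that send a string to the database (DB-API style names, assumed).
SQL_SINKS = {"execute", "executemany", "executescript"}

SECRET_PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    # A credential-smelling name assigned a quoted literal of 12+ characters.
    ("assigned-credential", re.compile(
        r"(?i)\b(api[_-]?key|api[_-]?token|secret|token|password|passwd)\b"
        r"\s*[=:]\s*['\"][^'\"]{12,}['\"]")),
]


def _builds_string_at_runtime(node: ast.AST) -> bool:
    """True if the SQL argument is assembled from runtime values."""
    if isinstance(node, ast.JoinedStr):                       # f"... {x}"
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "..." + x, "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                           # "...".format(x)
    return False


def find_sql_concat(text: str) -> List[Tuple[int, str]]:
    """(lineno, message) for execute(...) calls fed a runtime-built string."""
    try:
        tree = ast.parse(text)
    except SyntaxError as exc:
        return [(exc.lineno or 0, "file does not parse; SQL check skipped")]
    hits = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS and node.args
                and _builds_string_at_runtime(node.args[0])):
            hits.append((node.lineno, "SQL built by concatenation/formatting; use a parameterised query"))
    return hits


def find_secrets(text: str) -> List[Tuple[int, str]]:
    """(lineno, message) for lines matching a credential pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                hits.append((lineno, f"possible committed secret ({name})"))
    return hits


def check_text(path: str, text: str) -> List[Tuple[str, str, int, str]]:
    """Return [(kind, path, lineno, message)] for one file's contents."""
    findings = [("sql-concat", path, ln, msg) for ln, msg in find_sql_concat(text)]
    findings += [("secret", path, ln, msg) for ln, msg in find_secrets(text)]
    return sorted(findings, key=lambda f: f[2])


# Constructed staged file for the example; the token value is made up.
SAMPLE_STAGED = '''\
import sqlite3

API_TOKEN = "constructed-example-token-0123456789"
conn = sqlite3.connect("app.db")

def find_user(name):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
    return cur.fetchone()

def find_user_safe(name):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))
    return cur.fetchone()
'''

if __name__ == "__main__":
    results = []
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                results += check_text(path, fh.read())
    else:
        results = check_text("sample.py", SAMPLE_STAGED)
    for kind, path, ln, msg in results:
        print(f"{path}:{ln}: {kind}: {msg}")
    sys.exit(1 if results else 0)   # any finding blocks the commit
```

Wired as a pre-commit hook, the script exits non-zero on any finding, mirroring the secrets-scan rule of the pipeline stage; the parameterised `find_user_safe` in the sample passes while the concatenating `find_user` does not. A hook is advisory by nature (it can be bypassed with `--no-verify`), which is why the pipeline stage keeps its own scan and why a secret that reached main is rotated regardless.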
The JWT outage was a configuration error, not a SAST finding — but the lesson generalises: security changes deserve the same pipeline rigour as application code. SAST is one half of that rigour.