Security Testing (SAST / SCA / Secrets)

Static analysis, dependency audit, secrets scan. Pipeline stages — the chain's automated catch for the security -ility (security as a quality attribute). Findings are classified by severity; high/critical block release; lower findings are tracked with remediation dates.

Owners: Tech Lead, Pipeline Owner
Phase it lives in: How We Build (Volume IV)
The corpus principle this enacts: The pipeline catches a different chain level at each stage.

Where it lives in the chain

The three layers

SAST (static analysis)
  What it checks: Code-level vulnerabilities — injection, unsafe deserialization, hardcoded crypto.
  Findings: Tagged by CWE; high/critical block.

SCA (dependency audit)
  What it checks: Known CVEs in dependencies.
  Findings: Tagged by severity; high/critical block; medium tracked.

Secrets scan
  What it checks: Tokens, keys, credentials accidentally committed.
  Findings: Any finding blocks. No exceptions. History rewritten if a secret reached main.

How to do this

  • Run on every PR, not just on release. A high finding caught at PR is hours to fix; the same finding caught at release is days, plus rollback risk.
  • Treat warnings as warnings, not as errors. A pipeline that fails on every lint warning trains the team to ignore failures. High/critical block; medium/low track.
  • Update dependencies on a schedule, not on a panic. Quarterly dependency-update PRs, reviewed normally, beat the once-yearly "we have to patch everything before audit" sprint.
  • Re-test after fixes. A finding fixed without re-test is a finding still present.
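The gating policy above (high/critical block, lower findings tracked with a remediation date, any secrets finding blocks) as a small severity gate a pipeline stage could run. This is an added example, not code from the page or from any scanner; it assumes a hypothetical normalised JSON report whose key names ("layer", "severity", "rule", "location") and remediation windows are this example's own, and the CVE ids in the sample are placeholders.

```python
"""Severity gate for SAST / SCA / secrets findings (added example).

Assumes a hypothetical normalised report: one JSON object per finding with the
keys "layer", "severity", "rule" and "location" (names chosen for this example).
Policy applied: high/critical block, medium/low are tracked with a due date,
any secrets finding blocks.
"""
import json
from dataclasses import dataclass
from datetime import date, timedelta

BLOCKING_SEVERITIES = {"critical", "high"}
# Remediation windows for tracked findings (assumed values, not from the page).
REMEDIATION_DAYS = {"medium": 30, "low": 90}


@dataclass(frozen=True)
class Finding:
    layer: str      # "sast", "sca" or "secrets"
    severity: str   # "critical", "high", "medium", "low" or "unknown"
    rule: str       # CWE id, CVE id or secret-detector rule name
    location: str   # file:line or package name


@dataclass
class GateResult:
    blocking: list  # findings that fail the stage
    tracked: list   # (finding, remediation due date) pairs

    def passed(self) -> bool:
        return not self.blocking


def load_findings(report_json: str) -> list:
    """Parse the hypothetical normalised report into Finding objects."""
    data = json.loads(report_json)
    return [Finding(f["layer"], f.get("severity", "unknown"), f["rule"], f["location"])
            for f in data["findings"]]


def evaluate(findings: list, today: date) -> GateResult:
    """Apply the page's gating policy to a list of findings."""
    result = GateResult(blocking=[], tracked=[])
    for f in findings:
        sev = f.severity.lower()
        if f.layer == "secrets":
            # Secrets scan: any finding blocks, no exceptions.
            result.blocking.append(f)
        elif sev in BLOCKING_SEVERITIES:
            result.blocking.append(f)
        elif sev in REMEDIATION_DAYS:
            # Lower findings are tracked with a remediation date instead of blocking.
            result.tracked.append((f, today + timedelta(days=REMEDIATION_DAYS[sev])))
        else:
            # Design choice of this example: an unclassified severity fails closed,
            # so a broken tool mapping cannot silently downgrade a finding.
            result.blocking.append(f)
    return result


def exit_code(result: GateResult) -> int:
    """Non-zero exit fails the pipeline stage; CI treats that as a blocked build."""
    return 0 if result.passed() else 1


# Constructed sample report; the CVE ids are placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({"findings": [
    {"layer": "sast", "severity": "high", "rule": "CWE-89", "location": "app/db.py:42"},
    {"layer": "sast", "severity": "low", "rule": "CWE-563", "location": "app/util.py:7"},
    {"layer": "sca", "severity": "critical", "rule": "CVE-0000-00000 (placeholder)",
     "location": "somelib 1.2.3"},
    {"layer": "sca", "severity": "medium", "rule": "CVE-0000-00001 (placeholder)",
     "location": "otherlib 4.5.6"},
    {"layer": "secrets", "severity": "low", "rule": "generic-api-key",
     "location": "config/settings.py:3"},
]})


def run_sample(today: date = date(2024, 1, 15)) -> GateResult:
    """Evaluate the constructed sample against a fixed date so results are reproducible."""
    return evaluate(load_findings(SAMPLE_REPORT), today)


if __name__ == "__main__":
    res = run_sample()
    for f in res.blocking:
        print(f"BLOCK  {f.layer:7} {f.severity:8} {f.rule} at {f.location}")
    for f, due in res.tracked:
        print(f"TRACK  {f.layer:7} {f.severity:8} {f.rule} at {f.location} (fix by {due})")
    raise SystemExit(exit_code(res))
```

Run on every PR, the stage exits non-zero on the three blocking findings (the high SAST finding, the critical CVE and the low-severity secret) and emits the two tracked findings with their due dates; the due date is what the remediation tracker consumes. The fail-closed branch for an unrecognised severity is a deliberate choice here: a scanner upgrade that renames its severity levels should surface as a blocked build, not as a silently empty report.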

What good practice looks like

The team treats SAST/SCA/secrets findings as chain-aware feedback, not bureaucratic noise:

  • A repeated finding-class (e.g., "SQL string concatenation in three PRs") is a scenario-gap at the developer's mental model. Fix: add a query-builder layer, train, or add a pre-commit lint that catches it.
  • A repeated dependency CVE is an operational-pattern signal. Fix: automate updates, narrow the dependency tree, switch to maintained alternatives.
  • A secret-in-commit is an integration-gap with the secrets management process. Fix: add a pre-commit hook, train on the secrets workflow, rotate the leaked credential.
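Two of the fixes listed above are a pre-commit lint for the repeated finding-class and a pre-commit hook for the secrets workflow. The following is an added example of such a hook, not the page's or any project's code: it scans only the lines a staged unified diff adds and flags SQL built by string concatenation or f-strings, plus two credential shapes. The regexes are this example's own (the AKIA-prefixed 20-character AWS access key id shape is widely documented; the others are deliberately simple illustrations), and the sample diff is constructed.

```python
"""Pre-commit lint for two repeated finding classes named on the page:
SQL built by string concatenation, and credentials in the staged diff.
Added example; the patterns are illustrative and not from any real tool.
"""
import re
import sys
from dataclasses import dataclass

SQL_VERB = r"(SELECT|INSERT|UPDATE|DELETE)\b"
CHECKS = [
    # "SELECT ... " + variable
    ("sql-string-concat", re.compile(r"['\"]\s*" + SQL_VERB + r".*['\"]\s*\+\s*\w", re.I)),
    # f"SELECT ... {variable}"
    ("sql-fstring", re.compile(r"\bf['\"]\s*" + SQL_VERB + r"[^'\"]*\{", re.I)),
    # Documented AWS access key id shape: AKIA followed by 16 upper-case alphanumerics.
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # name = "long literal" for secret-looking names (illustrative pattern).
    ("assigned-secret-literal", re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"][A-Za-z0-9/+=_-]{16,}['\"]")),
]
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Violation:
    rule: str
    path: str
    line: int   # line number in the new version of the file
    text: str


def lint_diff(diff_text: str) -> list:
    """Scan only the lines a unified diff adds; removed and context lines are ignored."""
    violations, path, new_line = [], "?", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith("--- ") or raw.startswith("diff "):
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        if raw.startswith("+"):
            added = raw[1:]
            for rule, pattern in CHECKS:
                if pattern.search(added):
                    violations.append(Violation(rule, path, new_line, added.strip()))
            new_line += 1
        elif raw.startswith(" ") or raw == "":
            new_line += 1
        # '-' lines exist only in the old file and do not advance new_line
    return violations


# Constructed sample diff: a PR that swaps a parameterised query for concatenation
# and adds a key literal. The key value is the AWS documentation's example id.
SAMPLE_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -10,3 +10,5 @@
 def get_user(conn, user_id):
-    query = "SELECT * FROM users WHERE id = %s"
-    return conn.execute(query, (user_id,))
+    query = "SELECT * FROM users WHERE id = " + user_id
+    return conn.execute(query)
+
+API_KEY = "AKIAIOSFODNN7EXAMPLE"
"""


def main() -> int:
    """Read a diff from stdin and fail (exit 1) if any added line violates a check."""
    found = lint_diff(sys.stdin.read())
    for v in found:
        print(f"{v.path}:{v.line}: {v.rule}: {v.text}")
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(main())
```

Wired in as `git diff --cached -U0 | python precommit_lint.py` (script name assumed), the hook reports the concatenated query at line 11 and the key literal at line 14 twice, once per matching rule, and refuses the commit. Scanning added lines only keeps the hook fast and keeps it from re-flagging legacy code that is already tracked; the secrets scan in the pipeline, not this hook, remains the layer of record, and a credential that does reach a commit is still rotated regardless of what the hook said.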

The JWT outage was a configuration error, not a SAST finding — but the lesson generalises: security changes deserve the same pipeline rigour as application code. SAST is one half of that rigour.

200apps · How We Work · NWIRE