Does the project use a static code analysis tool?

ID

esf_s3c_dev/sast_in_use

Severity

low

Category

Levels

Optional

false

Tags

SSDF-PO.3.1, security, supply-chain, testing

Description

Does the project use a static code analysis tool?

Before a third-party component is integrated, it must be evaluated for the security risk it may introduce. That evaluation includes reviewing and testing the software.

This check tries to determine whether the project uses Static Application Security Testing (SAST), also known as static code analysis.

Rationale

SAST, DAST and other appropriate review, such as software composition analysis, must be performed to determine whether the risk is acceptable. Once it is, the source code (not binaries alone) should be integrated into the build environment so that the security scanning processes approved by the organization can run over it. Whenever possible, images should be built from source rather than downloaded from the internet, unless the provenance and delivery path of the download are understood and trusted.

A project that does not run SAST carries a higher risk of shipping unknown bugs (and, when the tool is security-focused, unknown security vulnerabilities) in the delivered software.

Verification

The check looks for execution of known SAST tools in recently merged pull requests, or for invocation of these tools in the project's CI workflows.

Remediation

  • Run SAST tool(s) in your CI/CD workflow. Run them early and often, so that bugs and security flaws are caught before they are merged.

Follow the particular SAST tool's instructions for invoking it in the project's CI workflows.

Small Print

There are many SAST tools and many ways of invoking them, and it is challenging for an automated check to detect them all. A FAIL result is therefore not a definitive indication that the project is at risk.
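As an added illustration of the Verification and Remediation sections above (example code, not the check's own implementation), the following Python script embeds a constructed GitHub Actions workflow that invokes CodeQL and Semgrep on every push and pull request, plus a second constructed workflow that hides its analyser behind `make check`, and applies the kind of heuristic this check describes: inspect only `uses:` targets and `run:` commands for the names of known SAST tools. The tool list, the regular expressions, the branch name, the language setting and both workflows are assumptions for this example; the real check's list and logic are not given on this page. The second workflow is the Small Print case: a heuristic of this kind reports FAIL even though a static analyser does run, so FAIL means "not detected", not "not present".

```python
"""Heuristic detection of SAST tool invocations in a GitHub Actions workflow.

Added example, not the check's own implementation.  The tool list, the
patterns and the two sample workflows below are constructed for illustration.
"""
import re
from typing import List

# Assumed list of recognisable SAST tools (the real check's list is not given on this page).
KNOWN_SAST_TOOLS = {
    "CodeQL": re.compile(r"github/codeql-action/(init|analyze)|\bcodeql\b", re.I),
    "Semgrep": re.compile(r"\bsemgrep\b", re.I),
    "SonarQube/SonarCloud": re.compile(r"\bsonar(qube|cloud|-scanner)\b", re.I),
    "Bandit": re.compile(r"\bbandit\b", re.I),
    "gosec": re.compile(r"\bgosec\b", re.I),
    "Brakeman": re.compile(r"\bbrakeman\b", re.I),
}

# Only `uses:` targets and `run:` commands count as evidence; a tool named in a
# step `name:` or in a YAML comment does not prove that it executes.
STEP_FIELD = re.compile(r"^\s*-?\s*(uses|run):\s*(\S.*)$")


def step_commands(workflow_text: str) -> List[str]:
    """Return every `uses:` value and every `run:` command line, including the
    indented lines of a `run: |` block scalar."""
    commands: List[str] = []
    block_indent = None  # indent of the `run:` key while inside a block scalar
    for raw in workflow_text.splitlines():
        line = raw.rstrip()
        if block_indent is not None:
            if not line.strip():
                continue  # blank lines do not end a block scalar
            if len(line) - len(line.lstrip()) > block_indent:
                commands.append(line.strip())
                continue
            block_indent = None  # dedent: the block scalar is over
        m = STEP_FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "run" and value in ("|", "|-", ">", ">-"):
            block_indent = len(line) - len(line.lstrip())
        else:
            commands.append(value)
    return commands


def detect_sast_tools(workflow_text: str) -> List[str]:
    """Sorted names of the known SAST tools the workflow actually invokes."""
    found = {name for cmd in step_commands(workflow_text)
             for name, pat in KNOWN_SAST_TOOLS.items() if pat.search(cmd)}
    return sorted(found)


def evaluate(workflow_text: str) -> str:
    """PASS/FAIL verdict in the spirit of the check (heuristic, see Small Print)."""
    tools = detect_sast_tools(workflow_text)
    if tools:
        return "PASS: " + ", ".join(tools)
    return "FAIL: no known SAST tool invocation found"


# Constructed workflow that remediates the check: CodeQL plus Semgrep on every
# push and pull request (branch name and language are assumptions).
WORKFLOW_WITH_SAST = """\
name: Static analysis
on:
  push:
    branches: [main]
  pull_request:
permissions:
  contents: read
  security-events: write
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python
      - uses: github/codeql-action/analyze@v3
      - name: Semgrep
        run: |
          pip install semgrep
          semgrep scan --config auto --error
"""

# Constructed workflow illustrating the Small Print: the analyser runs inside
# `make check`, so nothing in the workflow names it and the heuristic misses it.
WORKFLOW_HIDDEN_SAST = """\
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make check   # Makefile target invokes the analyser
"""

if __name__ == "__main__":
    print(evaluate(WORKFLOW_WITH_SAST))    # PASS: CodeQL, Semgrep
    print(evaluate(WORKFLOW_HIDDEN_SAST))  # FAIL: no known SAST tool invocation found
```

Restricting the match to `uses:` and `run:` fields avoids one false positive (a step merely named after a tool) but, as the second workflow shows, cannot avoid the false negative the Small Print warns about; a check that also inspects merged pull requests, as the Verification section describes, narrows that gap but does not close it.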