SAST in use

ID: openssf_scorecard/sast_in_use

Severity: low

Category:

Levels:

Optional: false

Tags: security, supply-chain, testing

Description

Does the project use static code analysis tools?

This check tries to determine if the project uses Static Application Security Testing (SAST), also known as static code analysis.

Rationale

SAST analyzes source code without running the software. This means the source code can be checked for bugs before it is integrated, or before it is complete and ready for delivery.

Using SAST tools can prevent known classes of bugs from being inadvertently introduced into the codebase. Many SAST tools specialize in catching security flaws, while others are more generic and look for general defects in source code and configuration.

Lack of SAST increases the risk of unknown bugs (and, for the security-focused tools, security vulnerabilities) in the delivered software.

Verification

The check looks for executions of known SAST tools in recently merged PRs, or for the use of these tools in CI workflows.

Remediation

  • Run SAST tool(s) in your CI/CD workflow. Run such tools early and often to catch bugs or security flaws.

Follow the instructions of the particular SAST tool for invocation in the project’s CI workflows.
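To make the verification and remediation sections concrete, here is an added example (not Scorecard's own code and not part of this page) that approximates the CI-workflow half of the check: it scans GitHub Actions workflow text for `uses:` steps that reference known SAST actions and reports whether they are pinned to a commit SHA. The `KNOWN_SAST_ACTIONS` table, the sample workflows and the placeholder SHA are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# Action references treated as SAST tools. The CodeQL entry is the one the real
# check is known to recognise; the Sonar entry is an assumed example entry.
KNOWN_SAST_ACTIONS = {
    "github/codeql-action/analyze": "CodeQL",
    "SonarSource/sonarcloud-github-action": "SonarCloud",  # assumed entry
}

# Matches `- uses: owner/repo/path@ref` (ref optional) at the start of a line.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)(?:@(\S+))?", re.MULTILINE)
SHA_RE = re.compile(r"[0-9a-f]{40}")

def find_sast_steps(workflow_yaml: str) -> List[dict]:
    """Return one record per step whose `uses:` points at a known SAST action."""
    found = []
    for m in USES_RE.finditer(workflow_yaml):
        action, ref = m.group(1), (m.group(2) or "").strip("'\"")
        tool = KNOWN_SAST_ACTIONS.get(action)
        if tool:
            found.append({"tool": tool, "action": action, "ref": ref,
                          "pinned_to_sha": bool(SHA_RE.fullmatch(ref))})
    return found

def sast_in_use(workflows: Dict[str, str]) -> dict:
    """Approximate the check over a {workflow path: yaml text} map."""
    hits = {p: s for p, s in ((p, find_sast_steps(t)) for p, t in workflows.items()) if s}
    tools = sorted({step["tool"] for steps in hits.values() for step in steps})
    return {"in_use": bool(hits), "tools": tools, "workflows": hits}

# Constructed sample workflows: one runs CodeQL (pinned to a placeholder SHA,
# not a real release), the other only runs unit tests.
SAMPLE_WORKFLOWS = {
    ".github/workflows/codeql.yml": """\
name: CodeQL
on: [push, pull_request]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python
      - uses: github/codeql-action/analyze@0123456789abcdef0123456789abcdef01234567 # placeholder
""",
    ".github/workflows/tests.yml": "name: tests\non: [push]\njobs:\n  unit:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - run: pytest\n",
}

if __name__ == "__main__":
    print(sast_in_use(SAMPLE_WORKFLOWS))
```

Like the real check, this only proves that a SAST step is declared, not that its findings are acted upon; a failing result still warrants a manual look before concluding the project has no static analysis.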

Small Print

There are many SAST tools and ways of invoking them, and it is challenging for an automated tool to detect them all. A FAIL result is therefore not a definitive indication that the project is at risk.