SAST in use

ID

sast_in_use

Severity

low

Family

CI/CD tools

Tags

non-reachable, security, supply-chain, testing

Description

Does the project use static code analysis tools?

This check tries to determine if the project uses Static Application Security Testing (SAST), also known as static code analysis.

Security

SAST analyzes source code without running the software. This means the code can be checked for bugs before it is integrated, and before the product is complete and ready for delivery.

Using SAST tools can prevent known classes of bugs from being inadvertently introduced into the codebase. Many SAST tools specialize in catching security flaws, while others are more generic and look for general defects in source code and configuration.

Lack of SAST increases the risk of unknown bugs (and, for the security-focused tools, of security vulnerabilities) in the delivered software.

The check looks for runs of known SAST tools on recently merged PRs, or for the use of these tools in CI workflows. It detects that a known tool is invoked; it does not evaluate what the tool found.

Mitigation / Fix

  • Run SAST tool(s) in your CI/CD workflow. Run them early and often (on every push and pull request) so that bugs and security flaws are caught before they are merged.

Follow the instructions of the particular SAST tool for invoking it in the project's CI workflows.
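The following is an added illustration, not the check's own implementation and not code from the project being described: it shows, on constructed GitHub Actions workflow files, how a scanner can recognise known SAST tools by the actions a workflow `uses:` and the commands its `run:` steps execute, and it gives the verdict the check description above describes (only the workflow half is modelled; inspecting check runs on merged PRs is not). The tool tables, the function names and the three sample workflows are all assumptions made for this example; the `CODEQL_WORKFLOW` sample doubles as a minimal workflow of the kind the mitigation above asks for.

```python
import re

# Illustrative tables only: the page does not list which tools the real check
# recognises, so these names are assumptions for this example.
SAST_ACTIONS = {
    "github/codeql-action/analyze": "CodeQL",
    "returntocorp/semgrep-action": "Semgrep",
    "semgrep/semgrep-action": "Semgrep",
    "SonarSource/sonarcloud-github-action": "SonarCloud",
    "securego/gosec": "gosec",
}
SAST_COMMANDS = {
    "semgrep": "Semgrep",
    "bandit": "Bandit",
    "gosec": "gosec",
    "codeql": "CodeQL",
    "sonar-scanner": "SonarQube",
}

# `uses: owner/repo/path@ref` -> capture everything before the @ref.
_USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s@#]+)")
# `run: <cmd>` or `run: |` (block scalar); group 1 is the key's indentation.
_RUN = re.compile(r"^(\s*)-?\s*run:\s*(.*)$")


def _run_scripts(lines):
    """Yield the shell text of every `run:` step, joining YAML block scalars."""
    i = 0
    while i < len(lines):
        m = _RUN.match(lines[i])
        if not m:
            i += 1
            continue
        indent, rest = len(m.group(1)), m.group(2).strip()
        i += 1
        if rest in ("|", ">", "|-", ">-"):
            # Block scalar: the script is every following line indented
            # deeper than the `run:` key (blank lines are part of it too).
            block = []
            while i < len(lines) and (
                not lines[i].strip()
                or len(lines[i]) - len(lines[i].lstrip()) > indent
            ):
                block.append(lines[i])
                i += 1
            yield "\n".join(block)
        else:
            yield rest


def find_sast_tools(workflow_text):
    """Return the set of known SAST tool names a single workflow file invokes."""
    lines = workflow_text.splitlines()
    found = set()
    for line in lines:
        m = _USES.match(line)
        if m and m.group(1) in SAST_ACTIONS:
            found.add(SAST_ACTIONS[m.group(1)])
    for script in _run_scripts(lines):
        # Crude tokenisation: split on whitespace and shell separators, keep
        # the basename so `./bin/gosec` and `gosec` both match.
        for tok in re.split(r"[\s;&|()]+", script):
            name = tok.rsplit("/", 1)[-1]
            if name in SAST_COMMANDS:
                found.add(SAST_COMMANDS[name])
    return found


def project_uses_sast(workflows):
    """The check's verdict: does any workflow file run a known SAST tool?"""
    return any(find_sast_tools(w) for w in workflows)


# Constructed sample workflows (not taken from any real repository).
CODEQL_WORKFLOW = """\
name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
permissions:
  contents: read
  security-events: write
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: go
      - uses: github/codeql-action/analyze@v3
"""

GOSEC_WORKFLOW = """\
name: gosec
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          go install github.com/securego/gosec/v2/cmd/gosec@latest
          gosec ./...
"""

TESTS_ONLY_WORKFLOW = """\
name: tests
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: go test ./...
"""

if __name__ == "__main__":
    for name, wf in [("codeql", CODEQL_WORKFLOW), ("gosec", GOSEC_WORKFLOW),
                     ("tests-only", TESTS_ONLY_WORKFLOW)]:
        print(name, sorted(find_sast_tools(wf)))
    print("project uses SAST:", project_uses_sast([TESTS_ONLY_WORKFLOW, CODEQL_WORKFLOW]))
```

Note that the scan is deliberately name-based: a workflow that only installs a tool, or runs it on a nightly schedule rather than on pull requests, still counts, which is the same limitation the check description states (presence of a known tool, not the quality or timing of its findings). Treat a pass from such a check as a floor, not as evidence that findings are being triaged.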