Static Analysis (SAST) Setup


1. Purpose

Shift left: find bugs while the developer is writing code, not six months later in production. SAST pattern-matches source for known dangerous functions (eval(), strcpy) and traces data flow (untrusted input reaching a sensitive sink).


2. When to Use / When Not to Use

Use This Workflow When

  • New repo setup.
  • Enforcing coding standards across the org.
  • Meeting compliance requirements (PCI-DSS requires code review).

Do NOT Use This Workflow When

  • Scanning binary blobs (use AV).
  • You expect 100% accuracy (SAST is noisy: it produces false positives and misses real issues).
  • Hunting functional bugs (use unit tests).

3. Inputs

Required Inputs

  • [[REPO_URL]]: Git Repository.
  • [[SAST_TOOL]]: SonarQube, Semgrep, GitHub CodeQL.
  • [[CI_PLATFORM]]: GitHub Actions, GitLab CI, Jenkins.

4. Outputs

  • Pipeline Job: Runs on every PR.
  • Quality Gate: Blocks Merge if Critical Issue count > 0.

5. Preconditions

  • CI Platform access.
  • Token for SAST Dashboard (if using SonarQube).

6. Procedure

Phase 1: Local Config

  1. Action: Define Rules.

    • Expected Output: sonar-project.properties or .semgrep.yml.
    • Notes: Disable "Code Smell" rules initially to reduce noise. Focus on "Security Hotspots" and "Vulnerabilities".
  2. Action: Local Run.

    • Expected Output: A baseline report from a local scanner run, before the tool is wired into CI.

Phase 2: Pipeline Integration

  1. Action: Update CI Yaml.

    • Expected Output: Add "Security Scan" stage after "Build" and before "Deploy".
    • Notes: Ensure it fails the build on error (fail-fast).
  2. Action: PR Decoration.

    • Expected Output: Tool comments directly on the problematic line in the Pull Request.

Phase 3: Baseline & Tuning

  1. Action: Mark False Positives.

    • Expected Output: Findings marked "Won't Fix" in the dashboard.
    • Notes: Don't let the first run block everyone. Set the baseline. Only new issues block.
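The baseline-then-gate logic of Phase 3 (and the merge gate in section 7), as an added example that is not part of this workflow page: a small Python gate over Semgrep-style JSON results that excludes tests/ and vendor/, records a baseline, and fails only on new findings above the threshold. The field names (results, check_id, path, start.line, extra.severity, extra.message) follow Semgrep's JSON output; the rule ids, paths and messages are constructed, and treating severity ERROR as "Critical" is an assumption.

```python
"""Quality gate over Semgrep-style JSON results: fail only on NEW high-severity findings."""
# Directories the Coverage quality gate says to ignore.
EXCLUDED_PREFIXES = ("tests/", "vendor/")
# Severities treated as "Critical" for the gate (an assumption of this example).
BLOCKING_SEVERITIES = {"ERROR"}


def finding_key(result: dict) -> str:
    """Identity of a finding without its line number, so that edits elsewhere
    in the file do not turn a baselined finding into a 'new' one."""
    return f"{result['check_id']}|{result['path']}|{result['extra']['message']}"


def load_findings(report: dict) -> list:
    """Keep only results outside the excluded directories."""
    return [r for r in report["results"] if not r["path"].startswith(EXCLUDED_PREFIXES)]


def build_baseline(report: dict) -> set:
    """Phase 3: record every pre-existing finding so the first run blocks nobody."""
    return {finding_key(r) for r in load_findings(report)}


def evaluate_gate(report: dict, baseline: set) -> tuple:
    """Return (passed, new_blocking). Only findings that are both above the
    severity threshold and absent from the baseline fail the build."""
    new_blocking = [r for r in load_findings(report)
                    if r["extra"]["severity"] in BLOCKING_SEVERITIES
                    and finding_key(r) not in baseline]
    return (len(new_blocking) == 0, new_blocking)


def _result(check_id, path, line, severity, message):
    """One result in the shape of Semgrep's JSON output (constructed sample data)."""
    return {"check_id": check_id, "path": path, "start": {"line": line},
            "extra": {"severity": severity, "message": message}}

# Constructed scans: the baseline run on the main branch, then a run on a PR branch.
BASELINE_RUN = {"results": [
    _result("example.eval-detected", "src/auth.py", 42, "ERROR", "eval() on user input"),
    _result("example.weak-hash", "src/util.py", 10, "WARNING", "MD5 used for hashing"),
    _result("example.eval-detected", "tests/test_auth.py", 5, "ERROR", "eval() on user input"),
]}
PR_RUN = {"results": [
    _result("example.eval-detected", "src/auth.py", 57, "ERROR", "eval() on user input"),  # baselined, line moved
    _result("example.weak-hash", "src/util.py", 10, "WARNING", "MD5 used for hashing"),
    _result("example.eval-detected", "src/handlers.py", 88, "ERROR", "eval() on user input"),  # new: blocks
    _result("example.weak-hash", "src/handlers.py", 12, "WARNING", "MD5 used for hashing"),   # new, below threshold
]}
```

In CI, `build_baseline` runs once against the default branch and its keys are stored; every PR scan then goes through `evaluate_gate`, and a `False` result is what fails the "Security Scan" stage.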

7. Quality Gates

  • [ ] Scan Speed: Scan completes in < 10 mins (Optimization needed if longer).
  • [ ] Gate Enforcement: PR cannot merge with new Criticals.
  • [ ] Coverage: Scans source code, ignores tests/ and vendor/.

8. Failure Handling

Pipeline Timeout

  • Symptoms: Scan hangs on large repo.
  • Recovery: Exclude large binary assets or minified JS. Increase CI timeout. Use "Incremental Scan" (Analyze new code only).

Too Much Noise

  • Symptoms: Devs ignore 1000 warnings.
  • Recovery: Turn off low-severity rules. Focus only on OWASP Top 10 High confidence rules.

9. Paste Prompt

TIP: One-Click Agent Invocation

Copy the prompt below, replace the placeholders, and paste it into your agent.

Role: Act as a DevSecOps Engineer.
Task: Execute the SAST Integration workflow.

## Objective
Integrate [[SAST_TOOL]] into [[CI_PLATFORM]] for [[REPO_URL]].

## Inputs
- **Rules**: Security-focused (OWASP).

## Procedure
Execute the following phases:

1. **Config**:
   - Create config file (exclusions, rule selection).
   - Ignore `node_modules` and `tests`.

2. **CI**:
   - Add Job to Pipeline.
   - Configure Auth Token secrets.
   - Enable PR Comments/Decoration.

3. **Gate**:
   - Define Failure Condition (New Critical Vulnerabilities > 0).

## Quality Gates
- [ ] Build fails on critical security issue.
- [ ] Scan time optimized (<10m).
- [ ] Baseline established (Existing tech debt doesn't block).

## Constraints
- Output: YAML Pipeline Config.
- Tool: [[SAST_TOOL]].

## Command
Write the CI step configuration.
