#sast

Scan for security vulnerabilities. Tools: 1. SAST (Snyk, SonarQube) for code analysis. 2. DAST for runtime scanning. 3. Dependency scanning (npm audit, Dependabot). 4. Secret detection (GitGuardian). 5. Container scanning. 6. Infrastructure as Code scanning. Integrate in CI/CD. Fix critical issues immediately. Use OWASP Top 10 as guide. Regular security reviews.

Integrate security testing throughout the DevOps pipeline with Static and Dynamic Application Security Testing tools. SAST (Static Application Security Testing): 1. Code analysis: SonarQube, Checkmarx, Veracode for vulnerability detection during build phase. 2. IDE integration: real-time security feedback, developer education, fix suggestions. 3. Quality gates: fail builds with high/critical vulnerabilities, technical debt thresholds. 4. Custom rules: organization-specific security policies, coding standards enforcement. DAST (Dynamic Application Security Testing): 1. Runtime testing: OWASP ZAP, Burp Suite, Rapid7 for live application scanning. 2. API testing: security testing for REST/GraphQL APIs, authentication bypasses, injection attacks. 3. Automated scanning: nightly security scans, CI/CD integration, baseline comparisons. Security pipeline integration: 1. Shift-left approach: security testing early in development cycle, pre-commit hooks. 2. Container scanning: Twistlock, Aqua Security for image vulnerabilities, base image policies. 3. Infrastructure scanning: Terraform security validation, cloud configuration assessment. Vulnerability management: 1. Risk assessment: CVSS scoring, business impact analysis, patch prioritization. 2. Remediation tracking: SLA for critical vulnerabilities (24 hours), medium vulnerabilities (7 days). 3. Reporting: executive dashboards, trend analysis, security posture metrics. Compliance automation: 1. Policy enforcement: automated compliance checking, violation reporting, audit trails. 2. Evidence collection: automated documentation for SOC 2, PCI DSS, HIPAA audits.