Owasp-Zap on Adurhttps://adurrr.github.io/en/tags/owasp-zap/Recent content in Owasp-Zap on AdurHugo -- gohugo.ioenSun, 12 May 2024 00:00:00 +0000SAST/DAST integration in CI/CD pipelineshttps://adurrr.github.io/en/p/sast/dast-integration-in-ci/cd-pipelines/Sun, 12 May 2024 00:00:00 +0000https://adurrr.github.io/en/p/sast/dast-integration-in-ci/cd-pipelines/<h2 id="sast-vs-dast-understanding-the-difference">SAST vs DAST: Understanding the Difference </h2><p>Application security testing has two fundamental approaches, and knowing when to use each matters for your security posture.</p> <p><strong>SAST (Static Application Security Testing)</strong> reads source code, bytecode, or binaries without running the app. It looks for patterns that match known vulnerabilities (SQL injection, XSS, hardcoded credentials, insecure deserialization). Think of it like a security linter that flags dangerous patterns.</p> <p><strong>DAST (Dynamic Application Security Testing)</strong> tests a <em>running application</em> by sending crafted requests and analyzing responses. It simulates what an attacker would do: probe endpoints, test authentication, look for misconfigurations. DAST sees the app from outside, like a real attacker would.</p> <table> <thead> <tr> <th>Aspect</th> <th>SAST</th> <th>DAST</th> </tr> </thead> <tbody> <tr> <td>When it runs</td> <td>Build time, on source code</td> <td>Runtime, against deployed app</td> </tr> <tr> <td>What it finds</td> <td>Code flaws, hardcoded secrets, insecure patterns</td> <td>Runtime vulnerabilities, misconfigurations, auth issues</td> </tr> <tr> <td>False positive rate</td> <td>Higher (no runtime context)</td> <td>Lower (tests real behavior)</td> </tr> <tr> <td>Language dependency</td> <td>Yes (needs language-specific rules)</td> <td>No (tests HTTP/API layer)</td> </tr> <tr> <td>Coverage</td> <td>All code paths (including dead code)</td> <td>Only reachable endpoints</td> </tr> <tr> <td>Speed</td> <td>Fast (seconds to minutes)</td> <td>Slower (minutes to hours)</td> </tr> <tr> <td>Best stage</td> <td>Every commit/PR</td> <td>Staging or pre-production</td> </tr> </tbody> </table> <p>Short answer: <strong>use both</strong>. SAST catches problems early and cheap. DAST catches problems that only show up at runtime. They complement each other.</p> <h2 id="tool-comparison">Tool comparison </h2><h3 id="sast-tools">SAST tools </h3><table> <thead> <tr> <th>Tool</th> <th>Languages</th> <th>Strengths</th> <th>License</th> </tr> </thead> <tbody> <tr> <td><strong>Semgrep</strong></td> <td>30+ languages</td> <td>Fast, custom rules, great CI integration</td> <td>OSS + Commercial</td> </tr> <tr> <td><strong>SonarQube</strong></td> <td>25+ languages</td> <td>Broad ecosystem, quality gates, dashboard</td> <td>Community + Commercial</td> </tr> <tr> <td><strong>Bandit</strong></td> <td>Python only</td> <td>Python-specific, lightweight, easy setup</td> <td>OSS (Apache 2.0)</td> </tr> <tr> <td><strong>CodeQL</strong></td> <td>10+ languages</td> <td>Deep semantic analysis, GitHub native</td> <td>Free for OSS</td> </tr> </tbody> </table> <h3 id="dast-tools">DAST tools </h3><table> <thead> <tr> <th>Tool</th> <th>Type</th> <th>Strengths</th> <th>License</th> </tr> </thead> <tbody> <tr> <td><strong>OWASP ZAP</strong></td> <td>Proxy-based scanner</td> <td>Full-featured, scriptable, community rules</td> <td>OSS (Apache 2.0)</td> </tr> <tr> <td><strong>Burp Suite</strong></td> <td>Proxy-based scanner</td> <td>Best-in-class manual + automated testing</td> <td>Commercial</td> </tr> <tr> <td><strong>Nuclei</strong></td> <td>Template-based scanner</td> <td>Fast, huge template library, CI-friendly</td> <td>OSS (MIT)</td> </tr> </tbody> </table> <p>For most teams, <strong>Semgrep + OWASP ZAP</strong> provides an excellent open-source foundation that covers both SAST and DAST without licensing costs.</p> <h2 id="gitlab-ci-pipeline-integration">GitLab CI pipeline integration </h2><p>Here is a complete <code>.gitlab-ci.yml</code> example that integrates both SAST and DAST into a pipeline with proper gating:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">stages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">build</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">test</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">sast</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">deploy-staging</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">dast</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">deploy-production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">SEMGREP_RULES</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;p/owasp-top-ten p/security-audit&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ZAP_TARGET_URL</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;https://staging.example.com&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># --- SAST Stage ---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">semgrep-scan</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">sast</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">semgrep/semgrep:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">semgrep ci --config &#34;$SEMGREP_RULES&#34; --json --output semgrep-results.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> # Fail pipeline if high/critical findings exceed threshold </span></span></span><span class="line"><span class="cl"><span class="sd"> HIGH_COUNT=$(cat semgrep-results.json | jq &#39;[.results[] | select(.extra.severity == &#34;ERROR&#34;)] | length&#39;) </span></span></span><span class="line"><span class="cl"><span class="sd"> echo &#34;High severity findings: $HIGH_COUNT&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> if [ &#34;$HIGH_COUNT&#34; -gt 0 ]; then </span></span></span><span class="line"><span class="cl"><span class="sd"> echo &#34;Pipeline blocked: $HIGH_COUNT high severity findings&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> exit 1 </span></span></span><span class="line"><span class="cl"><span class="sd"> fi</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">artifacts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">semgrep-results.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allow_failure</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">bandit-scan</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">sast</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">python:3.11-slim</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">pip install bandit</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">bandit -r src/ -f json -o bandit-results.json --severity-level medium || true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> HIGH_COUNT=$(cat bandit-results.json | jq &#39;.results | map(select(.issue_severity == &#34;HIGH&#34;)) | length&#39;) </span></span></span><span class="line"><span class="cl"><span class="sd"> echo &#34;Bandit high severity findings: $HIGH_COUNT&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> if [ &#34;$HIGH_COUNT&#34; -gt 3 ]; then </span></span></span><span class="line"><span class="cl"><span class="sd"> exit 1 </span></span></span><span class="line"><span class="cl"><span class="sd"> fi</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">artifacts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">bandit-results.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">only</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">merge_requests</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">main</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># --- Deploy Staging ---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">deploy-staging</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">deploy-staging</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">echo &#34;Deploying to staging...&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./deploy.sh staging</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">staging</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="l">https://staging.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># --- DAST Stage ---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">owasp-zap-scan</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">dast</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">ghcr.io/zaproxy/zaproxy:stable</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">mkdir -p /zap/wrk</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> zap-full-scan.py \ </span></span></span><span class="line"><span class="cl"><span class="sd"> -t &#34;$ZAP_TARGET_URL&#34; \ </span></span></span><span class="line"><span class="cl"><span class="sd"> -r zap-report.html \ </span></span></span><span class="line"><span class="cl"><span class="sd"> -J zap-results.json \ </span></span></span><span class="line"><span class="cl"><span class="sd"> -l WARN \ </span></span></span><span class="line"><span class="cl"><span class="sd"> -d</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> # Parse results and enforce policy </span></span></span><span class="line"><span class="cl"><span class="sd"> HIGH_ALERTS=$(cat zap-results.json | jq &#39;[.site[].alerts[] | select(.riskcode == &#34;3&#34;)] | length&#39;) </span></span></span><span class="line"><span class="cl"><span class="sd"> echo &#34;High risk alerts: $HIGH_ALERTS&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> if [ &#34;$HIGH_ALERTS&#34; -gt 0 ]; then </span></span></span><span class="line"><span class="cl"><span class="sd"> echo &#34;Pipeline blocked: $HIGH_ALERTS high risk vulnerabilities found&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> exit 1 </span></span></span><span class="line"><span class="cl"><span class="sd"> fi</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">artifacts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">zap-report.html</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">zap-results.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dependencies</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">deploy-staging</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># --- Deploy Production ---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">deploy-production</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">deploy-production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">echo &#34;Deploying to production...&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./deploy.sh production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l">manual</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">only</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">main</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The key design decisions in this pipeline:</p> <ul> <li><strong>SAST runs on every merge request</strong>, catching issues before code merges</li> <li><strong>DAST runs against staging</strong>, testing the deployed application</li> <li><strong>Thresholds are configurable</strong>: zero tolerance for high/critical SAST findings, but some flexibility for lower severities</li> <li><strong>Reports are always saved as artifacts</strong>, even when the pipeline passes</li> <li><strong>Production deploy is manual</strong>, gated behind both SAST and DAST stages</li> </ul> <h2 id="handling-false-positives">Handling False Positives </h2><p>False positives are the number one reason teams abandon security scanning. Handle them systematically:</p> <h3 id="for-semgrep">For Semgrep </h3><p>Create a <code>.semgrepignore</code> file or use inline annotations:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="c1"># nosemgrep: python.lang.security.audit.hardcoded-password</span> </span></span><span class="line"><span class="cl"><span class="n">DEFAULT_TEST_PASSWORD</span> <span class="o">=</span> <span class="s2">&#34;test123&#34;</span> <span class="c1"># Only used in test fixtures</span> </span></span></code></pre></td></tr></table> </div> </div><p>For persistent false positives, create a <code>semgrep-exclusions.yml</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">id</span><span class="p">:</span><span class="w"> </span><span class="l">ignore-test-passwords</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span><span class="l">$X = &#34;...&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">tests/</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">fixtures/</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="for-owasp-zap">For OWASP ZAP </h3><p>Use a context file to exclude known false positives:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-xml" data-lang="xml"><span class="line"><span class="cl"><span class="nt">&lt;alertFilter&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;ruleId&gt;</span>10038<span class="nt">&lt;/ruleId&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;url&gt;</span>https://staging.example.com/api/health<span class="nt">&lt;/url&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;urlIsRegex&gt;</span>false<span class="nt">&lt;/urlIsRegex&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;enabled&gt;</span>true<span class="nt">&lt;/enabled&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;newRisk&gt;</span>-1<span class="nt">&lt;/newRisk&gt;</span> <span class="c">&lt;!-- -1 = False Positive --&gt;</span> </span></span><span class="line"><span class="cl"><span class="nt">&lt;/alertFilter&gt;</span> </span></span></code></pre></td></tr></table> </div> </div><p>The golden rule: <strong>every suppression must include a justification comment</strong> explaining why it is safe to ignore. Review suppressions quarterly.</p> <h2 id="threshold-and-gate-policies">Threshold and Gate Policies </h2><p>Define clear policies per environment and severity:</p> <table> <thead> <tr> <th>Severity</th> <th>PR/MR Gate</th> <th>Main Branch Gate</th> <th>Pre-Production</th> </tr> </thead> <tbody> <tr> <td>Critical</td> <td>Block</td> <td>Block</td> <td>Block</td> </tr> <tr> <td>High</td> <td>Block</td> <td>Block</td> <td>Warn</td> </tr> <tr> <td>Medium</td> <td>Warn</td> <td>Warn</td> <td>Info</td> </tr> <tr> <td>Low</td> <td>Info</td> <td>Info</td> <td>Info</td> </tr> </tbody> </table> <p>Implement these as exit codes in your CI scripts. Start permissive and tighten over time &ndash; blocking on everything from day one will create frustration and workarounds.</p> <h2 id="reporting-and-dashboards">Reporting and Dashboards </h2><p>Aggregate results from both SAST and DAST into a centralized view:</p> <ul> <li><strong>DefectDojo</strong>: open-source vulnerability management platform that ingests reports from Semgrep, ZAP, Bandit, and dozens of other tools</li> <li><strong>GitLab Security Dashboard</strong>: native integration if you are on GitLab Ultimate</li> <li><strong>Custom dashboards</strong>: push scan results to Elasticsearch and visualize in Grafana</li> </ul> <p>Track these metrics over time:</p> <ul> <li>Mean time to remediate (MTTR) per severity</li> <li>Total open vulnerabilities by age</li> <li>False positive rate (suppressions vs total findings)</li> <li>Scan coverage (percentage of repos with security scanning enabled)</li> </ul> <h2 id="iast-as-a-complement">IAST as a Complement </h2><p><strong>IAST (Interactive Application Security Testing)</strong> combines elements of both SAST and DAST by instrumenting the application at runtime. An agent runs inside the application during testing, correlating HTTP requests with code execution paths.</p> <p>IAST tools like Contrast Security and Datadog Application Security provide:</p> <ul> <li>Lower false positive rates than SAST</li> <li>Code-level context that DAST lacks</li> <li>Real-time feedback during QA testing</li> </ul> <p>Consider IAST as a third layer once SAST and DAST are mature in your pipeline.</p> <h2 id="practical-rollout-strategy">Practical Rollout Strategy </h2><p>Deploying security scanning organization-wide requires phases:</p> <h3 id="phase-1-visibility-weeks-1-4">Phase 1: Visibility (Weeks 1-4) </h3><ul> <li>Enable SAST in CI with <code>allow_failure: true</code> (don&rsquo;t block)</li> <li>Generate reports, keep as artifacts</li> <li>Find top vulnerability categories</li> <li>Establish baseline metrics</li> </ul> <h3 id="phase-2-selective-gating-weeks-5-8">Phase 2: Selective Gating (Weeks 5-8) </h3><ul> <li>Block only critical/high SAST findings</li> <li>Add DAST scans to staging for key apps</li> <li>Create suppression and triage workflows</li> <li>Train developers how to interpret and fix findings</li> </ul> <h3 id="phase-3-full-integration-weeks-9-12">Phase 3: Full Integration (Weeks 9-12) </h3><ul> <li>Enforce SAST gates everywhere</li> <li>Enforce DAST gates on all web apps</li> <li>Integrate with vulnerability management platform</li> <li>Auto-create tickets for findings</li> </ul> <h3 id="phase-4-continuous-improvement-ongoing">Phase 4: Continuous Improvement (Ongoing) </h3><ul> <li>Write custom Semgrep rules for your patterns</li> <li>Tune ZAP policies to reduce scan time</li> <li>Track MTTR, set improvement targets</li> <li>Quarterly reviews of false positives</li> </ul> <p>Biggest mistake: jumping straight to Phase 3. Start with visibility, build trust, tighten gradually. Scanning should help, not block.</p>