Vulnerability Scanning — SAST

Control ID: SDLC-CTRL-0020 | Type: Preventive

Summary

Static Application Security Testing (SAST) analyses application source code to identify security vulnerabilities, coding flaws, and insecure patterns before software is deployed.

Mitigates Risk

Description

Static Application Security Testing (SAST) examines an application’s source code without executing the program. By analysing code paths, data flows, and control flows, SAST tools detect categories of vulnerability such as injection flaws, insecure cryptographic usage, and other coding errors. Because SAST operates on the code itself, it can identify issues very early in the development lifecycle — often at the point a developer opens a pull request — making remediation faster and cheaper than finding defects in later stages.

Embedding SAST into the CI/CD pipeline provides continuous assurance that code meets secure coding standards and supports audit evidence of proactive security testing.

Requirements

  • SAST MUST be performed against application source code as part of the CI/CD pipeline
  • SAST MUST be automated — manual-only code analysis is not sufficient as a primary control
  • Findings MUST be classified by severity and tracked to resolution
  • SAST scan results MUST be recorded as attestations linked to the artefact
  • SAST MUST cover all languages and frameworks in active use

How we implement this control

  • We use Snyk Code to perform static analysis on our source code in CI/CD pipelines
  • SAST scan results are recorded as attestations in our Kosli Flows
  • We enforce that no artefact with a missing or failed SAST scan runs in production
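As an added illustration of the gate described above (example code, not Kosli's or Snyk's own), the following assumes a SARIF 2.1.0 report of the kind `snyk code test --sarif` emits, classifies its findings by severity, treats a missing report as a failed gate, and binds the verdict to the artefact's SHA-256 digest. The sample report and the shape of the attestation record are constructed for this example and are not the Kosli attestation format.

```python
import hashlib
import json
from collections import Counter
from typing import Optional

# Constructed SARIF 2.1.0 fragment standing in for a real Snyk Code report.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "results": [
            {"ruleId": "python/Sqli", "level": "error",
             "message": {"text": "Unsanitised input flows into an SQL query"}},
            {"ruleId": "python/HardcodedSecret", "level": "warning",
             "message": {"text": "Hardcoded credential"}},
            {"ruleId": "python/DebugEnabled", "level": "note",
             "message": {"text": "Debug mode left enabled"}},
        ],
    }],
})

# SARIF result levels mapped to the severity classes the control tracks.
SEVERITY = {"error": "high", "warning": "medium", "note": "low"}
# Severities that fail the gate; an assumed policy, not a Kosli or Snyk default.
BLOCKING = {"high"}


def classify(sarif_text: str) -> Counter:
    """Count findings per severity class; unknown levels default to medium."""
    counts = Counter()
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            counts[SEVERITY.get(result.get("level"), "medium")] += 1
    return counts


def attest(artefact_bytes: bytes, sarif_text: Optional[str]) -> dict:
    """Build a (hypothetical-format) attestation bound to the artefact digest.

    A missing report is a failed gate: every artefact must carry a SAST
    attestation, so absence must not pass silently."""
    digest = hashlib.sha256(artefact_bytes).hexdigest()
    if sarif_text is None:
        return {"artefact_sha256": digest, "scan_present": False,
                "findings": {}, "compliant": False}
    counts = classify(sarif_text)
    compliant = not any(counts[s] for s in BLOCKING)
    return {"artefact_sha256": digest, "scan_present": True,
            "findings": dict(counts), "compliant": compliant}
```

In a pipeline the resulting record would be what gets attached to the artefact, and the deployment step would refuse any artefact whose record is absent or has `compliant` set to false.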

Compliance Frameworks

NIST SP 800-53 Rev. 5
  • RA-5 — Vulnerability monitoring and scanning — SAST is a primary method for identifying vulnerabilities in application source code.
  • SA-11 — Developer testing and evaluation — requires security testing as part of the development process.
  • SA-15 — Development process, standards, and tools — mandates use of security analysis tools in the development pipeline.
  • SI-2 — Flaw remediation — findings from SAST scans must be triaged and remediated.
  • SI-7 — Software, firmware, and information integrity — SAST detects coding flaws that could compromise software integrity.
SOC 2 Type II
  • CC7.1 — Requires detection of vulnerabilities in system components; SAST identifies security flaws in source code before deployment.
  • CC8.1 — Requires changes to be tested; SAST is a required gate in the change management pipeline to prevent vulnerable code from reaching production.

© Kosli 2026, all rights reserved