Skip to main content

SAST and DAST Pipeline Integration

How to combine static and dynamic analysis in automated pipelines with sensible quality gates and developer workflows.


SAST and DAST Pipeline Integration

When to use each

TechniqueWhen it runsBest for
SASTOn every PR / buildCode flaws, injection patterns, misconfig in source
DASTPost-deploy to stagingRuntime behavior, auth flows, exposed endpoints
IaC scanTerraform/K8s PRsCloud misconfiguration before apply

SAST integration pattern

# Example GitHub Actions stage security-sast: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Run SonarQube scan run: sonar-scanner -Dsonar.projectKey=my-service - name: Fail on quality gate run: ./scripts/check-sonar-gate.sh

Quality gate recommendations

  • Block merge on: SQL injection, hardcoded secrets, critical CVEs in direct dependencies
  • Warn only on: code smells, duplication spikes, medium-severity style issues

DAST integration pattern

Run DAST against a disposable staging environment with test credentials:

  1. Deploy candidate build to staging
  2. Run authenticated crawl with OWASP ZAP or Burp automation
  3. Export SARIF to defect tracker
  4. Compare delta vs baseline (avoid alert fatigue)

Reducing false positives

  1. Maintain an accepted-risk register with expiry dates
  2. Tune rules per service (API vs batch vs frontend)
  3. Correlate SAST + dependency + runtime signals before paging on-call

Research note

Teams that run SAST on every PR and DAST on release candidates report 40–60% fewer emergency production patches for OWASP Top 10 classes when findings are routed to the same backlog as functional bugs.