Static Application Security Testing (SAST)
Maturity Model Level 2
Last updated
SAST tools analyse the data and control flow of an application. They require manual analysis as they'll find many false positives. SAST tools won't find runtime bugs. SAST should be run on
source code
configuration (linting)
infrastructure as code (linting)
docker containers
A good summary of tools is available here: and here
Bandit is a tool designed to find common security issues in Python code. To do this, Bandit processes each file, builds an AST, and runs the appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report. The project is available at .
Again enter the root folder of our vulnerable app and do
pip3 install bandit
Execute the scan with
bandit -r . -f json > bandit-output.json
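To make the AST approach described above concrete, here is a small added example (not Bandit's own code) that parses a constructed Python snippet into an AST and walks its nodes with three checks: a call to eval()/exec(), a subprocess call with shell=True, and a string literal assigned to a credential-looking name. The test ids X001-X003 and the sample source are invented for the example.

```python
"""Added example, not Bandit's code: a minimal AST-based SAST checker."""
import ast
from dataclasses import dataclass
from typing import List

# Constructed sample source; each check should fire exactly once.
SAMPLE_SOURCE = '''
import subprocess
PASSWORD = "hunter2"                 # hardcoded credential (line 3)
def run(cmd):
    subprocess.call(cmd, shell=True)  # shell=True (line 5)
def compute(expr):
    return eval(expr)                # eval() (line 7)
def safe(cmd):
    subprocess.call(["ls", cmd])     # argv list, no shell: not flagged
'''


@dataclass
class Finding:
    test_id: str   # hypothetical ids X001..X003, not Bandit's B-codes
    line: int
    message: str


class Checker(ast.NodeVisitor):
    """Visits AST nodes and records findings, Bandit-plugin style."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        # eval()/exec() called by bare name
        if isinstance(node.func, ast.Name) and node.func.id in ("eval", "exec"):
            self.findings.append(Finding("X001", node.lineno, f"use of {node.func.id}()"))
        # subprocess.<anything>(..., shell=True)
        if (isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "subprocess"):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(
                        Finding("X002", node.lineno, "subprocess call with shell=True"))
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # string literal assigned to a name that looks like a credential
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        k in target.id.lower() for k in ("password", "passwd", "secret", "token")):
                    self.findings.append(
                        Finding("X003", node.lineno, f"hardcoded credential in {target.id}"))
        self.generic_visit(node)


def scan_source(source: str) -> List[Finding]:
    """Parse the source into an AST, run the checks, return findings by line."""
    checker = Checker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"{f.test_id} line {f.line}: {f.message}")
```

Because the checks match on node types and keyword arguments rather than on text, the argv-list call in safe() is not reported while the shell=True call is, which is exactly the kind of distinction a regex over source text gets wrong.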
You need Ruby on your host machine. Update your system and install Ruby with the following command.
apt update && apt install ruby-full -y
Install brakeman
gem install brakeman
Run the scanner and output the results into a json file
brakeman -f json | tee result.json
You can add an ignore file to the scan by creating a file with the extension .ignore
nano brakeman.ignore
Example content:
Run the scan with the ignore file:
brakeman -f json -i brakeman.ignore | tee result.json
Secret scanners analyse the code in search of credentials. Types of secret scanners are
entropy based: look for random-looking data, i.e. strings that lack predictability.
-- catches unknown issues
-- no custom rules
-- needs to be random
-- not always possible
regex based: look for known secrets patterns in code.
-- lots of false positives
-- one can do custom regex
-- catches known issues
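The two strategies side by side, as an added example that is not truffleHog's code: a Shannon entropy scan over long tokens and a regex scan for two known key formats, run over constructed sample lines (no real credentials). The entropy threshold, the token pattern and the two regexes are assumptions chosen for the example.

```python
"""Added example, not truffleHog's code: entropy-based vs regex-based secret scanning."""
import math
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample lines standing in for a source file; all values are fake.
SAMPLE_LINES = [
    'AWS_KEY = "AKIAEXAMPLEEXAMPLE12"',                    # known format: regex hit, low entropy
    'token = "xk9Qz2LmP7vW4tR8nB3cY6fH1jD5gS0a"',          # unknown format: entropy hit only
    "ghp_" + "x" * 36,                                     # known format but repetitive: regex only
    'password = "hunter2"',                                # too short for either method
    'img = "' + "A" * 44 + '"',                            # long but zero entropy: not flagged
    'sha = "3f5e9c1d7a2b4e6f8c0a1b2d3e4f5a6b7c8d9e0f"',   # git hash: entropy hit to triage
]

# Regex rules for known secret shapes (assumed patterns, trimmed for the example).
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Candidate tokens for the entropy check: 20+ chars from a base64/url-safe alphabet.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed for the example


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def regex_scan(lines: List[str]) -> List[Tuple[int, str]]:
    """(line number, rule name) for every known pattern found."""
    return [(i, name)
            for i, line in enumerate(lines, 1)
            for name, pat in PATTERNS.items()
            if pat.search(line)]


def entropy_scan(lines: List[str], threshold: float = ENTROPY_THRESHOLD
                 ) -> List[Tuple[int, str, float]]:
    """(line number, token, entropy) for every long token above the threshold."""
    hits = []
    for i, line in enumerate(lines, 1):
        for tok in TOKEN_RE.findall(line):
            h = shannon_entropy(tok)
            if h >= threshold:
                hits.append((i, tok, round(h, 2)))
    return hits


if __name__ == "__main__":
    print("regex:", regex_scan(SAMPLE_LINES))
    print("entropy:", entropy_scan(SAMPLE_LINES))
```

The output illustrates the trade-offs listed above: the regex pass finds the AWS-style and GitHub-style strings regardless of how random they look but misses the unknown token format, while the entropy pass catches that unknown token, misses the repetitive GitHub-style value and the short password, and additionally flags the git hash, a hit that still needs manual triage.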
Again you execute the command within the root folder of your python web app.
pip3 install trufflehog
trufflehog --json . > secret.json
Test the tool on a golang repo
Install Go on your machine
You should also set the following environment variables
Install Gosec
Run your first scan with
You can ignore findings with
Run the scanner
Pylint is a tool that runs code quality scans on Python code.
Install it with pip
Run the scanner on .py files in your project folder called myPythonApp
You can output results as json to a file like this
Reduce false positives
The --generate-rcfile option generates a commented configuration file on standard output according to the current configuration and exits. Store the content in .pylintrc, which is also your ignore file.
Semgrep is an open-source static analysis tool. Its rules are easy to understand.
Install it with pip3 install semgrep
The tool has four categories of parameters:
positional arguments: the file or directory to scan
optional arguments: many options, such as including or excluding files and directories from the scan
config: the configuration used to scan the code
output: the result output
truffleHog is a tool that searches through git repositories for secrets, digging deep into commit history and branches. It is useful for finding secrets accidentally committed to a repo. You can find more details about the project at .
GoSec runs static analysis scans on Go code. The project is located at
If you don't have Go on your machine, install it by following the instructions at
A tool that runs static analysis scans on Node.js code. Download and install it from the project at or install it directly using the Python installer