SAST (Static Application Security Testing) Setup for Website

Our company is engaged in the development, support and maintenance of sites of any complexity. From simple one-page sites to large-scale cluster systems built on micro services. Experience of developers is confirmed by certificates from vendors.

8+Years of workmore info 900+Completed projectsmore info 100+In house employeesmore info 19+Partnersmore info

Development and maintenance of all types of websites:

Informational websites or web applications

Business card websites, landing pages, corporate websites, online catalogs, quizzes, promo websites, blogs, news resources, informational portals, forums, aggregators

E-commerce websites or web applications

Online stores, B2B portals, marketplaces, online exchanges, cashback websites, exchanges, dropshipping platforms, product parsers

Business process management web applications

CRM systems, ERP systems, corporate portals, production management systems, information parsers

Electronic service websites or web applications

Classified ads platforms, online schools, online cinemas, website builders, portals for electronic services, video hosting platforms, thematic portals

These are just some of the technical types of websites we work with, and each of them can have its own specific features and functionality, as well as be customized to meet the specific needs and goals of the client.

Offered services

Showing 1 of 1 servicesAll 2065 services

SAST (Static Application Security Testing) Setup for Website

Medium

from 1 business day to 3 business days

FAQ

Our competencies:

Free consultation

Book a free consultation if you have any questions. A dedicated specialist will advise you.

Cost calculation

If you know what exactly you need to develop, or you already have a ready-made technical task.

Development stages

Latest works

Development of a web application for FEEDME
1161
Development of an online store for the company FURNORO
1041
Development of a web application for Enviok
822
CRM development for Chasseurs
847
Website development for SBH Partners
999
Website development for Red Pear
451

Show more works

SAST: Static Application Security Testing

SAST (Static Application Security Testing) analyzes source code without execution — finds vulnerabilities at development stage. SQL injection, XSS, hardcoded secrets, unsafe functions — before reaching production.

SAST Tools

Semgrep — fast, rules for 30+ languages, can write custom rules:

# Installation
pip install semgrep

# Scan with security audit rules
semgrep scan --config=p/security-audit \
             --config=p/owasp-top-ten \
             --config=p/typescript \
             --json > semgrep-results.json

# Custom rule: find direct SQL concatenation
cat > rules/sql-injection.yml << 'EOF'
rules:
  - id: raw-sql-concatenation
    patterns:
      - pattern: |
          "SELECT ... " + $VAR
      - pattern: |
          `SELECT ... ${$VAR}`
    message: "Potential SQL injection: use parameterized queries"
    severity: ERROR
    languages: [typescript, javascript]
EOF

semgrep scan --config=rules/sql-injection.yml src/

GitHub Advanced Security (CodeQL):

# .github/workflows/codeql.yml
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 0 * * 1'  # Weekly

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      actions: read

    strategy:
      matrix:
        language: [javascript-typescript]

    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-and-quality

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Analyze
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"

Secret Scanning

# Gitleaks: find secrets in code and git history
docker run --rm -v $(pwd):/path \
  zricethezav/gitleaks:latest detect \
  --source /path \
  --report-format json \
  --report-path /path/gitleaks-report.json

# truffleHog: analyze git history
trufflehog git file://. --json > secrets-report.json

# GitHub Actions: pre-commit hook for secrets
- name: Check for secrets
  uses: gitleaks/gitleaks-action@v2
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

ESLint Security Plugins

npm install --save-dev eslint-plugin-security \
                       eslint-plugin-no-unsanitized \
                       @microsoft/eslint-plugin-sdl

// .eslintrc.json
{
  "plugins": ["security", "no-unsanitized", "@microsoft/sdl"],
  "extends": [
    "plugin:security/recommended",
    "plugin:@microsoft/sdl/required"
  ],
  "rules": {
    "security/detect-object-injection": "error",
    "security/detect-non-literal-regexp": "warn",
    "security/detect-possible-timing-attacks": "error",
    "no-unsanitized/method": "error",
    "no-unsanitized/property": "error"
  }
}

CI/CD Integration

# .github/workflows/sast.yml
name: SAST

on: [push, pull_request]

jobs:
  semgrep:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: returntocorp/semgrep-action@v1
        with:
          config: >-
            p/security-audit
            p/owasp-top-ten
            p/typescript
          auditOn: push
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

  secrets-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

SAST Rule: don't block PRs on every warning — only on HIGH and CRITICAL. Everything else goes to security debt backlog.

Setting up Semgrep + CodeQL + Gitleaks in CI/CD — 1–2 business days.