Skip to main content
    DevOps
    Way of Working
    1. Home
    3. Capabilities
    5. Code Sast Advanced

    Advanced SAST Integration

    Acceleration
    Phase: code
    CFR
    LT

    Quick Reference

    Phase
    code
    Epic
    Secure Code & Advanced Review
    Milestone
    Acceleration
    Target
    100% PRs scanned, MEDIUM+ blocks
    Implementation Time
    Part of Secure Code & Advanced Review epic: 4 weeks (30 hours per capability avg)

    What & Why

    Definition

    100% of PRs scanned with SAST (Semgrep, SonarQube) blocking >= MEDIUM issues, custom rules for org-specific patterns.

    Business Value

    Detects security vulnerabilities 10x earlier (development vs production) and reduces critical security findings by 80% through shift-left security scanning Achieving 100% PRs scanned, MEDIUM+ blocks is a key milestone toward this goal.

    Context

    This capability is part of the Acceleration milestone's focus on scale automation, embed compliance, improve speed & reliability. Essential for teams targeting CFR, LT improvements.

    Success Criteria

    Target

    100% PRs scanned, MEDIUM+ blocks

    Measurement

    SAST scan execution rate + block rate

    Evidence

    • SAST config with custom rules
    • Scan result dashboards
    • False positive tracking

    In Practice

    Real-World Implementation

    Teams run Semgrep with org-custom rules: detect hardcoded secrets, insecure deserialization, SQL injection. MEDIUM+ findings block merge.

    Concrete Example

    PR #567 SAST scan: Found MEDIUM issue: 'Use of eval() detected'. PR blocked. Developer refactors using JSON.parse(). Rescan passes.

    Implementation Guide

    Prerequisites

    Automated Security Scanning
    100% builds scanned, HIGH+ blocks merge

    Implementation Steps

    Follow the measurement approach: SAST scan execution rate + block rate

    For detailed step-by-step guidance, refer to the Secure Code & Advanced Review Implementation Kit.

    Resources

    Implementation Kit

    Secure Code & Advanced Review Kit

    Templates

    Browse all templates

    Related Resources

    View learning paths

    Related Capabilities

    Prerequisites

    Implement these first

    Automated Security Scanning

    Enables

    What this unlocks

    LLM-Powered Security Analysis

    Complementary

    Often adopted together, from the Secure Code & Advanced Review epic

    Secure Coding Training Enforcement
    Dependency Security Policy
    Secrets Rotation Enforcement
    Supply Chain Verification

    Troubleshooting & FAQs

    Common Issues

    Issue: Target metric not improving

    Solution: Verify measurement is accurate, check if prerequisites are fully implemented, review evidence artifacts for completeness

    Issue: Team resistance to adoption

    Solution: Start with pilot team, demonstrate value with metrics, provide training and support during transition

    Issue: Inconsistent implementation across teams

    Solution: Create shared templates and guidelines, establish regular sync meetings, use automation to enforce standards

    Frequently Asked Questions

    Can we implement this before completing prerequisites?

    While possible, it's not recommended. Prerequisites ensure foundational practices are in place, making this capability more effective and easier to adopt.

    How long does implementation typically take?

    Most capabilities can be implemented within 90 days when tackled as part of the Acceleration milestone. Individual timelines vary based on team size and existing practices.

    DevOps
    Way of Working

    DevOps practices for the entire delivery lifecycle

    © 2019-2026 devopswow.com. Created by Burhan Öcüt

    PartnersAboutPrivacyTermsCookies