
How to Integrate SAST and DAST into CI/CD Pipelines for Compliance — Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-6-3

Practical guidance to integrate SAST and DAST into CI/CD pipelines to meet Compliance Framework Control 1-6-3, with runnable examples, pipeline snippets, and compliance evidence practices.

April 04, 2026
4 min read



Integrating SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) into your CI/CD pipelines is a practical way to satisfy ECC-2:2024 Control 1-6-3: it ensures that code-level and runtime vulnerabilities are detected, tracked, and remediated as part of the normal development workflow rather than after release, and it produces the scan artifacts an assessor will ask to see.

Understand the requirement and how SAST and DAST complement each other

SAST analyzes source code, bytecode, or compiled artifacts to find insecure coding patterns (SQL injection, hardcoded secrets, insecure deserialization) early in development; DAST exercises a running application to find flaws that only show up at runtime (authentication bypass, missing security headers, reflected XSS, business-logic errors). The two are complementary: SAST cannot see how the deployed system is configured, and DAST cannot see code paths it never reaches. Control 1-6-3 expects evidence that both kinds of testing run automatically and that results feed a triage and remediation process, so you must both run the scans and retain the artifacts, dashboards, and tickets that prove remediation happened.

Practical integration steps for CI/CD

Start by adding SAST to pull-request and merge pipelines and DAST to pre-production/staging deployment pipelines. A typical implementation path: (1) run a lightweight SAST on PRs (fast checks like Semgrep rules or SonarCloud incremental scan); (2) block merges for flagged high/critical SAST findings or require a documented exemption; (3) deploy the merge to an isolated staging environment automatically; (4) run authenticated DAST (OWASP ZAP, Burp Enterprise, or open-source scanners) against staging; (5) collect reports, auto-create issues for high/critical items, and publish artifacts so an auditor can verify scans ran.

Example GitHub Actions snippet (Semgrep + OWASP ZAP)

Below is a compact example showing SAST during PR checks and DAST after deploy. Store reports as artifacts for compliance evidence.

name: CI

on:
  pull_request:
  push:
    branches: [ main ]

permissions:
  contents: read               # least privilege for the default GITHUB_TOKEN

jobs:
  sast:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep   # official Semgrep CLI image (replaces the retired semgrep-action)
    steps:
      - uses: actions/checkout@v4
      - name: Run Semgrep
        # p/ci is a curated, low-noise rule set; --error makes the step fail
        # when findings are present so the PR check turns red.
        run: |
          mkdir -p results
          semgrep scan --config p/ci --json --output results/semgrep.json --error

      - name: Upload SAST report
        if: always()             # keep the evidence even when the gate fails
        uses: actions/upload-artifact@v4
        with:
          name: semgrep-report
          path: results/semgrep.json

  deploy-and-dast:
    needs: sast
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4
      - name: Deploy to staging
        run: ./scripts/deploy-staging.sh
        env:
          DEPLOY_TOKEN: ${{ secrets.STAGING_DEPLOY_TOKEN }}   # example secret name; injected, never echoed
      - name: Run ZAP baseline scan
        # The zap user inside the container (uid 1000) must be able to write the
        # mounted work directory, so the reports land in ./zap on the runner.
        # -I keeps WARN-level alerts from failing the step; gating is done in triage.
        run: |
          mkdir -p zap && chmod 777 zap
          docker run --rm -v "$(pwd)/zap:/zap/wrk/:rw" ghcr.io/zaproxy/zaproxy:stable \
            zap-baseline.py -t https://staging.example.com -I \
            -r zap-report.html -J zap-report.json
      - name: Upload DAST report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: zap-report
          path: zap/

Tuning, thresholds, and gating policies

Scanners run with default rule sets generate many false positives, and a gate that fails on every one of them creates the developer friction that gets security checks disabled. Write down a baseline policy instead: treat "critical" and "high" SAST findings as blocking by default, but let triage mark a finding as a confirmed false positive or grant a short-lived, approved, logged exception so unconfirmed noise does not stall merges. Put "medium" findings in a remediation backlog with an SLA (for example, remediate within 30 days) and report on SLA breaches. For DAST, require authenticated scans wherever the application has authenticated functionality, and fail the pipeline only on confirmed critical runtime issues, since baseline scanners flag many informational items. The exception process itself (who can approve, maximum duration, where it is recorded) is what an auditor will examine, so document it and keep the record machine-readable.
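The gating policy above as a small CI script. This is an added example, not code from the original article: it reads the results array that Semgrep writes with --json (check_id, path, start.line, extra.severity), blocks on ERROR findings unless an approved and unexpired exception matches the rule and file, and assigns a 30-day due date to WARNING findings. The exception register format (a JSON list with rule, path, ticket, approved_by, granted, expires), the 90-day maximum exception length and the sample findings are this script's own assumptions.

```python
"""Merge gate over Semgrep JSON output with a short-lived exception register.

Added example, not the article's or Semgrep's code. Reads the `results`
array emitted by `semgrep scan --json`; the exception register layout and
the sample data below are this script's own conventions (assumptions).
"""
import json
import sys
from datetime import date, timedelta

BACKLOG_SLA_DAYS = 30      # medium findings: remediate within 30 days
MAX_EXCEPTION_DAYS = 90    # exceptions must be short-lived to pass audit


def load_exceptions(raw_json, today):
    """Return {(rule, path): entry} for approved, unexpired, short exceptions.

    Anything else is dropped, so a lapsed or unapproved exception makes the
    finding blocking again instead of hiding it.
    """
    valid = {}
    for e in json.loads(raw_json):
        granted = date.fromisoformat(e["granted"])
        expires = date.fromisoformat(e["expires"])
        short_enough = (expires - granted).days <= MAX_EXCEPTION_DAYS
        if e.get("approved_by") and today <= expires and short_enough:
            valid[(e["rule"], e["path"])] = e
    return valid


def evaluate(semgrep_json, exceptions_json, today):
    """Sort findings into blocking / excepted / backlog buckets; INFO is ignored."""
    doc = json.loads(semgrep_json)
    exceptions = load_exceptions(exceptions_json, today)
    decision = {"blocking": [], "excepted": [], "backlog": []}
    for r in doc["results"]:
        sev = r["extra"]["severity"]
        key = (r["check_id"], r["path"])   # rule + file survives line shifts
        item = {"rule": key[0], "path": key[1],
                "line": r["start"]["line"], "severity": sev}
        if sev == "ERROR":                 # Semgrep's high/critical tier
            if key in exceptions:
                item["ticket"] = exceptions[key]["ticket"]  # kept for the audit trail
                decision["excepted"].append(item)
            else:
                decision["blocking"].append(item)
        elif sev == "WARNING":
            item["due"] = (today + timedelta(days=BACKLOG_SLA_DAYS)).isoformat()
            decision["backlog"].append(item)
    return decision


def exit_code(decision):
    """Non-zero fails the CI step; the report artifact is uploaded regardless."""
    return 1 if decision["blocking"] else 0


# Constructed sample data standing in for results/semgrep.json and the
# exceptions file; real runs read the two files named on the command line.
SAMPLE_RESULTS = json.dumps({"results": [
    {"check_id": "python.lang.security.audit.sqli.string-format",
     "path": "app/db.py", "start": {"line": 42},
     "extra": {"severity": "ERROR", "message": "SQL built with str.format"}},
    {"check_id": "python.lang.security.audit.hardcoded-secret",
     "path": "tests/fixtures.py", "start": {"line": 7},
     "extra": {"severity": "ERROR", "message": "hardcoded password"}},
    {"check_id": "python.flask.security.xss.audit.direct-use-of-jinja2",
     "path": "app/views.py", "start": {"line": 88},
     "extra": {"severity": "WARNING", "message": "possible XSS"}},
    {"check_id": "python.lang.best-practice.unused-import",
     "path": "app/views.py", "start": {"line": 1},
     "extra": {"severity": "INFO", "message": "unused import"}},
]})
SAMPLE_EXCEPTIONS = json.dumps([
    # fixture secret: approved and still valid on 2026-04-04
    {"rule": "python.lang.security.audit.hardcoded-secret", "path": "tests/fixtures.py",
     "ticket": "SEC-118", "approved_by": "appsec-lead",
     "granted": "2026-03-20", "expires": "2026-04-30"},
    # lapsed SQLi exception: must not suppress the finding any more
    {"rule": "python.lang.security.audit.sqli.string-format", "path": "app/db.py",
     "ticket": "SEC-090", "approved_by": "appsec-lead",
     "granted": "2025-12-01", "expires": "2026-01-31"},
])


def run_sample(today_iso, results_json=SAMPLE_RESULTS, exceptions_json=SAMPLE_EXCEPTIONS):
    return evaluate(results_json, exceptions_json, date.fromisoformat(today_iso))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            result = evaluate(f.read(), g.read(), date.today())
    else:
        result = run_sample(date.today().isoformat())
    print(json.dumps(result, indent=2))
    sys.exit(exit_code(result))
```

Run it as `python gate.py results/semgrep.json .semgrep-exceptions.json` after the Semgrep step; the printed decision is itself worth uploading as an artifact, because it records which exception ticket suppressed which finding on which date.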

Authenticated DAST, staging environments, and data handling

DAST must run against an environment that mirrors production behavior (real authentication flows, third-party integrations either available or mocked) but must never contain production data. Create test accounts with scoped permissions, rotate their credentials, and restrict egress from the staging network so a scanner cannot reach production systems through it. For small businesses, ephemeral test accounts plus an isolated VPC or Kubernetes namespace keep risk low while still allowing realistic scanning. Inject API keys or service-account credentials as pipeline secrets (GitHub Actions secrets, GitLab CI masked variables) rather than committing them, and remember that log masking only hides the exact registered value: a credential that a script base64-encodes, splits, or embeds in a URL will appear in CI output in clear.

Reporting, evidence, and mapping to Compliance Framework

Control 1-6-3 requires demonstrable evidence: store SAST/DAST reports as build artifacts, export JSON results to your vulnerability management system, and link remediation tickets with timestamps. Normalize every scanner finding into a record that carries the fields an assessor will look for: scanner name and version, scan timestamp, environment scanned, severity, a CWE, CVE, or OWASP reference where the tool provides one, and current remediation status with its ticket. Retain the artifacts for a defined period (for example, 12 months) and make them available to auditors on request. Tag tickets and artifacts automatically with the control identifier (for example, ECC-2-2024-1-6-3) so a compliance report can be produced by query rather than assembled by hand.
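One way to produce those normalized, control-tagged records from the two reports the pipeline above uploads. This is an added example, not code from the original article or from the Semgrep or ZAP projects: it reads Semgrep's JSON results (check_id, path, start.line, extra.severity, extra.metadata.cwe/owasp) and the ZAP JSON report written by zap-baseline.py -J (site[].alerts[] with alert, riskcode, cweid, instances). The record field names, the control tag, the 365-day retention and the sample findings are this script's own assumptions.

```python
"""Normalize Semgrep (SAST) and ZAP (DAST) JSON reports into evidence records
mapped to ECC-2:2024 Control 1-6-3.

Added example, not the article's or either tool's own code. Input shapes
follow what the tools emit; the record layout, tag and retention period are
this script's conventions (assumptions).
"""
import json
from datetime import date, timedelta

CONTROL_TAG = "ECC-2-2024-1-6-3"
RETENTION_DAYS = 365
SEMGREP_SEVERITY = {"ERROR": "high", "WARNING": "medium", "INFO": "low"}
ZAP_RISK = {"3": "high", "2": "medium", "1": "low", "0": "informational"}


def _record(scanner, scan_type, scanned_at, environment, location, title, severity, ref):
    """One evidence record; the field set is what an auditor asks for first."""
    return {"control": CONTROL_TAG, "scanner": scanner, "scan_type": scan_type,
            "scan_timestamp": scanned_at, "environment": environment,
            "location": location, "title": title, "severity": severity,
            "reference": ref, "remediation_status": "open", "ticket": None}


def semgrep_records(doc, scanned_at, environment):
    recs = []
    for r in doc["results"]:
        meta = r["extra"].get("metadata", {})
        refs = meta.get("cwe") or meta.get("owasp") or []
        if isinstance(refs, str):          # Semgrep rules carry a string or a list here
            refs = [refs]
        recs.append(_record("semgrep", "SAST", scanned_at, environment,
                            f'{r["path"]}:{r["start"]["line"]}', r["check_id"],
                            SEMGREP_SEVERITY.get(r["extra"]["severity"], "unknown"),
                            "; ".join(refs) or "n/a"))
    return recs


def zap_records(doc, scanned_at, environment):
    recs = []
    for site in doc["site"]:
        for a in site["alerts"]:
            uri = a["instances"][0]["uri"] if a.get("instances") else site["@name"]
            cwe = a.get("cweid", "")
            ref = f"CWE-{cwe}" if cwe not in ("", "-1") else "n/a"
            recs.append(_record("zap-baseline", "DAST", scanned_at, environment, uri,
                                a["alert"], ZAP_RISK.get(a["riskcode"], "unknown"), ref))
    return recs


def evidence_bundle(records, generated_on):
    """Wrap records with the retention date and a severity summary."""
    counts = {}
    for r in records:
        counts[r["severity"]] = counts.get(r["severity"], 0) + 1
    return {"control": CONTROL_TAG, "generated_on": generated_on.isoformat(),
            "retain_until": (generated_on + timedelta(days=RETENTION_DAYS)).isoformat(),
            "finding_counts": counts, "findings": records}


# Constructed sample reports (assumptions) in the shape the two tools produce.
SAMPLE_SEMGREP = {"results": [
    {"check_id": "python.lang.security.audit.sqli.string-format", "path": "app/db.py",
     "start": {"line": 42}, "extra": {"severity": "ERROR", "message": "SQL via str.format",
     "metadata": {"cwe": ["CWE-89: Improper Neutralization of Special Elements used in an SQL Command"],
                  "owasp": ["A03:2021 - Injection"]}}},
    {"check_id": "python.flask.security.insecure-cookie", "path": "app/session.py",
     "start": {"line": 17}, "extra": {"severity": "WARNING", "message": "cookie without Secure",
     "metadata": {"owasp": "A05:2021 - Security Misconfiguration"}}},
]}
SAMPLE_ZAP = {"@version": "2.15.0", "site": [{"@name": "https://staging.example.com", "alerts": [
    {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
     "riskcode": "2", "confidence": "3", "cweid": "693",
     "instances": [{"uri": "https://staging.example.com/", "method": "GET"}]},
    {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
     "riskcode": "3", "confidence": "2", "cweid": "79",
     "instances": [{"uri": "https://staging.example.com/search?q=test", "method": "GET", "param": "q"}]},
]}]}


def build_sample_bundle(generated_on_iso):
    scanned_at = generated_on_iso + "T10:00:00Z"
    records = (semgrep_records(SAMPLE_SEMGREP, scanned_at, "staging")
               + zap_records(SAMPLE_ZAP, scanned_at, "staging"))
    return evidence_bundle(records, date.fromisoformat(generated_on_iso))


if __name__ == "__main__":
    print(json.dumps(build_sample_bundle(date.today().isoformat()), indent=2))
```

Feed the real files in by replacing the two sample dicts with json.load of results/semgrep.json and zap/zap-report.json; the remediation_status and ticket fields are meant to be updated by the ticketing integration, not by the scan job, so that the bundle shows the state at scan time and the ticket shows the state now.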

Small business scenarios and best-practice workflows

Scenario 1: A two-developer SaaS company can start with Semgrep on PRs and Trivy for container images, then add weekly authenticated ZAP scans on staging. Automate ticket creation in GitHub Issues for high findings and require one developer and one manager approval to close. Scenario 2: A small e-commerce site uses GitLab CI and runs SAST with GitLab SAST templates, deploys to a staging namespace in Kubernetes, and runs a scheduled Burp Suite Enterprise scan for payment pages. Best practices include prioritizing risk (payments/auth flows first), setting realistic SLAs (24–72 hours for critical), and dedicating one person to weekly triage to avoid backlog growth.

Risks of not implementing SAST/DAST in CI/CD

Failing to integrate SAST and DAST into CI/CD increases exposure to exploitable vulnerabilities, pushes fixes late into the release cycle where they cost more, and leaves audit gaps under ECC-2:2024. For a small business this can mean customer data exposure, loss of trust, regulatory fines, and long remediation cycles. From a compliance perspective, missing scan artifacts or a thin remediation trail lead to non-conformance findings and may force expensive retroactive audits or compensating controls.

Summary: To comply with ECC-2:2024 Control 1-6-3, run automated SAST in pull-request pipelines and authenticated DAST against staging, tune the scanners to reduce false positives, gate on critical findings, retain scan artifacts and tickets as evidence, and operationalize SLAs and exception handling. Start small (fast PR-level SAST plus weekly DAST), automate report storage and ticket creation, and extend coverage to more environments and asset classes over time. These steps deliver both real security benefit and a defensible compliance posture.

 
