---
id: wiki-2026-0508-sast
title: SAST
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [Static Application Security Testing, static analysis, source code analysis]
duplicate_of: none
source_trust_level: A
confidence_score: 0.95
verification_status: applied
tags: [security, sast, devsecops, static-analysis, ci-cd]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: multi
  framework: semgrep-codeql-snyk
---

# SAST

## One-liner

> **"Read the source without running it."**

SAST (Static Application Security Testing) inspects source code, bytecode or binaries to detect vulnerabilities without executing the program. Dominant tools in 2026: Semgrep (rule-based, fast), CodeQL (semantic, deep), Snyk Code (DeepCode AI).

## Core

### Basic SAST mechanics

- **AST/CFG/DFG**: parse the source → AST → control-flow graph → data-flow graph.
- **Taint analysis**: trace paths from a source (user input) to a sink (SQL query).
- **Pattern matching**: detect known anti-patterns (e.g., `eval(req.body)`).
- **Symbolic execution** (heavy): path constraints handed to an SMT solver — cf. CodeQL.

### Comparison of modern tools

- **Semgrep** (2026): YAML rules, fast (CI-friendly), OSS + Pro (Semgrep Code).
- **CodeQL** (GitHub): semantic queries, deep — free for OSS under GitHub Advanced Security.
- **Snyk Code**: AI-augmented (DeepCode), fast, commercial.
- **SonarQube**: hybrid of code quality and security.

### Applications

1. PR-blocking gate (block-on-high).
2. Pre-commit (fast subset).
3. Nightly full scan + auto-created Jira issues.

## 💻 Patterns

### Semgrep custom rule (taint, TS)

```yaml
rules:
  - id: dangerous-eval-from-request
    languages: [typescript, javascript]
    severity: ERROR
    message: eval of user input (RCE risk)
    mode: taint
    pattern-sources:
      - pattern-either:
          - pattern: req.body
          - pattern: req.query
          - pattern: req.params
    pattern-sinks:
      - pattern-either:
          - pattern: eval(...)
          - pattern: new Function(...)
```

### GitHub Actions — Semgrep CI

```yaml
name: SAST
on: [pull_request]
jobs:
  semgrep:
    runs-on: ubuntu-latest
    container: returntocorp/semgrep
    steps:
      - uses: actions/checkout@v4
      # With SEMGREP_APP_TOKEN set, `semgrep ci` also pulls the org policy from the Semgrep app
      - run: semgrep ci --config=p/owasp-top-ten --config=.semgrep/
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
```

### CodeQL query — hardcoded secret

```ql
/**
 * @name Hardcoded AWS access key
 * @kind problem
 * @problem.severity error
 * @id js/hardcoded-aws-access-key
 */
import javascript

from StringLiteral s
where s.getValue().regexpMatch("AKIA[0-9A-Z]{16}")
select s, "Hardcoded AWS key detected"
```

### Pre-commit hook — fast subset

```bash
#!/usr/bin/env bash
# Scan only the staged source files; nothing relevant staged -> let the commit through
changed=$(git diff --cached --name-only --diff-filter=ACMR | grep -E '\.(ts|tsx|js|py)$')
[ -z "$changed" ] && exit 0
# --error makes semgrep exit non-zero on findings, which aborts the commit
echo "$changed" | xargs semgrep --config=p/security-audit --error
```

### SARIF upload to GitHub code scanning

```yaml
# `|| true` keeps the job alive so the SARIF is uploaded even when there are findings
- run: semgrep ci --sarif --output=semgrep.sarif || true
- uses: github/codeql-action/upload-sarif@v3
  with: { sarif_file: semgrep.sarif }
```

### Triage — suppressing a false positive

```typescript
// reason: input is already zod-validated
// nosemgrep: dangerous-eval-from-request
// (the nosemgrep comment must sit on the matched line or the line directly above it)
const result = eval(safeMath); // ok
```

## Decision criteria

| Situation | Tool |
|---|---|
| OSS project, fast feedback | Semgrep (free OSS rules) |
| GitHub repo, deep semantics | CodeQL (GHAS) |
| Polyglot enterprise | Snyk Code or SonarQube |
| Heavy custom org rules | Semgrep Pro |

**Default**: Semgrep (PR gate, p/owasp-top-ten) + CodeQL (nightly, scheduled).

## 🔗 Graph

- Parent: [[CI_CD 파이프라인 및 IDE 통합 보안|DevSecOps]] · [[Application Security]]
- Variants: [[보안_및_시스템_신뢰성_표준|DAST]] · [[IAST]] · [[SCA_Fundamentals|SCA]]
- Applications: [[보안_및_시스템_신뢰성_표준|OWASP Top 10]] · [[Secure SDLC]]
- Adjacent: [[CodeQL]] · [[Semgrep]]

## 🤖 Using LLMs

**When**: triaging findings, generating fix PRs (Copilot Autofix style), writing custom rules from natural language.

**When not**: trusting AI-only triage without human review — false positives still run at 30-50%.

## ❌ Anti-patterns

- **Block-on-everything**: blocking PRs on medium severity — devs end up disabling SAST.
- **No suppression hygiene**: `nosemgrep` spammed without reasons.
- **Tool-only**: SAST alone — without DAST/SCA you are blind to runtime and dependency issues.
- **Scan once a quarter**: the finding backlog explodes.

## 🧪 Verification / duplicates

- Verified (Semgrep Registry 2026, GitHub CodeQL docs, OWASP SAST guide).
- Confidence A.

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — modern SAST patterns for Semgrep/CodeQL |
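## 🧩 Worked example: taint propagation over an AST

The source → sink tracing listed under "Basic SAST mechanics" above, as an added worked example (not code from this page, from Semgrep or from CodeQL): a small Python taint analyzer built on the stdlib `ast` module. It parses the file, propagates taint through assignments, f-strings, `%`-formatting, subscripts and method calls on tainted receivers, stops at sanitizers, and reports every call where tainted data reaches a sink together with the variable chain it travelled. `SOURCES`, `SINKS`, `SANITIZERS` and the Flask-style `SAMPLE` handler are assumptions constructed for the demo.

```python
# Minimal intra-procedural taint analysis over a Python AST.
# Added example: not code from the wiki page, Semgrep or CodeQL. The taint
# spec below (SOURCES / SINKS / SANITIZERS) is an assumption made for the demo.
import ast
from dataclasses import dataclass

SOURCES = {"request.args", "request.form", "request.json"}   # where user input enters
SINKS = {"eval", "exec", "cursor.execute", "os.system"}       # where it must not arrive
SANITIZERS = {"int", "float", "shlex.quote"}                  # calls that neutralise it


@dataclass
class Finding:
    sink: str
    lineno: int
    trace: list  # the source, then each variable the taint flowed through


def _dotted(node):
    """Render Name/Attribute chains such as `request.args` or `cursor.execute`."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintAnalyzer(ast.NodeVisitor):
    """Propagates taint through assignments; flow-insensitive, whole file."""

    def __init__(self):
        self.tainted = {}     # variable name -> trace
        self.findings = []

    def _taint_of(self, node):
        """Return the trace if `node` carries taint, else None."""
        name = _dotted(node)
        if name is not None:
            for src in SOURCES:
                if name == src or name.startswith(src + "."):
                    return [src]
            return self.tainted.get(name)
        if isinstance(node, ast.Subscript):                  # request.form["x"]
            return self._taint_of(node.value)
        if isinstance(node, ast.Call):
            if _dotted(node.func) in SANITIZERS:             # sanitizer cuts the flow
                return None
            t = next((t for t in map(self._taint_of, node.args) if t), None)
            if t or not isinstance(node.func, ast.Attribute):
                return t                                     # taint passes through args
            return self._taint_of(node.func.value)           # tainted receiver: x.strip()
        if isinstance(node, ast.JoinedStr):                  # f-string pieces
            parts = [v.value for v in node.values if isinstance(v, ast.FormattedValue)]
            return next((t for t in map(self._taint_of, parts) if t), None)
        if isinstance(node, ast.BinOp):                      # "..." % x, a + b
            return self._taint_of(node.left) or self._taint_of(node.right)
        return None

    def visit_Assign(self, node):
        t = self._taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if t:
                    self.tainted[target.id] = t + [target.id]
                else:
                    self.tainted.pop(target.id, None)        # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        callee = _dotted(node.func)
        if callee in SINKS:
            for arg in node.args:
                t = self._taint_of(arg)
                if t:
                    self.findings.append(Finding(callee, node.lineno, t))
                    break
        self.generic_visit(node)


def analyze(source):
    """Parse `source` and return the list of source->sink Findings."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed sample handler (assumption: a Flask-style `request` object)
SAMPLE = '''
def search(request, cursor):
    q = request.args.get("q")
    query = f"SELECT * FROM items WHERE name = '{q}'"
    cursor.execute(query)              # tainted: request.args -> q -> query
    n = int(request.args.get("n"))
    cursor.execute("SELECT %d" % n)    # clean: int() sanitizes
    expr = request.form["expr"].strip()
    eval(expr)                         # tainted: request.form -> expr
    os.system("ls")                    # clean: constant argument
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f.sink} at line {f.lineno}: {' -> '.join(f.trace)}")
```

Running it on `SAMPLE` reports two findings, `cursor.execute` on line 5 and `eval` on line 9, each with its trace; the `int()`-wrapped value and the constant argument produce nothing. The analyzer is deliberately flow-insensitive and single-file, which is exactly the corner a real engine (Semgrep's taint mode, CodeQL's data-flow library) spends its complexity on: branches, loops, calls across functions and files.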
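## 🧩 Worked example: block-on-high gate over SARIF

The PR-blocking gate from "Applications" and the SARIF upload pattern above, as an added example (not this page's code and not part of Semgrep): the script reads a SARIF 2.1.0 report, resolves each result's severity the way the SARIF spec does (explicit `level`, else the rule's `defaultConfiguration.level`, else `warning`), skips results the tool already marked as suppressed, counts the rest per level and fails only on the levels you choose to block on. `SAMPLE_SARIF` is a constructed fragment assumed to mirror the shape of `semgrep --sarif` output.

```python
# Severity gate over a SARIF report: the "block-on-high" PR gate.
# Added example; not code from the wiki page or from Semgrep.
import json
import sys


def _loc(uri, line):
    """Build a SARIF physicalLocation for the constructed sample below."""
    return {"physicalLocation": {"artifactLocation": {"uri": uri},
                                 "region": {"startLine": line}}}


# Constructed SARIF 2.1.0 fragment, reduced to the fields the gate reads.
# Assumption: this mirrors the shape of `semgrep ci --sarif` output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "semgrep", "rules": [
            {"id": "dangerous-eval-from-request", "defaultConfiguration": {"level": "error"}},
            {"id": "missing-csrf-token", "defaultConfiguration": {"level": "warning"}},
            {"id": "todo-comment", "defaultConfiguration": {"level": "note"}},
        ]}},
        "results": [
            {"ruleId": "dangerous-eval-from-request", "level": "error",
             "locations": [_loc("src/api.ts", 42)]},
            {"ruleId": "missing-csrf-token",                      # level via rule default
             "locations": [_loc("src/forms.ts", 7)]},
            {"ruleId": "dangerous-eval-from-request", "level": "error",
             "suppressions": [{"kind": "inSource"}],              # already nosemgrep'd
             "locations": [_loc("src/legacy.ts", 88)]},
            {"ruleId": "todo-comment", "locations": [_loc("src/util.ts", 3)]},
        ],
    }],
})


def _rule_levels(run):
    """Map ruleId -> default level from the tool's rule metadata."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    return {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning") for r in rules}


def _location(result):
    """Render the first location as uri:line, tolerating results without one."""
    try:
        phys = result["locations"][0]["physicalLocation"]
        return f'{phys["artifactLocation"]["uri"]}:{phys["region"]["startLine"]}'
    except (KeyError, IndexError):
        return "<no location>"


def evaluate(sarif_text, block_on=frozenset({"error"})):
    """Count unsuppressed results per level and list the ones that block the PR."""
    counts = {"error": 0, "warning": 0, "note": 0}
    blocking = []
    for run in json.loads(sarif_text).get("runs", []):
        defaults = _rule_levels(run)
        for res in run.get("results", []):
            if res.get("suppressions"):      # suppressed in the report itself
                continue
            # SARIF: a missing result.level falls back to the rule default, then "warning"
            level = res.get("level") or defaults.get(res.get("ruleId"), "warning")
            counts[level] = counts.get(level, 0) + 1
            if level in block_on:
                blocking.append(f'{res.get("ruleId")} @ {_location(res)}')
    return {"counts": counts, "blocking": blocking, "block": bool(blocking)}


if __name__ == "__main__":
    # Usage: python sarif_gate.py semgrep.sarif   (no argument: the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    verdict = evaluate(text)
    print(json.dumps(verdict, indent=2))
    sys.exit(1 if verdict["block"] else 0)
```

Widening `block_on` to `{"error", "warning"}` is the "block-on-everything" anti-pattern in one line; keeping it at `error` while still uploading the full SARIF means the warnings stay visible in code scanning without gating the merge.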
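## 🧩 Worked example: suppression hygiene check

A check for the "No suppression hygiene" anti-pattern and the triage convention above, as an added example (not this page's code and not a Semgrep feature): every `nosemgrep` comment must name a rule id (a bare `nosemgrep` silences every rule on that line) and carry a `reason:` comment on the same or an adjacent line. The `reason:` convention and the TypeScript `SAMPLE` are assumptions constructed for the demo; wire the function into the pre-commit hook or a CI step to fail on the problems it returns.

```python
# Suppression-hygiene check for `nosemgrep` comments.
# Added example; not code from the wiki page or from Semgrep.
import re

# A `nosemgrep` marker, optionally followed by ":" and one or more rule ids.
SUPPRESS = re.compile(r"nosem(?:grep)?(?::\s*(?P<ids>\S+))?")
# Convention assumed here: every suppression carries a `reason:` comment on the
# same line or an adjacent line (Semgrep itself does not require this).
REASON = re.compile(r"\breason:\s*\S")


def check_suppressions(text):
    """Return (line_number, problem) pairs for suppressions lacking an id or a reason."""
    lines = text.splitlines()
    problems = []
    for i, line in enumerate(lines, start=1):
        m = SUPPRESS.search(line)
        if not m:
            continue
        if not m.group("ids"):
            problems.append((i, "bare nosemgrep silences every rule; name the rule id"))
        prev_line = lines[i - 2] if i > 1 else ""
        next_line = lines[i] if i < len(lines) else ""
        if not any(REASON.search(n) for n in (line, prev_line, next_line)):
            problems.append((i, "no 'reason:' comment on this or an adjacent line"))
    return problems


# Constructed TypeScript sample mixing good and bad suppressions
SAMPLE = """\
const a = eval(x);  // nosemgrep
const b = 1;
// reason: input is already zod-validated
// nosemgrep: dangerous-eval-from-request
const c = eval(safeMath);
// nosemgrep: dangerous-eval-from-request
const d = eval(other);
"""

if __name__ == "__main__":
    for lineno, msg in check_suppressions(SAMPLE):
        print(f"line {lineno}: {msg}")
```

On `SAMPLE` the check flags line 1 twice (bare marker, no reason) and line 6 once (no reason); the suppression on line 4 passes because the reason sits directly above it.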