bluemsi/2nd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
95cd8bb891bf94ea5dd50e4a490ee17d5707ecf2
2nd/10_Wiki/Topics/DevOps_and_Security/SAST.md
T
koriweb d8a80f6272 chore(wiki): dangling 링크 canonical 정규화 (768파일/1200건) 
이름만 다른(표기 변형) [[위키링크]]를 대상 문서의 canonical 제목으로 치환해
끊겼던 1,200개 링크를 연결. 제목/파일명 정규화 일치만 적용하고 별칭 매칭은
과병합 위험으로 제외(애매성 가드). 원본은 _link_reconcile_backup/ 에 백업.
도구: Datacollect/scripts/link_reconcile_apply.mjs

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-08 12:24:15 +09:00

147 lines
4.7 KiB
Markdown
Raw Blame History

---
id: wiki-2026-0508-sast
title: SAST
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [Static Application Security Testing, static analysis, source code analysis]
duplicate_of: none
source_trust_level: A
confidence_score: 0.95
verification_status: applied
tags: [security, sast, devsecops, static-analysis, ci-cd]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
language: multi
framework: semgrep-codeql-snyk
---
# SAST
## 매 한 줄
> **"매 source 의 reading 없이 의 running"**. SAST (Static Application Security Testing) 의 source code, bytecode, binary 의 의 inspecting 의 vulnerabilities 의 detecting 의 — 매 runtime 의 없이. 2026 의 dominant tools: Semgrep (rule-based, fast), CodeQL (semantic, deep), Snyk Code (DeepCode AI).
## 매 핵심
### 매 SAST 의 기본 mechanics
- **AST/CFG/DFG**: source 의 parse → AST → control-flow graph → data-flow graph.
- **Taint analysis**: 매 source (user input) → sink (sql query) 의 path 의 trace.
- **Pattern matching**: 매 known anti-pattern (e.g., `eval(req.body)`) 의 detect.
- **Symbolic execution** (heavy): 매 path constraints 의 SMT solver 의 — 매 CodeQL.
### 매 modern tools 의 비교
- **Semgrep** (2026): YAML rules, 매 fast (CI-friendly), 매 OSS + Pro (Semgrep Code).
- **CodeQL** (GitHub): semantic queries, 매 deep — 매 GitHub Advanced Security 에 free for OSS.
- **Snyk Code**: AI-augmented (DeepCode), 매 fast, 매 commercial.
- **SonarQube**: code quality + security 의 hybrid.
### 매 응용
1. PR-blocking gate (block-on-high).
2. Pre-commit (fast subset).
3. Nightly full scan + Jira issue 의 auto-create.
## 💻 패턴
### Semgrep custom rule (taint TS)
```yaml
rules:
- id: dangerous-eval-from-request
languages: [typescript, javascript]
severity: ERROR
message: 매 user input 의 eval 의 — RCE 위험
mode: taint
pattern-sources:
- pattern-either:
- pattern: req.body
- pattern: req.query
- pattern: req.params
pattern-sinks:
- pattern-either:
- pattern: eval(...)
- pattern: new Function(...)
```
### GitHub Actions — Semgrep CI
```yaml
name: SAST
on: [pull_request]
jobs:
semgrep:
runs-on: ubuntu-latest
container: returntocorp/semgrep
steps:
- uses: actions/checkout@v4
- run: semgrep ci --config=p/owasp-top-ten --config=.semgrep/
env:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
```
### CodeQL query 의 hardcoded secret
```ql
import javascript
from StringLiteral s
where s.getValue().regexpMatch("AKIA[0-9A-Z]{16}")
select s, "매 hardcoded AWS key 의 detected"
```
### Pre-commit hook — fast subset
```bash
#!/usr/bin/env bash
changed=$(git diff --cached --name-only --diff-filter=ACMR | grep -E '\.(ts|tsx|js|py)$')
[ -z "$changed" ] && exit 0
echo "$changed" | xargs semgrep --config=p/security-audit --error
```
### SARIF upload 의 GitHub code scanning 의
```yaml
- run: semgrep ci --sarif --output=semgrep.sarif || true
- uses: github/codeql-action/upload-sarif@v3
with: { sarif_file: semgrep.sarif }
```
### Triage — false positive 의 suppress 의
```typescript
// nosemgrep: dangerous-eval-from-request
// 매 reason: input 의 zod-validated 의 already
const result = eval(safeMath); // ok
```
## 매 결정 기준
| 상황 | Tool |
|---|---|
| OSS project, 매 fast feedback | Semgrep (free OSS rules) |
| GitHub repo, 매 deep semantic | CodeQL (GHAS) |
| polyglot enterprise | Snyk Code or SonarQube |
| custom org rules 의 heavy | Semgrep Pro |
**기본값**: Semgrep (PR gate, p/owasp-top-ten) + CodeQL (nightly, scheduled).
## 🔗 Graph
- 부모: [[CI/CD Pipeline & IDE Security Integration|DevSecOps]] · [[Application Security]]
- 변형: [[보안 및 시스템 신뢰성 표준|DAST]] · [[IAST]] · [[SCA_Fundamentals|SCA]]
- 응용: [[보안 및 시스템 신뢰성 표준|OWASP Top 10]] · [[Secure SDLC]]
- Adjacent: [[CodeQL]] · [[Semgrep]]
## 🤖 LLM 활용
**언제**: triaging findings, generating fix PRs (Copilot Autofix style), writing custom rules from natural language.
**언제 X**: trusting AI-only triage 없이 의 human review — 매 false positives 여전히 30-50%.
## ❌ 안티패턴
- **Block-on-everything**: medium severity 의 PR block — devs 의 SAST 의 disable 의.
- **No suppression hygiene**: `nosemgrep` 의 reason 없이 spammed.
- **Tool-only**: SAST 만 — DAST/SCA 없으면 runtime + dependency 의 blind.
- **Scan once a quarter**: 매 finding backlog 의 explode.
## 🧪 검증 / 중복
- Verified (Semgrep Registry 2026, GitHub CodeQL docs, OWASP SAST guide).
- 신뢰도 A.
## 🕓 Changelog
| 날짜 | 변경 |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — Semgrep/CodeQL 의 modern SAST patterns |
Reference in New Issue View Git Blame Copy Permalink