Auto-sync: 2026-04-26 20:02
This commit is contained in:
@@ -1,52 +1,53 @@
|
||||
# SAST (Static Application Security Testing)
|
||||
|
||||
## Definition
|
||||
SAST tools analyze an application's source code to identify security vulnerabilities without executing the code. They excel at spotting common issues such as SQL injection, cross-site scripting, and buffer overflows.
|
||||
|
||||
## Aliases
|
||||
- Static Application Security Testing
|
||||
- White-box testing
|
||||
- Static analysis
|
||||
|
||||
## Characteristics
|
||||
- **无需运行代码**:在静态状态下分析源代码
|
||||
- **白盒测试**:能看到代码内部结构
|
||||
- **开发阶段适用**:在编码和代码审查时使用
|
||||
- **速度快**:可以快速扫描大量代码
|
||||
|
||||
## Common Vulnerabilities Detected
|
||||
- SQL 注入(SQL Injection)
|
||||
- 跨站脚本(XSS, Cross-Site Scripting)
|
||||
- 缓冲区溢出(Buffer Overflow)
|
||||
- 硬编码凭证(Hardcoded Credentials)
|
||||
- 不安全的加密使用
|
||||
- 路径遍历(Path Traversal)
|
||||
|
||||
## Tools
|
||||
- [[SonarQube]] — 代码质量和安全分析
|
||||
- Checkmarx
|
||||
- Veracode
|
||||
- Fortify
|
||||
- Semgrep
|
||||
|
||||
## Integration
|
||||
SAST 工具通常集成到:
|
||||
- IDE 开发环境
|
||||
- CI/CD 构建管道
|
||||
- 代码审查流程
|
||||
|
||||
## Limitations
|
||||
- 可能产生误报(False Positives)
|
||||
- 无法检测运行时问题
|
||||
- 需要源代码访问权限
|
||||
- 不检测配置问题
|
||||
|
||||
## Related Concepts
|
||||
- [[DevSecOps]] — SAST 是其重要组件
|
||||
- [[DAST]] — 动态应用安全测试(黑盒测试)
|
||||
- [[IAST]] — 交互式应用安全测试
|
||||
- [[SCA]] — 软件组成分析
|
||||
- [[Shift-Left-Security]] — SAST 是左移策略的重要工具
|
||||
|
||||
## Sources
|
||||
- [[what-is-devsecops-best-practices-benefits-and-tools]]
|
||||
---
|
||||
title: "SAST"
|
||||
type: concept
|
||||
tags: [security, static-analysis, devsecops, sast]
|
||||
sources: ["what-is-devsecops-best-practices-benefits-and-tools"]
|
||||
last_updated: 2025-12-19
|
||||
---
|
||||
|
||||
## Definition
|
||||
|
||||
SAST(Static Application Security Testing,静态应用安全测试)是一种在不运行应用程序的情况下,通过分析源代码、字节码或二进制文件的结构和逻辑来发现安全漏洞的测试方法。
|
||||
|
||||
## Characteristics
|
||||
|
||||
- **白盒测试**:需要访问源代码
|
||||
- **编码阶段使用**:在开发人员编写代码时即时发现漏洞
|
||||
- **零运行时开销**:无需执行程序,不影响性能
|
||||
- **高覆盖率**:可扫描整个代码库,发现逻辑复杂的安全问题
|
||||
|
||||
## Capabilities
|
||||
|
||||
SAST 工具擅长发现以下类型的漏洞:
|
||||
- SQL 注入(SQL Injection)
|
||||
- 跨站脚本(XSS, Cross-Site Scripting)
|
||||
- 缓冲区溢出(Buffer Overflow)
|
||||
- 硬编码凭据
|
||||
- 不安全的直接对象引用
|
||||
- 缺少输入验证
|
||||
|
||||
## Limitations
|
||||
|
||||
- 误报率较高(可能报告非真实漏洞)
|
||||
- 无法发现运行时漏洞和配置问题
|
||||
- 对第三方库的分析能力有限(见 [[SCA]])
|
||||
|
||||
## Typical Tools
|
||||
|
||||
- SonarQube
|
||||
- Checkmarx
|
||||
- Fortify
|
||||
- Semgrep
|
||||
- Bandit (Python)
|
||||
|
||||
## Relationship with DevSecOps
|
||||
|
||||
SAST 是 DevSecOps CI/CD 流水线的核心组成部分,通常在代码提交后自动触发,为开发人员提供即时反馈。属于 [[DevSecOps]] 工具链中的"左移"环节。
|
||||
|
||||
## Related Concepts
|
||||
|
||||
- [[DAST]] — 动态应用安全测试,与 SAST 互补
|
||||
- [[IAST]] — 交互式应用安全测试,运行时分析
|
||||
- [[SCA]] — 软件成分分析,扫描第三方依赖
|
||||
- [[Shift Left]] — 左移策略,SAST 是其核心实践
|
||||
|
||||
Reference in New Issue
Block a user