PO.3.2 / PW.7.1 / PW.8.2 NIST SP 800-218 SSDF

SAST / SCA in CI catches insecure AI suggestions

Description

What this control does

This control requires Static Application Security Testing (SAST) and Software Composition Analysis (SCA) tools to be integrated into the Continuous Integration (CI) pipeline, with rulesets configured to detect insecure code patterns that may originate from AI-assisted coding tools such as GitHub Copilot, ChatGPT, or other LLM-based code generators. The tools automatically scan code commits for vulnerabilities like SQL injection, hardcoded secrets, use of vulnerable dependencies, and other OWASP Top 10 weaknesses before merge or deployment. This control is critical because AI coding assistants can suggest functionally correct but insecure code patterns learned from public repositories, requiring automated safety nets to prevent vulnerable suggestions from reaching production.

Control objective

What auditing this proves

Demonstrate that SAST and SCA tools are actively integrated into the CI pipeline with configurations capable of detecting common security vulnerabilities that may be introduced by AI-assisted code generation, and that these tools prevent merging or deployment of code failing security checks.

Associated risks

Risks this control addresses

  • AI coding assistants suggest code containing SQL injection, command injection, or other injection vulnerabilities that developers accept without security review
  • LLM-generated code includes hardcoded credentials, API keys, or cryptographic secrets that are committed to version control
  • AI tools recommend use of deprecated or vulnerable third-party libraries with known CVEs that are incorporated into the codebase
  • Developers bypass manual code review by trusting AI suggestions, allowing insecure deserialization or XML external entity (XXE) vulnerabilities into production
  • AI-generated cryptographic implementations use weak algorithms or improper configurations that pass functional testing but create exploitable weaknesses
  • Code suggested by AI assistants contains cross-site scripting (XSS) vulnerabilities in user input handling that evade peer review
  • Vulnerable code patterns from outdated training data in AI models are replicated across multiple projects without detection

Testing procedure

How an auditor verifies this control

  1. Inventory all CI/CD pipelines used for application development and identify which have SAST and SCA tooling integrated (e.g., SonarQube, Snyk, Checkmarx, GitLab SAST, GitHub Advanced Security).
  2. Review CI pipeline configuration files (e.g., .gitlab-ci.yml, .github/workflows/, Jenkinsfile) to verify SAST and SCA scanning stages are mandatory and occur before merge/deployment gates.
  3. Examine SAST and SCA tool rulesets and policies to confirm they include detection of common AI-suggested vulnerabilities including injection flaws, hardcoded secrets, insecure cryptography, and vulnerable dependencies.
  4. Select a sample of 10-15 recent pull requests or merge requests and verify that SAST/SCA scan results are documented and that findings were addressed or formally accepted before merge.
  5. Review pipeline logs and tool dashboards to confirm scans execute automatically on every code commit or pull request without manual triggering.
  6. Test the enforcement mechanism by attempting to merge a branch containing a known vulnerability (e.g., test SQL injection pattern) to verify the pipeline blocks the merge or triggers mandatory review.
  7. Examine false-positive triage and suppression processes to ensure legitimate security findings are not routinely waived without documented risk acceptance by the security team.
  8. Review integration between SAST/SCA tools and ticketing systems (e.g., Jira, ServiceNow) to verify that critical and high-severity findings automatically create remediation tasks assigned to development teams.
Evidence required

Collect CI/CD pipeline configuration files showing SAST/SCA integration, screenshots of tool dashboards displaying recent scan results and policy configurations, exports of security finding reports from the past 90 days with remediation status, pipeline execution logs demonstrating automated scanning on commits, documentation of security ruleset configurations including enabled vulnerability categories, and change control records showing examples of blocked merges or required remediation workflows. Include evidence of at least one failed pipeline run due to security findings and subsequent remediation.

Pass criteria

SAST and SCA tools are integrated into all active CI pipelines with configurations that detect injection flaws, hardcoded secrets, insecure cryptography, and vulnerable dependencies; scans execute automatically on every code commit; the pipeline enforces remediation or documented risk acceptance before merge; and evidence shows at least 90% of high and critical findings are remediated within SLA.
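As an added illustration (not code from this page or from any of the tools it names) of what steps 3 and 6 and the pass criteria look for: a ruleset that flags three of the AI-suggested patterns listed above (f-string SQL passed to execute(), a string literal bound to a secret-looking name, hashlib.md5/sha1) and a merge gate that only passes when every blocking finding carries a documented risk acceptance. The scanner, the sample source and the severity policy are constructed assumptions; in a real pipeline the SAST/SCA products listed in step 1 supply the rules.

```python
import ast
import re

# Constructed sample (an assumption, not real project code) mixing patterns an
# AI assistant might suggest with one parameterised query that should pass.
SAMPLE = '''
import hashlib
API_KEY = "sk-EXAMPLE-PLACEHOLDER-0000"
def get_user(cursor, name):
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")
    return cursor.fetchone()
def digest(data):
    return hashlib.md5(data).hexdigest()
def safe_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
'''

SECRET_NAME = re.compile(r"api[_-]?key|secret|passw(or)?d|token", re.I)
WEAK_HASH = {"md5", "sha1"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def scan(source):
    """Return (severity, rule, line) findings for three rule classes."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Rule 1: SQL assembled from an f-string and handed to execute()
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
                and node.func.attr == "execute" and node.args \
                and isinstance(node.args[0], ast.JoinedStr):
            findings.append(("high", "sql-injection-fstring", node.lineno))
        # Rule 2: string literal assigned to a secret-looking variable name
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant) \
                and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    findings.append(("high", "hardcoded-secret", node.lineno))
        # Rule 3: hashlib.md5 / hashlib.sha1 (weak for security purposes)
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
                and node.func.attr in WEAK_HASH and isinstance(node.func.value, ast.Name) \
                and node.func.value.id == "hashlib":
            findings.append(("medium", "weak-hash", node.lineno))
    return findings

def merge_allowed(findings, block_at="high", accepted=()):
    """Block the merge when a finding at or above block_at lacks a documented risk acceptance (rule, line)."""
    blocking = [f for f in findings
                if SEVERITY_RANK[f[0]] >= SEVERITY_RANK[block_at]
                and (f[1], f[2]) not in accepted]
    return not blocking, blocking
```

The parameterised query in safe_user is deliberately not flagged, which is the distinction an auditor's test merge in step 6 should exercise in both directions.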

Where this control is tested

Audit programs including this control