About this program
The three scanners every CI/CD should run, with finding triage and trend tracking.
Risks addressed
- Critical: Secret committed to a public repo
- Critical: SQL injection ships because no SAST in CI
- High: Findings pile up without ownership; scanner ignored
Controls (7)
- SAST on every PR (High)
  How to test + evidence
  Testing procedure: CI runs SAST per PR; high / critical findings block the merge.
  Evidence to collect: CI workflow + last run.
- DAST against staging on every release (High)
  How to test + evidence
  Testing procedure: DAST runs against staging; high findings block release or get an explicit exception.
  Evidence to collect: CI workflow + last DAST report.
- Secret scanning pre-commit + push (Critical)
  How to test + evidence
  Testing procedure: Pre-commit hook + repo-side push protection; positives notify security.
  Evidence to collect: Hook config + recent block.
- Triage SLA per severity (High)
  How to test + evidence
  Testing procedure: Critical 7d / High 14d / Medium 30d. Trend reported monthly.
  Evidence to collect: Triage dashboard.
- False-positive feedback loop (Medium)
  How to test + evidence
  Testing procedure: Engineers can mark FPs with justification; security reviews patterns weekly.
  Evidence to collect: FP register.
- Backlog of older findings tracked (Medium)
  How to test + evidence
  Testing procedure: Findings older than the policy SLA show up on the team dashboard.
  Evidence to collect: Dashboard screenshot.
- Container image scanning before push (High)
  How to test + evidence
  Testing procedure: Built images scanned (Trivy / Grype / equivalent) before promotion.
  Evidence to collect: CI step + last scan.