
Implementing SAST in pull requests

Sara Verdi
Graphite software engineer


Note

This guide explains this concept in vanilla Git. For Graphite documentation, see our CLI docs.


Static Application Security Testing (SAST) is a security practice that involves analyzing source code or compiled versions of code to identify security vulnerabilities without running the code. Implementing SAST in pull requests (PRs) is an effective way to catch and fix security issues early in the development process to enhance the overall security posture of your applications. This guide explores how to integrate SAST into your GitHub pull requests, leveraging Graphite Automations to streamline the process.

To begin implementing SAST in your pull requests, you need to choose a SAST tool compatible with your programming environment and integrate it into your GitHub repository. Tools like SonarQube, Checkmarx, or Fortify offer GitHub integrations that can scan your code automatically when a PR is created or updated.

Here are some key reasons to implement SAST in pull requests:

  • Early vulnerability detection: Identifies security flaws before merging into the main branch, preventing them from reaching production.
  • Improved code quality: Enforces good programming practices and adherence to secure coding standards, enhancing the software's robustness.
  • Automation and efficiency: Automates the security testing process, speeding up reviews and reducing manual effort.
  • Regulatory compliance: Helps ensure compliance with industry-specific security standards and regulations, reducing the risk of penalties.
  • Educating developers: Increases security awareness among developers by highlighting security best practices and vulnerabilities related to their code.
  • Cost-effective security: Fixes security issues during development, reducing the costs associated with post-release patches and security breaches.
  • Continuous security: Supports continuous integration and deployment practices by embedding security testing into the development workflow.

The integration steps are:

  1. Choose a SAST tool: Select a tool that supports your programming language and framework.
  2. Configure the SAST tool: Set up the tool according to your security requirements, specifying the rules and conditions for passing or failing the build based on the security findings.
  3. Integrate with GitHub: Most SAST tools provide a native GitHub integration. Configure your repository to trigger the SAST tool scan when new code is pushed to a PR.
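
One way to express the pass/fail condition from step 2, as an added example that is not Graphite's or any SAST vendor's code: a gate script that reads a SARIF 2.1.0 report and fails the check when an error-level finding lands in a file the PR changed. It assumes your SAST tool can export SARIF with repository-relative paths; the function names, `example-sast`, the rule ids and the file paths are made up for illustration.

```python
import json
import sys

RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}  # SARIF 2.1.0 levels

def effective_level(result, rules):
    """Explicit result level, else the rule's default level, else 'warning'."""
    rule_cfg = rules.get(result.get("ruleId"), {}).get("defaultConfiguration", {})
    return result.get("level", rule_cfg.get("level", "warning"))

def blocking_findings(sarif, changed_files, fail_on="error"):
    """Findings at or above fail_on located in files the PR changed."""
    hits = []
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            level = effective_level(res, rules)
            if RANK.get(level, RANK["warning"]) < RANK[fail_on]:
                continue
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                if uri in changed_files:
                    line = phys.get("region", {}).get("startLine", 0)
                    hits.append((level, res.get("ruleId", "?"), uri, line))
    return hits

def _at(uri, line):
    return [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                  "region": {"startLine": line}}}]

# Constructed sample report: tool name, rule ids, paths and lines are made up.
SAMPLE = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast", "rules": [
        {"id": "EX001", "defaultConfiguration": {"level": "error"}}]}},
    "results": [
        {"ruleId": "EX001", "locations": _at("src/auth/login.ts", 42)},
        {"ruleId": "EX002", "locations": _at("src/auth/login.ts", 77)},
        {"ruleId": "EX001", "level": "note", "locations": _at("src/util.ts", 5)},
        {"ruleId": "EX001", "locations": _at("src/legacy/old.ts", 9)}]}]}

if __name__ == "__main__":
    report, changed = SAMPLE, {"src/auth/login.ts", "src/util.ts"}
    if len(sys.argv) == 3:  # gate.py <report.sarif> <changed-files.txt>
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            report, changed = json.load(f), set(g.read().splitlines())
    found = blocking_findings(report, changed)
    print("\n".join(f"{lv}: {rule} at {uri}:{ln}" for lv, rule, uri, ln in found))
    sys.exit(1 if found else 0)
```

In CI, pass the report and the output of `git diff --name-only` against the base branch; a non-zero exit fails the PR check. Findings in files the PR did not touch are deliberately not gated here and need a separate full-repository scan.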

Graphite Automations can enhance your SAST implementation by automating routine actions based on the results of SAST scans. For example, if a SAST scan identifies critical vulnerabilities, Graphite can automatically add specific labels, assign reviewers, or even block the merging of the PR until the issues are resolved.

  • Trigger Condition: Set up a trigger for pull requests containing changes in sensitive code areas or with specific file types (e.g., **/*.ts).
  • Actions:
    • Add reviewers: Automatically assign security experts to the PR if critical vulnerabilities are detected.
    • Add labels: Use labels such as "security review needed" to highlight PRs that require additional scrutiny.
    • Leave comments: Configure Graphite to post comments with details about the vulnerabilities and guidance on how to address them.

To set up an automation rule in Graphite:

  1. Log in to your Graphite account and navigate to the Automations section.
  2. Create a new rule:
    • Specify the repository and conditions that trigger the rule, such as PRs including changes to security-sensitive files.
    • Define the actions to take when the rule is triggered, like adding labels or comments based on the severity of the findings.
  3. Activate the rule to ensure it applies to all relevant PRs moving forward.

Best practices for SAST in pull requests:

  • Early integration: Incorporate SAST tools early in the development lifecycle to catch vulnerabilities before they become costly to fix.
  • Educate developers: Ensure that your team understands the importance of security testing and how to address the vulnerabilities identified by SAST tools.
  • Continuous improvement: Regularly update your SAST tool configurations and Graphite automation rules to adapt to new security threats and changes in your codebase.

Implementing SAST in your pull requests is a proactive measure that can significantly reduce the risk of security vulnerabilities in your software. By integrating SAST tools with GitHub and using Graphite Automations to streamline your workflows, you can ensure that every piece of code is scrutinized for security issues before it merges, maintaining the integrity and security of your projects.
