Task
Resolution: Done
Major
Description
The Offering team is responsible for integrating an appropriate Static Application Security Testing (SAST) tool into their productization pipeline and for triaging and remediating its findings. The Security Architect will advise on choosing appropriate SAST tooling and defining triage rules, and will assist with complex findings.
This task should be completed in the following phases:
- Productization phase
- Development phase
- Testing phase (before release)
Definition of Done
- An appropriate SAST scanner is implemented into the productization pipeline.
- Links to the pipeline definition where the SAST scanner has been implemented are added to https://product-security.pages.redhat.com/offering-registry/offerings/red-hat-build-quarkus/sdl/controls/sast/