Description

Make sure that Static Application Security Testing (SAST) / Code Scanning is in place for your repository. Code scanning lets you analyze the code to find security vulnerabilities and coding errors. SAST tools play a crucial role in identifying security vulnerabilities within source code. These tools analyze code for potential flaws based on predefined security rules and policies. Before their code is compiled, DevSecOps developers begin testing their custom code for security vulnerabilities. This helps them fix issues without affecting the build. SAST tools make this process easier with automatic checks and real-time feedback. Learn more: https://docs.github.com/en/code-security/code-scanning https://appsecmap.com https://owasp.org/www-community/Source_Code_Analysis_Tools https://www.microsoft.com/en-us/security/business/security-101/what-is-devsecops https://appsecmap.com

Recommendation

1. Navigate to Repository -> Actions. 
2. Open your repository CI Pipeline. 
3. Ensure a SAST / Code scanning tool is present in your pipeline.

Policy Rule

{
  "target": "GHActionsWorkflows",
  "if": {
    "allOf": [
      {
        "resource": "GHActionsWorkflows",
        "property": "WorkflowsYaml",
        "operator": "match",
        "value": "$(GH_POLICY_VAR_DEVSECOPS_SAST_STATIC_APPLICATION_SECURITY_TESTING_TOOLS_PATTERNS)"
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}