Automating Static Code Analysis Through CI/CD Pipeline Integration


Abstract:

In the contemporary landscape of software development, securing sensitive data is paramount to safeguarding organizational reputation, preventing financial losses, and protecting individuals from identity theft. This paper addresses the pervasive challenge of identifying and rectifying security vulnerabilities early in the development process, emphasizing the role of Static Application Security Testing (SAST) tools. While SAST tools play a crucial role in detecting vulnerabilities, widespread adoption has been hindered by usability issues, including high false positive rates and a lack of native pipeline support. This paper proposes a novel, generalized, and automated process for aggregating SAST tool outputs and integrating them into developers' familiar issue-tracking software. The process streamlines the identification and communication of security vulnerabilities during the development lifecycle, facilitating more efficient remediation efforts. We demonstrate the successful implementation of the proposed process with the SonarQube SAST tool in a GitLab-based development environment. Developers were positive about the structured implementation, real-time feedback, and proactive vulnerability management. However, despite some challenges such as a potential learning curve and tradeoffs between secure coding and workflow disruption, the overall positive impact on security awareness and responsiveness suggests that the proposed process holds promise in enhancing the security posture of software development practices.
Date of Conference: 12-12 March 2024
Date Added to IEEE Xplore: 15 August 2024
Conference Location: Rovaniemi, Finland

I. Introduction

Now, more than ever, software applications must effectively secure the data they store. A single security breach can wreak havoc on an organization's reputation, trigger massive financial loss, and even disrupt individuals' lives through identity theft or other means. Many security breaches can be traced back to security vulnerabilities [7]. A security vulnerability is a weakness or flaw in a software application's source code or design that malicious actors can exploit to compromise the security of the system or the data it processes. It is vital that vulnerabilities are identified and corrected as early as possible in the development process. A key tool that development teams can use to identify vulnerabilities is Static Application Security Testing (SAST), also known as static code analysis.
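The abstract describes a pipeline step that takes SAST tool output and files it into the developers' issue tracker. The following is an added illustration of that step written for this page; it is not the paper's implementation and does not reproduce the authors' process. It assumes SonarQube as the scanner and GitLab as the tracker, as in the paper's case study, but the scanner response below is a constructed sample (field names follow the real `GET /api/issues/search` response: `key`, `rule`, `severity`, `component`, `line`, `message`, `type`), the severity and type thresholds are assumptions, and the fingerprinting scheme used to avoid duplicate tickets on re-runs is this example's own choice. The only network call, `post_to_gitlab()`, uses the real `POST /api/v4/projects/:id/issues` shape and is not exercised here.

```python
"""Turn SAST findings into issue-tracker items (added example, not the paper's code).

Assumptions: SonarQube issue JSON on the input side, GitLab issue payloads on
the output side. The sample scanner response is constructed for this example.
"""
import hashlib
import json
import urllib.request

# Constructed sample of a SonarQube /api/issues/search response; not real
# scanner output. Field names match the real API, values are made up.
SAMPLE_SONAR_RESPONSE = json.loads("""
{
  "total": 3,
  "issues": [
    {"key": "AX1", "rule": "python:S2068", "severity": "BLOCKER",
     "component": "demo:app/settings.py", "line": 12,
     "message": "Revoke and change this password, as it is compromised.",
     "type": "VULNERABILITY", "status": "OPEN"},
    {"key": "AX2", "rule": "python:S3649", "severity": "CRITICAL",
     "component": "demo:app/db.py", "line": 40,
     "message": "Change this code to not construct SQL queries directly from user-controlled data.",
     "type": "VULNERABILITY", "status": "OPEN"},
    {"key": "AX3", "rule": "python:S1481", "severity": "MINOR",
     "component": "demo:app/util.py", "line": 7,
     "message": "Remove the unused local variable.",
     "type": "CODE_SMELL", "status": "OPEN"}
  ]
}
""")

SEVERITY_RANK = {"BLOCKER": 0, "CRITICAL": 1, "MAJOR": 2, "MINOR": 3, "INFO": 4}


def fingerprint(issue):
    """Stable identity for a finding across scans: rule + file + message.
    The line number is deliberately excluded so that unrelated edits in the
    same file do not make an already tracked finding look new (assumed
    scheme, chosen for this example)."""
    path = issue["component"].split(":", 1)[-1]
    raw = f'{issue["rule"]}|{path}|{issue["message"]}'
    return hashlib.sha256(raw.encode()).hexdigest()[:12]


def select_findings(sonar_response, min_severity="MAJOR", types=("VULNERABILITY",)):
    """Keep only findings worth a ticket: vulnerability type and severity at
    or above the cutoff (thresholds are an assumption of this example)."""
    cutoff = SEVERITY_RANK[min_severity]
    chosen = [i for i in sonar_response["issues"]
              if i["type"] in types and SEVERITY_RANK[i["severity"]] <= cutoff]
    return sorted(chosen, key=lambda i: SEVERITY_RANK[i["severity"]])


def to_gitlab_issue(issue, project_slug):
    """Build the JSON body for GitLab's POST /projects/:id/issues."""
    path = issue["component"].split(":", 1)[-1]
    fp = fingerprint(issue)
    title = f'[SAST {fp}] {issue["rule"]} in {path}'
    description = (
        f'**Severity:** {issue["severity"]}\n'
        f'**Location:** `{path}:{issue["line"]}`\n'
        f'**Rule:** {issue["rule"]}\n\n{issue["message"]}\n\n'
        f'Sonar issue key: `{issue["key"]}` (project `{project_slug}`)'
    )
    return {"title": title, "description": description,
            "labels": f'security,sast,{issue["severity"].lower()}'}


def plan_issues(sonar_response, existing_titles, project_slug="demo"):
    """Return payloads only for findings not already tracked.
    existing_titles: titles of open tracker issues, e.g. from
    GET /projects/:id/issues?labels=sast&state=opened."""
    known = {t.split("]")[0][6:] for t in existing_titles if t.startswith("[SAST ")}
    return [to_gitlab_issue(i, project_slug)
            for i in select_findings(sonar_response)
            if fingerprint(i) not in known]


def post_to_gitlab(gitlab_url, project_id, token, payload):
    """Create one issue. Not called here; needs a reachable GitLab and a token."""
    req = urllib.request.Request(
        f"{gitlab_url}/api/v4/projects/{project_id}/issues",
        data=json.dumps(payload).encode(),
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    first_run = plan_issues(SAMPLE_SONAR_RESPONSE, existing_titles=[])
    print(json.dumps(first_run, indent=2))
    # A second run over the same scan files nothing new.
    rerun = plan_issues(SAMPLE_SONAR_RESPONSE, [p["title"] for p in first_run])
    print("new issues on rerun:", len(rerun))
```

In a CI job this would run after the scanner stage, with the scanner response fetched over the SonarQube API and the existing-title list fetched from GitLab before calling `post_to_gitlab()` for each planned payload. The fingerprint in the title is what keeps a nightly or per-merge pipeline from flooding the tracker with duplicates, which is one of the usability problems the abstract attributes to SAST adoption.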
