The site that you are currently viewing is a static version of the Software Factory documentation delivered with the

version v7.2.
For up-to-date documentation, see the latest version.

Static Application Security Testing

Static Application Security Testing (SAST) is a “white-box” testing methodology that analyzes source code and compiled artifacts (bytecode/binaries) for vulnerabilities without executing the program.

By examining the codebase, SAST tools can identify security flaws such as SQL injection, cross-site scripting (XSS), and buffer overflows early in the SDLC, allowing teams to fix issues before they become expensive production incidents.

How SAST Works

SAST tools do not just “read” code, they understand its behavior using two primary methods:

  • Pattern Matching: Fast scanning for known bad syntax or unsafe configurations.
  • Data & Control Flow Analysis: Deep simulation of how data moves through the application logic to find complex bugs like Taint Analysis .

Why use SAST ?

  • 🛡️ Detect Vulnerabilities Early: Identifies critical flaws such as SQL Injection, Cross-Site Scripting (XSS), Buffer Overflows, and authentication bypasses.
  • ⚖️ Ensure Compliance: Helps projects meet strict industry standards by locating code-level violations that could lead to fines or legal risks.
  • 🎓 Educate Developers: Acts as an automated coach. By providing immediate feedback on unsafe patterns, SAST helps developers improve their secure coding skills over time.

SAST Tools in Software Factory

The Software Factory suite includes three SAST analysis tools:

black-duck-Coverity

GitLab sast

SonarSource

Although they share similar goals, they operate at different levels of depths and precision.

Important

Thales Group has chosen Coverity as a reference for the entire Group. However, some Thales Entities have already started to work with others SAST tools. This fact is taken into account on the Software Security and Secure Coding Community platform.

SAST Comparison

Global Overview

SAST ToolAnalysis DepthSetup & Learning effortComments
Coverity⭐️⭐️⭐️⭐️ Deep⭐️ ChallengingFor deep, high-accuracy analysis and strong compliance needs. Especially C/C++ and complex, security critical code
SonarQube⭐️⭐️ Medium⭐️⭐️ ModerateFor code quality governance with moderate security rules. A complement, rather than a replacement for SAST tools.
GitLab SAST⭐️⭐️(⭐️) Medium⭐️⭐️⭐️⭐️ Very EasyFor fast feedback directly in GitLab with minimal setup. Prefer Advanced SAST if your language is supported.

It is important to choose the right tool because they “read” code differently:

Pattern Matching (Linting)

  • Used by: GitLab SAST (Basic), SonarQube.
  • How it works: It looks for “bad shapes” in the code, like using a banned function or a hardcoded password.
  • Pros/Cons: It is extremely fast but cannot understand complex logic, leading to false positives.

Data Flow & Control Flow Analysis

  • Used by: Coverity, GitLab Advanced SAST and SonarQube.
  • How it works: It simulates the execution of the program. It tracks a variable from user input (source) to usage (sink) to see if it becomes dangerous.
  • Pros/Cons: It detects complex bugs like NullPointer Exceptions or Injection attacks across different files. It is much slower but necessary for Critical Software.

Languages overview

Note

The table below shows which languages are supported by each SAST tool, but the level of coverage and depth of analysis may differ significantly between tools and languages.

LanguageGitLab SASTGitLab Advanced SASTSonarQubeCoverity
Java
JavaScript⚠️
TypeScript⚠️
Python⚠️
Ruby⚠️
C✅ Since GitLab 18.8
C++✅ Since GitLab 18.8
C#✅ (up to 13.0)
Go⚠️ (Go compilers )
Kotlin
Rust

Legend:

  • Full support - Production-ready, comprehensive coverage
  • ⚠️ Limited/Basic - Partial support, may miss some vulnerabilities
  • Not supported - No coverage available

Standards & Compliance Support

🏛️ Target Standard / RegulationGitLab Advanced SASTSonarQubeCoverityWhy?
OWASP Top 10 / CWE Top 25🏆Coverity is generally considered the more powerful. SonarQube provides solid OWASP coverage for every day use.
DO-178C (Avionics) / IEC 61508 (Industrial)🏆Coverity is certified for “Functional Safety” (FuSa). It provides the deep Data Flow analysis
MISRA C / C++🏆Coverity has the highest coverage of MISRA rules, even if SonarQube now covers 100% MISRA for C++
CERT C / C++🏆Both cover CERT rules well. Use Coverity for strict enforcement, SonarQube for educational guidance.
PCI-DSS (Payments)Coverity provides specific compliance reporting for PCI-DSS , SonarQube includes a dedicated PCI-DSS Report
GDPR (Data Privacy)🏆“Secret Detection” and “Taint Analysis” are often sufficient here.

🏆 = Advanced/Leader and ✅ = Supported according of vendor.

Tip

For Official Audits: If your project requires an official certification audit, Coverity is generally the required tool within Thales.

Recommendations by criticality

Criticality LevelLanguagesRecommended Tools
Prototypes / Internal ToolsAll languagesGitLab SAST
ProductionJava, C#, JavaScript, TypeScript, Python, Ruby, GoGitLab (Advanced) SAST + SonarQube
Critical SoftwareJava, C#, Go, Kotlin(Coverity or GitLab Advanced SAST ) + SonarQube
Production & Critical SoftwareC, C++Coverity + SonarQube
Production & Critical SoftwareRustGitLab SAST

GitLab SAST

GitLab SAST is a security feature that is directly integrated into the GitLab CI/CD pipeline.

By using open-source analyzers such as Semgrep and Bandit , it is capable of detecting common OWASP Top 10 security issues and insecure coding patterns.

The results of these analysis are conveniently displayed both in Merge Requests and the Security Dashboard, providing developers with immediate and actionable feedback.

One of the primarily strengths of GitLab SAST is its seamless integration with GitLab, allowing for minimal setup and enabling quick feedback and early security insights.

However, GitLab SAST has some limitations, such as a relatively shallow coverage, higher rate of false positives, especially in complex applications.

GitLab Advanced SAST addresses several of these limitations and offers advanced detection techniques including cross-file, cross-function, and taint analysis while remains easy to use and integrate.

Software Factory Recommendations
GitLab SAST is suited for delivering early and automated security feedback in CI/CD pipelines. GitLab Advanced SAST provides better and deeper analysis and shoud always be preferred if the code language is supported.

SonarQube

SonarQube was primary designed for code quality then it added a security analysis of source code.

Its function is to help teams detect bugs, code smells, and security vulnerabilities early in SDLC.

SonarQube provides rule sets aligned with industry standards such as the OWASP Top 10, CWE, SANS, and more recently MISRA.

SonarQube is focused on developer usability and provides visibility into both quality and security aspects of code.

It enforces quality and security requirements through configurable quality gates, and supports analysis on branches and merge requests.

This ecosystem is further enhanced by SonarLint , an IDE extension that allows developers to shift left by detecting issues in real-time within their code editor before even being committed.

SonarQube also allows for customization and tuning of detection rules to match specific project contexts.

The main limitation of SonarQube is that its security coverage is rule-based, which may not identify more complex or deep dataflow vulnerabilities. As such, it may not be suitable for all security requirements.

Note

Regularly review and tune your SonarQube rules. SonarQube offers flexibility to disable noisy rules. Maintain your quality profiles to reduce false positives and alert fatigue

Software Factory Recommendations
SonarQube is most appropriate for teams focusing on secure coding practices, maintainability, and continuous improvement of code quality.

Coverity

Coverity is a static analysis tool designed for deep semantic and dataflow analysis across files, functions, and modules. It is particularly suited for code that must meet safety and compliance requirements.

Coverity can detect critical vulnerabilities such as buffer overflows and taint propagation. It supports a wide range of industry standards, including CWE, CERT, MISRA, OWASP, and ISO 26262.

The tool is suitable for large and complex codebases. It provides detailed remediation guidance and is designed to minimize false positives, helping teams address issues efficiently.

Coverity integrates with IDEs, build systems, and CI/CD pipelines to streamline its use throughout the development workflow.

However, Coverity requires initial setup and configuration, and scan times can be longer compared to lightweight analysis tools.

Software Factory Recommendations
Coverity is best used in environments where high assurance is essential, and is the SAST tool chosen by Thales Group.

How to Perform SAST in Software Factory

➡️ To implement SAST with Coverity, refer to Coverity tutorials .

➡️ To implement SAST with GitLab, refer to Howto enable GitLab SAST .

Warning

Avoid overlapping configurations: Running multiple SAST tools in the same pipeline without coordination, can create duplicate findings and cause confusion.

If you use SonarQube for C#, disable the C# rules in GitLab SAST to avoid seeing the same error twice

TL;DR

Coverity vs GitLab vs SonarQube