Integrating SAST into GitHub Actions Pipeline

When to Use

• When development teams need automated code-level vulnerability detection on every pull request
• When security teams require consistent SAST enforcement across all repositories in an organization
• When migrating from manual or periodic security reviews to continuous security testing
• When compliance frameworks (SOC 2, PCI DSS, NIST SSDF) require evidence of automated code analysis
• When multiple languages coexist in a monorepo and need unified scanning under one workflow

Do not use for runtime vulnerability detection (use DAST instead), for scanning third-party dependencies (use SCA tools like Snyk), or for infrastructure-as-code scanning (use Checkov or tfsec).

Prerequisites

• GitHub repository with GitHub Actions enabled
• GitHub Advanced Security license (required for CodeQL on private repos; free for public repos)
• Semgrep account for managed rules and Semgrep App dashboard (free tier available)
• Repository code in a supported language: Python, JavaScript/TypeScript, Java, C/C++, C#, Go, Ruby, Swift, Kotlin