Static Application Security Testing (SAST) is a foundational control in secure software delivery. However, the presence of a SAST tool alone does not constitute an effective control. Auditors, compliance officers, and regulators must assess whether the organisation’s SAST tool governance — from selection through ongoing operation — meets the standards required by frameworks such as DORA, NIS2, and ISO 27001.
This guide provides a structured verification framework for assessing SAST tool governance in enterprise and regulated environments.
Auditor Verification Checklist: Tool Selection Process
Before assessing tool capabilities, auditors should verify that the organisation followed a governed tool selection process.
- Does the organisation have a documented tool selection process for security tooling?
- Were governance criteria (auditability, evidence generation, policy enforcement) weighted appropriately during evaluation?
- Were multiple tools evaluated against a consistent set of requirements?
- Is there a documented rationale for the final selection decision?
- Was the selection process approved by appropriate stakeholders (security, engineering, compliance)?
- Is there evidence of ongoing tool effectiveness review?
1. Governance and Policy Enforcement
Auditors should verify that the SAST tool enforces security policies consistently and that policy configuration is itself governed.
Verification points
- Verify that the tool supports policy-based enforcement (block, warn, or report-only modes)
- Confirm that policies can be defined and differentiated by application, team, environment, or risk profile
- Assess whether policy configuration is versioned and auditable — changes to policies should be traceable
- Verify that rule customisation (severity, scope, exclusions) is governed and documented
- Confirm that the organisation has a path from visibility-only to enforced gating
Auditor question: Can the organisation demonstrate who changed SAST policies, when, and why?
2. CI/CD Integration Governance
Auditors should verify that the SAST tool is embedded in the software delivery pipeline as an automated, enforceable control.
Verification points
- Verify that SAST scans run automatically on pull requests, merges to main, and on scheduled intervals
- Confirm that pipeline fail conditions are defined and enforced based on policy
- Assess whether the tool operates at scale across all in-scope repositories without manual intervention
- Verify that scan results are accessible via API or structured export for aggregation and review
- Confirm that SAST integration is monitored — failures and gaps in execution are detected and escalated
Auditor question: Can the organisation demonstrate that SAST runs on every relevant pipeline execution, and that gaps are detected?
3. Findings Management and Signal Quality
Governance of how findings are triaged, suppressed, and resolved is as important as the tool's detection capability.
Verification points
- Verify that findings are clearly mapped to code locations and include actionable remediation guidance
- Confirm that false positive suppression requires justification and approval
- Assess whether risk acceptance decisions are documented with appropriate sign-off
- Verify that detection logic supports recognised standards (CWE, OWASP mappings)
- Confirm that suppression and reclassification history is preserved and auditable
Auditor question: Can the organisation produce a complete audit trail for any suppressed or accepted finding?
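As an added example (not code from the original page or from any SAST vendor), the following Python models the gating behaviour that sections 1 and 3 ask auditors to verify: an enforcement mode per risk profile, and suppressions that count only when they carry a justification and an approver. The policy table, rule ids, findings and suppression records are all constructed for illustration.

```python
# Added example (not the page's or any vendor's code): a pipeline gate applying
# block / warn / report-only modes per risk profile and honouring only governed
# suppressions (justified and approved). All data below is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule_id: str
    cwe: str
    severity: str        # "critical" | "high" | "medium" | "low"
    location: str        # "path:line", so the finding maps to code

@dataclass(frozen=True)
class Suppression:
    rule_id: str
    location: str
    justification: str   # why the finding is a false positive or accepted risk
    approved_by: str     # reviewer identity; empty means not approved

# Hypothetical policy table: risk profile -> (enforcement mode, gated severities)
POLICY = {
    "tier1":    ("block",       {"critical", "high"}),
    "tier2":    ("warn",        {"critical", "high"}),
    "internal": ("report-only", set()),
}
DECISION_FOR_MODE = {"block": "fail", "warn": "warn", "report-only": "pass"}

def is_governed(s: Suppression) -> bool:
    """A suppression is honoured only if it carries a justification and an approver."""
    return bool(s.justification.strip()) and bool(s.approved_by.strip())

def evaluate(findings, suppressions, profile):
    # Returns the gate decision plus the evidence an auditor would ask for
    mode, gated = POLICY[profile]
    honoured = {(s.rule_id, s.location) for s in suppressions if is_governed(s)}
    ungoverned = [s for s in suppressions if not is_governed(s)]
    violations = [f for f in findings
                  if f.severity in gated and (f.rule_id, f.location) not in honoured]
    decision = DECISION_FOR_MODE[mode] if violations else "pass"
    return {"decision": decision, "violations": violations,
            "ungoverned_suppressions": ungoverned}

FINDINGS = [  # constructed sample scan output
    Finding("SQLI-001", "CWE-89", "critical", "app/db.py:42"),
    Finding("XSS-004", "CWE-79", "high", "web/view.py:17"),
    Finding("LOG-010", "CWE-532", "low", "app/log.py:9"),
]
SUPPRESSIONS = [  # constructed suppression records
    Suppression("XSS-004", "web/view.py:17", "Template layer HTML-escapes output", "appsec-lead"),
    Suppression("SQLI-001", "app/db.py:42", "", ""),  # ungoverned: no justification, no approver
]
```

Running `evaluate(FINDINGS, SUPPRESSIONS, "tier1")` fails the gate on the unsuppressed SQL injection finding and also surfaces the ungoverned suppression, which is the audit trail gap section 3 warns about.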
4. Coverage and Scope Governance
Auditors should verify that SAST coverage is aligned with the organisation's application portfolio and risk profile.
Verification points
- Verify that the tool covers all production languages and frameworks in scope
- Assess whether analysis depth is consistent across languages — not superficial for some and deep for others
- Confirm that rule sets are actively maintained and updated
- Verify that coverage gaps are identified, documented, and accepted through a formal risk process
Auditor question: Can the organisation demonstrate which applications are covered by SAST and which are not — and why?
5. Reporting, Evidence, and Audit Readiness
Evidence generation is a primary audit focus area. Auditors should verify that the SAST tool and its surrounding processes produce reliable, tamper-resistant evidence.
Verification points
- Verify that the tool provides historical trend analysis — vulnerability aging, remediation tracking, and policy violations over time
- Confirm that reports are audit-ready — timestamped, attributable, and reproducible
- Assess whether retention policies are configured and aligned with regulatory requirements
- Verify that evidence is exportable in formats suitable for regulatory review
- Confirm that evidence integrity is protected — results cannot be tampered with or deleted without detection
Auditor question: Can the organisation produce SAST evidence for any given release, tracing findings back to the specific commit and pipeline run?
Tool Governance Lifecycle
Auditors should assess whether the organisation manages SAST tooling as a governed capability with a defined lifecycle, not as a one-time procurement decision.
The five stages of tool governance:
- Selection: Was the tool selected through a formal, documented evaluation process with governance criteria?
- Deployment: Was the tool deployed consistently across all in-scope applications and pipelines?
- Operation: Is the tool actively monitored and maintained, and does it produce reliable results?
- Review: Is there a periodic review of the tool's effectiveness, coverage, and continued suitability?
- Replacement: Is there a defined process for replacing or decommissioning tools that no longer meet requirements?
Each stage should produce auditable evidence. The absence of any stage indicates a governance gap.
Red Flags for Auditors
The following indicators should raise concern during an audit of SAST tool governance:
- No documented tool selection process: The tool was adopted without a formal evaluation or comparison
- No governance criteria in selection — Evaluation focused solely on technical features without considering auditability, evidence generation, or policy enforcement
- No periodic effectiveness review: The tool has not been reassessed since its initial deployment
- Scans run manually or inconsistently: SAST is not integrated into the CI/CD pipeline as an automated control
- No evidence retention: Scan results and logs are not retained for audit purposes
- Uncontrolled suppression of findings — Developers can suppress vulnerabilities without governance oversight or documented justification
- Tool silently disabled or bypassed: Pipeline configurations allow SAST to be skipped without approval
- Unversioned policies: Changes to SAST rules and policies are not tracked or attributable
Regulatory Alignment
SAST tool governance maps directly to requirements in major regulatory frameworks. Auditors should assess alignment with the following:
DORA (Digital Operational Resilience Act)
- Article 9 requires ICT risk management frameworks that include testing of ICT systems — SAST is a primary control for code-level testing
- Requires proportionate and risk-based application of testing — auditors should verify SAST coverage aligns with criticality
- Mandates documented evidence of testing activities and outcomes
NIS2 (Network and Information Security Directive)
- Requires organisations to implement security measures in supply chain and development processes
- SAST tool governance demonstrates a proactive approach to secure development
- Evidence of continuous security testing supports compliance with risk management obligations
ISO 27001
- Annex A control A.8.25 (Secure development life cycle): SAST is a key technical control
- Annex A control A.8.29 (Security testing in development and acceptance) — requires evidence of security testing throughout the SDLC
- Requires documented processes, evidence of control operation, and periodic review
Conclusion
Auditing SAST tool governance requires looking beyond whether a tool is installed. Auditors should assess the full governance lifecycle — from selection through ongoing operation and review — and verify that the organisation produces the evidence required to demonstrate control effectiveness.
Organisations that treat SAST tool selection as a one-time procurement decision, rather than an ongoing governance responsibility, are likely to have gaps in coverage, evidence, and enforcement that expose them to regulatory and security risk.
Frequently Asked Questions — SAST Tool Governance
What should auditors verify first when assessing SAST tool governance?
Start with the tool selection process. Verify that a documented evaluation took place, that governance criteria (auditability, evidence generation, policy enforcement) were included, and that the decision was approved by appropriate stakeholders.
How does SAST tool governance relate to DORA and NIS2 compliance?
DORA requires documented evidence of ICT system testing, including code-level controls. NIS2 requires security measures in development processes. Governed SAST tooling — with evidence of consistent execution, policy enforcement, and periodic review — directly supports compliance with both frameworks.
What is the most common governance gap in SAST tool management?
The absence of periodic effectiveness review. Many organisations deploy a SAST tool and never reassess whether it continues to meet their security, compliance, and operational requirements — creating a gap between the control’s existence and its actual effectiveness.