Static Application Security Testing (SAST) in CI/CD

A lot of the companies we are working with have asked about Static Application Security Testing (SAST). After discovering Salus, a security scanner coordinator, we were eager to dig in to see if it would fit the bill.

CircleCI recently released a configuration package and registry, so we wrote a CircleCI Orb (with contributions from Raphael Salas at WeWork) to run Salus as part of a CI/CD process, which was merged upstream.

It was a pleasure working with the Coinbase folks, who authored Salus, and Raphael! We're looking forward to building more around this Apache-licensed tool.

You can use it by adding the following:

  # .circleci/config.yml
  version: 2.1

  orbs:
    salus: federacy/salus@2.5.1

  workflows:
    scan:
      jobs:
        - salus/scan:
            enforced_scanners: "none"
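With `enforced_scanners: "none"`, Salus exits zero regardless of what its scanners find, so the pipeline keeps going and any gating must be added deliberately. The script below is an added example (not code from the orb or from Salus) that reads a Salus JSON report and returns a non-zero status when a chosen set of enforced scanners did not pass; the report layout it relies on (a `scans` map keyed by scanner name with a boolean `passed` per entry) is an assumption, and the embedded sample report is constructed.

```python
import json
import sys
from typing import Dict, List

# Constructed sample of a Salus JSON report. Assumed shape: a "scans" map
# keyed by scanner name, each entry carrying a boolean "passed".
SAMPLE_REPORT = json.dumps({
    "version": "2.5.1",
    "project_name": "example-app",
    "scans": {
        "Brakeman": {"passed": True, "info": {}, "warn": {}, "errors": []},
        "BundleAudit": {"passed": False, "info": {}, "warn": {}, "errors": []},
        "PatternSearch": {"passed": True, "info": {}, "warn": {}, "errors": []},
    },
})


def parse_report(raw: str) -> Dict[str, bool]:
    """Return {scanner_name: passed} from a Salus report string."""
    scans = json.loads(raw).get("scans", {})
    return {name: bool(result.get("passed", False)) for name, result in scans.items()}


def failing_enforced(results: Dict[str, bool], enforced) -> List[str]:
    """Scanners that should gate the build and did not pass.

    `enforced` mirrors the Salus setting: "all", "none", or a list of
    scanner names. An enforced scanner missing from the report counts as
    failing, so a scanner that silently did not run cannot pass the gate.
    """
    if enforced == "none":
        return []
    names = list(results) if enforced == "all" else list(enforced)
    return sorted(n for n in names if not results.get(n, False))


def gate(raw: str, enforced) -> int:
    """Exit status for a CI step: 0 only when every enforced scanner passed."""
    failures = failing_enforced(parse_report(raw), enforced)
    for name in failures:
        print(f"enforced scanner did not pass: {name}")
    return 1 if failures else 0


if __name__ == "__main__":
    # Usage: python gate.py [path/to/salus/report.json]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            raw = fh.read()
    else:
        raw = SAMPLE_REPORT
    sys.exit(gate(raw, ["Brakeman", "BundleAudit"]))
```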

Further documentation here: