Description
Address OSPS-VM-06.02 baseline requirement.
Requirement: While active, all changes to the project's codebase MUST be automatically evaluated against a documented policy for security weaknesses and blocked in the event of violations except when declared and suppressed as non-exploitable.
Recommendation: Create a status check in the project's version control system that runs a Static Application Security Testing (SAST) tool on all changes to the codebase. Require that the status check passes before changes can be merged.
Control applies to: Maturity Level 3
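As an added example (not part of this issue or the baseline text), the following GitHub Actions workflow implements the recommendation above with CodeQL as the SAST tool: it runs on every pull request and on pushes to the default branch, and its job becomes a status check that branch protection can require before merge. The branch name, job name and language list are assumed placeholders to adapt to the project.

```yaml
# Added example workflow, not the project's own configuration.
# Runs CodeQL (SAST) on all changes; the job is then required as a status check.
name: SAST (CodeQL)

on:
  pull_request:
    branches: [main]            # assumed default branch
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write        # required to upload results to code scanning

jobs:
  codeql:
    name: codeql-analysis       # this name is what the branch protection rule references
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [go, javascript]   # assumed project languages
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # The chosen query suite is the "documented policy" the changes are evaluated against.
          queries: security-extended
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

With a matrix, each leg appears as a separate check (for example "codeql-analysis (go)"); add each one to the branch protection rule or ruleset as a required status check so a failing analysis blocks the merge. To satisfy the "declared and suppressed as non-exploitable" clause, findings should be dismissed only through the tool's alert-dismissal mechanism with a recorded reason, not by removing the check.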
External Framework Mappings
BPB: B-S-8, Q-B-12, Q-S-9, S-B-14, S-B-15, A-B-1, A-B-3, A-B-8, A-S-1
CRA: 1.2a, 1.2b, 1.2c, 2.1, 2.2, 2.3, 2.4
SSDF: PO.4, PW.1.2, PW.8.1, RV.1.2, RV.1.3, RV.2.1, RV.2.2
CSF: GV.RM-05, GV.RM-06, GV.PO-01, GV.PO-02, ID.RA-01, ID.RA-08, ID.IM-02
ISO-18974: 4.1.5, 4.2.1, 4.2.2, 4.3.2
OpenCRE: 155-155, 124-564, 757-271, 464-513, 611-158, 207-435, 088-377
Scorecard: Security-Policy, Vulnerabilities, SAST
PSSCRM: G5.4, P4.1, P4.2, P4.3, P4.4, P4.5
SAMM: Implementation - Secure Build - Build Process Lvl3, Implementation - Software Dependencies Lvl3, Verification - Security Testing - Scalable Baseline Lvl1, Verification - Security Testing - Scalable Baseline Lvl3
PCIDSS: 6.2.3, 6.3.1, 6.3.2, 6.4.1, 6.4.2, 6.5.2
UKSSCOP: 1.3, 1.4
800-161: CA-7, RA-5, SA-11, SI-2, SI-3