Here at GitHub, we work hard to give you the right tools and knowledge so you can keep your projects secure. From providing best practices on keeping your projects safe to explaining today’s most common security vulnerabilities, it’s our job to help make the open source ecosystem a safe and productive place.

And the security space has changed. I remember when I first started my security career, it was common for organizations to have security experts test code right before it was about to ship. But these days, several application security testing tools have gained popularity—allowing developers to secure their code themselves. These include static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA), and interactive application security testing (IAST) among others. Such tools empower individual developers to become security experts—bypassing the frustration and wasted time and money that come with reactive security approaches.

Today, we’ll focus on SCA and SAST. Both these capabilities strengthen security and empower you to stay ahead of attackers. But what exactly are they? And which one is right for your project?

What is an SCA tool?

SCA tools help you detect and manage the security posture of all open source components in your organization’s codebase. Once a piece of open source code is identified, these tools can determine whether there are any security threats or licensing information that requires attribution or policy compliance. Advanced SCA tools automate the entire process of managing open source components. They also provide comprehensive information about the vulnerabilities so developers can easily fix them. SCA tools can be used throughout the software development lifecycle (SDLC).

What is a SAST tool?

SAST tools address security issues in your organization’s proprietary software. They analyze source code by scanning it for known vulnerable code patterns, which identifies potential security flaws and vulnerabilities. SAST takes place early in the SDLC, as it does not require a working application and can run without executing code. SAST tools give developers real-time feedback as they code, helping them remediate issues before the code is passed on to the next phase of the SDLC.

SCA | SAST
Addresses open source code | Addresses proprietary code
Fixes involve patching vulnerabilities | Fixes involve writing more secure code or addressing security weaknesses
Commonly has false negatives when a library is not known by a tool | Commonly has false positives where an issue is not in fact a security risk

SCA and SAST work synergistically with each other and are both important for keeping your software secure.

The remediation process

With SCA tools, it’s easier to fix vulnerabilities, as developers simply need to patch or download the latest version of the source code. SAST tools typically provide guidance on how to remediate, but the suggestions can be difficult to follow and require code changes. Both tools can be used across the SDLC, but the best collaboration occurs at the pull request.

False positives and speed

With SCA tools, we can see the false negatives—that is, the library is not indexed and therefore is not matched. SCA tools are fast and run their scans in seconds with no impact on build, no matter the size of the project. However, traditional SAST tools are more time-consuming since they were built at a time when testing was done outside of the SDLC (GitHub’s code scanning, by contrast, is done inside the SDLC, taking far less time).
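As an added illustration (not code from GitHub or from this post), the toy Python below contrasts the two failure modes described above and in the comparison table: a dependency lookup against a constructed advisory index, which can only say "unindexed" for a package it has never seen (the SCA false negative), and a pattern rule that flags every shell=True call, including a harmless constant command (the SAST false positive). The advisory entry, package names and sample inputs are all constructed placeholders.

```python
import re

# Constructed advisory index (placeholder data, not a real advisory):
# package name -> (first vulnerable version, first fixed version).
ADVISORIES = {
    "examplelib": ((1, 0, 0), (1, 4, 2)),
}

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def sca_scan(requirements):
    """Match pinned requirements against the advisory index.
    Returns (name, version, status) with status 'vulnerable', 'fixed'
    or 'unindexed'; an unindexed package is where an SCA false negative hides."""
    findings = []
    for raw in requirements.splitlines():
        line = raw.split("#")[0].strip()      # drop comments and blank lines
        if not line:
            continue
        name, _, version = line.partition("==")
        if name not in ADVISORIES:
            findings.append((name, version, "unindexed"))
            continue
        first_bad, first_fixed = ADVISORIES[name]
        affected = first_bad <= parse_version(version) < first_fixed
        findings.append((name, version, "vulnerable" if affected else "fixed"))
    return findings

# Toy SAST rule: any subprocess call with shell=True is a known risky pattern.
SHELL_CALL = re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True")

def sast_scan(source):
    """Return (line_no, line) for each line matching the pattern. A constant
    command string matches too: that is the SAST false positive to triage."""
    return [(no, line.strip()) for no, line in enumerate(source.splitlines(), 1)
            if SHELL_CALL.search(line)]

# Constructed sample inputs.
REQUIREMENTS = """examplelib==1.2.0
otherlib==3.1.0   # never indexed: SCA reports nothing useful here
"""
SOURCE = '''import subprocess
subprocess.run("ls -l", shell=True)              # constant command: benign
subprocess.run("ls " + user_input, shell=True)   # user-controlled: real risk
'''

if __name__ == "__main__":
    print(sca_scan(REQUIREMENTS))
    print(sast_scan(SOURCE))
```

The second SAST hit is the one worth fixing; the first is noise a reviewer must dismiss, while the unindexed package is a gap the SCA lookup cannot see at all.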

As you can see, SCA and SAST tools cover different areas. They are both important pieces to the puzzle of keeping your software secure.

SCA and SAST on GitHub

As the home for all developers, we have our own versions of SCA and SAST: Dependabot and code scanning, respectively. Developers are welcome to use Dependabot and code scanning for free on their OSS projects. Enterprise users can leverage GitHub Advanced Security (GHAS) to secure their code.

Dependabot makes it easy to find and fix vulnerable dependencies in your repository. Once enabled, it’s always on to alert you about vulnerabilities in the software you depend on. You can even go further by enabling Dependabot security updates, and Dependabot will automatically create pull requests to fix security alerts as they happen.

Dependabot catches dependencies in real time, allowing you to understand:
  • Which dependencies were added, removed, or updated, along with the release dates
  • How many projects use the respective components
  • The vulnerability data for each dependency
  • If your code is making a vulnerable call

Code scanning examines your code for security issues as it’s being written and integrates fixes natively into your developer workflow. Every Git push is scanned for new potential vulnerabilities. Results are displayed directly in your pull request. Code scanning uses CodeQL, which includes more than 2,000 CodeQL queries written and open-sourced by the GitHub Security Lab and leading researchers. This helps you find vulnerabilities with minimal configuration.

We know there are a lot of tools out there promising the best security experience. We hope you walk away with a better understanding of how SCA and SAST tools differ and how they can help secure your code.

To learn more about Dependabot, visit our Dependabot Docs page.

To learn more about code scanning, visit our code scanning Docs page.