2.5 SAST / DAST present
Static and dynamic application security testing (SAST and DAST) are both in place and produce findings an agent can act on. Every finding suppression and rule disable carries accountability: a documented rationale, a named reviewer, and an expiry date where applicable. Tool choice is project-dependent (e.g. Aikido, or SonarQube for compliance cases); the concern is coverage across both testing classes, not a specific vendor.
Levels
Level 0
None
Level 1
One tool covering only one of the two testing classes (static or dynamic), partial coverage.
Level 2
Both static and dynamic application security testing in place, tuned, with agent-actionable findings. Every finding suppression and rule disable carries a documented rationale and a named reviewer, stored in version control alongside the code it covers; suppressions of high-severity findings additionally carry an expiry date after which re-review is mandatory. A suppression without this documentation blocks merge.
Level 3
Findings are triaged by past resolution patterns; recurring vulnerability classes auto-generate prevention tasks. Stale or expired suppressions are auto-flagged for review; recurring suppression patterns generate hardening tasks rather than additional waivers; the suppression rate is tracked and trends toward zero.
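One way to enforce the Level 2 merge gate (rationale, named reviewer, expiry on high-severity waivers) and the Level 3 checks for expired suppressions and recurring suppression patterns in CI. This is an added example, not code from this page or from any scanner's own configuration. It assumes a hypothetical project-local suppressions file kept in version control next to the code it covers, embedded here as constructed JSON; the record fields, the 90-day maximum waiver window and the recurrence threshold are assumptions, not values the criterion specifies.

```python
"""Merge gate for SAST/DAST finding suppressions (added example, hypothetical format)."""
import json
from collections import Counter
from datetime import date, timedelta

HIGH_SEVERITIES = {"critical", "high"}
# Assumed policy values, not taken from the criterion text.
MAX_HIGH_WAIVER_DAYS = 90      # how far out a high-severity waiver may be dated
RECURRENCE_THRESHOLD = 2       # waivers of one rule that count as a recurring pattern

# Constructed sample suppressions file: one record per suppression or rule disable.
SAMPLE_SUPPRESSIONS = json.dumps([
    {"id": "sup-001", "tool": "sast", "rule": "sql-injection", "path": "app/db.py",
     "severity": "high", "reviewer": "alice", "expires": "2025-05-01",
     "rationale": "Query goes through the parameterised builder; rule fires on an f-string log line"},
    {"id": "sup-002", "tool": "dast", "rule": "missing-csp", "path": "/healthz",
     "severity": "low", "reviewer": "bob",
     "rationale": "Plain-text health endpoint reachable only by the load balancer"},
    {"id": "sup-003", "tool": "sast", "rule": "hardcoded-secret", "path": "tests/fixtures.py",
     "severity": "high", "reviewer": "carol", "expires": "2025-04-15",
     "rationale": ""},                                   # undocumented: must block merge
    {"id": "sup-004", "tool": "sast", "rule": "weak-hash", "path": "legacy/checksum.py",
     "severity": "high", "reviewer": "", "expires": "2024-01-01",
     "rationale": "MD5 used for a non-security file checksum"},   # no reviewer, expired
    {"id": "sup-005", "tool": "sast", "rule": "hardcoded-secret", "path": "tests/seed.py",
     "severity": "medium", "reviewer": "dave",
     "rationale": "Fixture credentials for a throwaway local database"},
])


def validate_suppression(record, today):
    """Return the list of policy violations for one suppression record (empty if clean)."""
    problems = []
    if not record.get("rationale", "").strip():
        problems.append("missing rationale")
    if not record.get("reviewer", "").strip():
        problems.append("missing named reviewer")
    if record.get("severity", "").lower() in HIGH_SEVERITIES:
        expires = record.get("expires")
        if not expires:
            problems.append("high-severity suppression has no expiry date")
        else:
            exp = date.fromisoformat(expires)
            if exp < today:
                problems.append(f"expired on {expires}, re-review required")
            elif exp - today > timedelta(days=MAX_HIGH_WAIVER_DAYS):
                problems.append(f"expiry more than {MAX_HIGH_WAIVER_DAYS} days out")
    return problems


def gate(suppressions_json, today=None):
    """Evaluate every record. Returns (ok, {suppression_id: [violations]})."""
    today = today or date.today()
    violations = {}
    for record in json.loads(suppressions_json):
        problems = validate_suppression(record, today)
        if problems:
            violations[record["id"]] = problems
    return not violations, violations


def recurring_rules(suppressions_json, threshold=RECURRENCE_THRESHOLD):
    """Rules suppressed at least `threshold` times: candidates for a hardening task, not another waiver."""
    counts = Counter((r["tool"], r["rule"]) for r in json.loads(suppressions_json))
    return {f"{tool}:{rule}": n for (tool, rule), n in counts.items() if n >= threshold}


def demo():
    """Run the gate over the constructed sample at a fixed date so the result is reproducible."""
    return gate(SAMPLE_SUPPRESSIONS, today=date(2025, 3, 1))


if __name__ == "__main__":
    ok, violations = demo()
    for sid, problems in violations.items():
        print(f"{sid}: {'; '.join(problems)}")
    for rule, n in recurring_rules(SAMPLE_SUPPRESSIONS).items():
        print(f"hardening task candidate: {rule} suppressed {n} times")
    raise SystemExit(0 if ok else 1)   # non-zero exit fails the merge check
```

Run as a required CI step against the real suppressions file so the exit status blocks merge; the recurrence report is the input for the Level 3 hardening tasks, and diffing the violation set between runs gives the suppression-rate trend.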
Recipes that advance this criterion
No recipes yet.