AST

AST: Application Security Testing, 静态应用程序安全测试, 对应用程序源代码执行直接的白盒分析.

SAST

SAST: Static Application Security Testing

Tools: SonarQube, Trivy, Coverity.

gitlab SAST report. gitlab secret detection report.

DAST

DAST: Dynamic Application Security Testing，动态应用程序安全测试, 对应用程序进行黑盒分析.

Tools:

ZAP Scan(OWASP ZAP)

synopsys WhiteHat Sentinel.

gitlab DAST report.

IAST

IAST: Interactive Application Security Testing，交互式应用程序安全测试, 结合了SAST和DAST的优点.

SCA

SCA: Software Composition Analysis.

SBOM (software Bill of Materials),开源组件安全扫描

Tools： BlackDuck, Jfrog Xray.

gitlab dependency scanning report.