SAST_COVERAGE
Repositories must be scanned by an external static analysis tool (e.g., Opengrep, CodeQL) with no critical or high-severity findings.
Framework Mappings
- SOC 2 CC7.1 — System Monitoring
- EU AI Act ART15 — Cybersecurity
- NIST AI RMF MG3 — Manage AI Risks
- OWASP LLM LLM02 — Sensitive Information Disclosure
Agent Frameworks Scanned
- JavaScript
- TypeScript
- Python
- Go
- Java
- Ruby
Evaluation Facets
01 SAST Scan Executed
Required. Weight: 0.3
Pass: At least one external SAST tool successfully scanned the repository
Fail: No SAST tool ran — scanner not installed or disabled

02 No Critical SAST Findings
Required. Weight: 0.4
Pass: Zero critical-severity findings from any SAST tool
Fail: One or more critical-severity findings detected

03 No High SAST Findings
Weight: 0.3
Pass: Zero high-severity findings from any SAST tool
Fail: One or more high-severity findings detected
Remediation Steps
1. Enable Opengrep or CodeQL in your scanner configuration
2. Fix all critical-severity findings (SQL injection, command injection, etc.)
3. Address high-severity findings (XSS, path traversal, SSRF, etc.)
4. Run SAST scans in CI to catch regressions before merge
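The facet rubric above, implemented as an added example (not Brigs' own evaluator) that could also serve as the CI gate in remediation step 4. It assumes scanner findings have already been normalized to critical/high/medium/low severities, that the finding facets cannot pass unless a scan actually ran, and that a failed Required facet zeroes the weighted score.

```python
from dataclasses import dataclass, field

# The three facets from this control: (facet id, required, weight).
FACETS = [("01", True, 0.3), ("02", True, 0.4), ("03", False, 0.3)]


@dataclass
class ScanResult:
    """One SAST tool run. Severities are assumed already normalized to
    'critical' / 'high' / 'medium' / 'low' (tool-specific mapping not shown)."""
    tool: str
    executed: bool
    severities: list = field(default_factory=list)


def evaluate(scans):
    """Grade the control: per-facet pass/fail, weighted score, overall verdict."""
    ran = [s for s in scans if s.executed]
    findings = [sev.lower() for s in ran for sev in s.severities]
    outcomes = {
        # 01: at least one external tool actually scanned the repository
        "01": bool(ran),
        # 02/03: "zero findings" is only meaningful if a scan ran (assumption)
        "02": bool(ran) and "critical" not in findings,
        "03": bool(ran) and "high" not in findings,
    }
    required_ok = all(outcomes[fid] for fid, req, _ in FACETS if req)
    # Assumption: a failed Required facet zeroes the score; otherwise sum weights.
    score = round(sum(w for fid, _, w in FACETS if outcomes[fid]), 2) if required_ok else 0.0
    return {"facets": outcomes, "score": score, "passed": all(outcomes.values())}


if __name__ == "__main__":
    # Constructed sample runs, not real scanner output.
    sample = [ScanResult("opengrep", True, ["high", "low"]), ScanResult("codeql", True, [])]
    print(evaluate(sample))  # facet 03 fails -> score 0.7, passed False
```

In CI, exit non-zero when `evaluate(...)["passed"]` is false to block the merge.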
Evaluate this control automatically
Connect your repos and Brigs evaluates SAST_COVERAGE across all your agent configurations.