Easy Static Application Security Testing with Salient | Salient Engineering

Easy Static Application Security Testing with Salient

Learn how to set up the Salient Static Application Security Testing (SAST) appliance to monitor your GitHub codebase for vulnerabilities and receive Slack or Discord notifications.

Estimated Deployment Time: 15 Minutes

The Basics

The Salient Static Application Security Testing (SAST) appliance keeps a watchful eye on your GitHub codebase. Whenever new code is pushed or merged into your target branch, the appliance springs into action, running a comprehensive static security test against the new code to sniff out vulnerabilities.

If it finds any new security flaws, you'll instantly get an alert in your designated Slack or Discord channel. The alert includes:

  • The vulnerable file's path
  • The exact type of vulnerability
  • A quick, easy-to-understand explanation
  • The specific code snippet and line number
  • A detailed reference link for more context

Why SAST Matters

Integrating SAST scanning into your Software Development Life Cycle (SDLC) is one of the smartest security moves you can make. By identifying vulnerabilities early—long before your code hits production—you save both time and money. Because SAST analyzes your source code without executing the program, developers get immediate feedback about coding errors and compliance issues while they're still working on the code.

Plus, building SAST into your workflow helps you check the box on regulatory requirements, drastically lowers your risk of a data breach, and proves to your users that you take their security seriously. Since our appliance runs out-of-band and pushes alerts directly to your chat apps, getting actionable security feedback has never been easier.

Deployment Guide

In this guide, we'll deploy the Salient SAST appliance through the AWS marketplace, then configure the necessary policies so it can read your private GitHub repos and post messages to Slack/Discord.

1. Configure AWS Secrets Manager

  1. Head over to AWS Secrets Manager and create a new secret. Set the type to "Other type of secret" and create the following key-value pairs (the key names are case-sensitive and must match this list exactly):

    • Discord_Username
    • Discord_Webhook
    • Slack_Username
    • Slack_Webhook
    • GitHub_Username
    • GitHub_PAT (Personal Access Token)
    • Repository
    • Branch

    Note: You can use either Slack, Discord, or both. Setting up webhooks for these platforms only takes a minute.

  2. The default encryption key is fine. Name your secret SAST and add an optional description.

  3. Skip the rotation settings and save the secret.

  4. Important: Copy the Secret ARN; you'll need it for the next step.

2. Configure the IAM Policy and Role

  1. Go to IAM > Policies and click Create policy.
  2. Select the JSON tab and paste this policy document (make sure to replace the placeholder ARN with your actual Secret ARN):
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "secretsmanager:GetResourcePolicy",
                    "secretsmanager:GetSecretValue",
                    "secretsmanager:DescribeSecret",
                    "secretsmanager:ListSecretVersionIds"
                ],
                "Resource": [
                    "arn:aws:secretsmanager:us-east-1:1234567890:secret:SAST-xxxxxx"
                ]
            },
            {
                "Effect": "Allow",
                "Action": "secretsmanager:ListSecrets",
                "Resource": "*"
            }
        ]
    }
    
  3. Name the policy ReadSecrets and create it.
  4. Head over to IAM > Roles and click Create role.
  5. Choose AWS service as the trusted entity and select EC2 as your use case.
  6. Search for your new ReadSecrets policy and attach it.
  7. Name the role SAST and click Create role.

3. Deploy the SAST Appliance

  1. Launch the Salient SAST appliance from the AWS marketplace into your public subnet.
  2. In your EC2 dashboard, find your new SAST instance, right-click it, and choose Security > Modify IAM role.
  3. Select the SAST role you just created and apply it.
  4. Reboot the instance.

You're all set! Your Salient SAST appliance is now monitoring your code. To avoid annoying alert fatigue, it only notifies you about new vulnerabilities, and it only sends each alert once.

Troubleshooting

Not seeing any alerts in Slack or Discord?

  • Double-check your IAM policy to ensure the Secret ARN is correct.
  • Confirm that the IAM role is actually attached to your EC2 instance.
  • Check AWS Secrets Manager to ensure your key names match our list exactly.
  • Verify your webhooks are working and correctly pasted into the secret.
  • Make sure you specified the correct GitHub branch.
  • If your repo is private, verify your GitHub Personal Access Token (PAT) hasn't expired and has the right permissions.
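The following is an added example, not part of the Salient appliance: an offline checker for the Secrets Manager and IAM policy steps above that covers the first three troubleshooting items. Given the SecretString JSON that Secrets Manager returns for the SAST secret and the ReadSecrets policy document, it reports missing or misspelled keys, an incomplete Slack/Discord configuration, non-HTTPS webhooks, and a policy whose Resource does not cover the secret's ARN; the sample inputs are constructed.

```python
import json

# Key names exactly as the Secrets Manager step of the guide lists them.
GITHUB_KEYS = ("GitHub_Username", "GitHub_PAT", "Repository", "Branch")
SLACK_KEYS = ("Slack_Username", "Slack_Webhook")
DISCORD_KEYS = ("Discord_Username", "Discord_Webhook")
KNOWN_KEYS = set(GITHUB_KEYS + SLACK_KEYS + DISCORD_KEYS)


def check_secret(secret_string):
    """Return the problems found in a SAST secret payload (empty list means OK)."""
    try:
        secret = json.loads(secret_string)
    except ValueError as exc:
        return ["secret is not valid JSON: %s" % exc]
    if not isinstance(secret, dict):
        return ["secret must be a JSON object of key/value pairs"]
    problems = []
    # The GitHub keys are mandatory: without them the appliance cannot fetch code.
    problems += ["missing or empty key: " + k for k in GITHUB_KEYS if not secret.get(k)]
    # At least one complete chat target (Slack, Discord or both) is required.
    slack_ok = all(secret.get(k) for k in SLACK_KEYS)
    discord_ok = all(secret.get(k) for k in DISCORD_KEYS)
    if not (slack_ok or discord_ok):
        problems.append("no complete Slack or Discord configuration")
    # Webhooks must be HTTPS URLs; a pasted channel name is a common mistake.
    for key in ("Slack_Webhook", "Discord_Webhook"):
        if secret.get(key) and not str(secret[key]).startswith("https://"):
            problems.append(key + " is not an HTTPS webhook URL")
    # Key names are case-sensitive: flag near misses such as 'github_pat'.
    by_lower = {k.lower(): k for k in KNOWN_KEYS}
    for key in secret:
        if key not in KNOWN_KEYS and key.lower() in by_lower:
            problems.append("key %r should be spelled %r" % (key, by_lower[key.lower()]))
    return problems


def policy_grants_secret(policy_json, secret_arn):
    """True if an Allow statement grants secretsmanager:GetSecretValue on secret_arn."""
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        # A wildcard resource also covers the secret (broader than the guide's policy).
        if "secretsmanager:GetSecretValue" in actions and (secret_arn in resources or "*" in resources):
            return True
    return False
```

To check a live deployment, feed check_secret() the output of `aws secretsmanager get-secret-value --secret-id SAST --query SecretString --output text` and policy_grants_secret() the policy JSON you pasted in IAM together with the ARN copied in step 1.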

Need the full SAST report? You can download the raw report from the server using SCP:

scp -i ~/.ssh/your-key.pem ec2-user@your-server-ip:/home/ec2-user/scans/semgrep.txt ./semgrep.txt

Frequently Asked Questions

Does the appliance decrypt my traffic?
No, the Salient SAST appliance never decrypts your network traffic.

What size EC2 instance do I need?
We recommend a t3.medium for production workloads.

How do I apply software updates?
Just reboot the instance—it will automatically install any required updates.