Application of Static Application Security Testing (SAST) in CI/CD Pipelines for Early Detection of Insecure Coding Practices through Syntax Tree Analysis and Custom Rule Sets
Abstract
This study investigates the integration of Static Application Security Testing (SAST) within Continuous Integration/Continuous Deployment (CI/CD) pipelines to enable early identification of insecure coding practices via abstract syntax tree (AST) analysis and customizable rule sets. Using a mixed-methods approach, we analyzed 150 open-source Java and Python repositories from GitHub (2018–2021) with a custom SAST framework built on SonarQube and Semgrep. The methodology incorporated AST parsing, pattern matching, and rule-based detection to flag vulnerabilities such as SQL injection, cross-site scripting (XSS), and insecure deserialization. Results revealed a 68% reduction in critical vulnerabilities when SAST was enforced at the commit stage, with 92% of high-severity issues detected before code merge. Custom rule sets improved detection accuracy by 41% over default configurations. The findings underscore the efficacy of syntax-driven analysis in shifting security left in DevOps workflows, offering scalable, automated, and context-aware vulnerability mitigation. This research contributes to secure software engineering by demonstrating measurable improvements in code quality and pipeline resilience.
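As an added illustration, not code from the paper's SonarQube/Semgrep framework, the following Python check shows the kind of AST-driven custom rule the abstract describes: it parses source with the standard library `ast` module, flags `execute()`/`executemany()` calls whose SQL text is assembled at runtime, and exits non-zero so a commit-stage CI job can block the merge. The rule id, message text and sample input are constructed for this example.

```python
"""AST-based detector for SQL built by concatenation or formatting (hypothetical custom rule)."""
import ast

RULE_ID = "py.sqli.execute-string-building"  # constructed rule id, not from the paper


def _is_string_built(node: ast.AST) -> bool:
    """True if the expression assembles a string from runtime pieces."""
    if isinstance(node, ast.JoinedStr):                      # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "a" + x  or  "a %s" % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                    # "a {}".format(x)
    return False


def find_sqli_candidates(source: str, filename: str = "<memory>") -> list[dict]:
    """Parse `source` and report execute()/executemany() calls whose query is built dynamically."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        if node.func.attr not in ("execute", "executemany") or not node.args:
            continue
        if _is_string_built(node.args[0]):   # only the statement argument is inspected
            findings.append({"rule": RULE_ID, "file": filename, "line": node.lineno,
                             "message": "SQL assembled from runtime values; use a parameterized query"})
    return findings


# Constructed sample input: three dynamically built queries and one parameterized query.
SAMPLE = '''
def lookup(cur, user):
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")   # line 3: flagged
    cur.execute(f"SELECT * FROM users WHERE name = '{user}'")        # line 4: flagged
    cur.execute("SELECT * FROM users WHERE name = '%s'" % user)      # line 5: flagged
    cur.execute("SELECT * FROM users WHERE name = %s", (user,))      # line 6: not flagged
'''

if __name__ == "__main__":
    results = find_sqli_candidates(SAMPLE, "sample.py")
    for f in results:
        print(f"{f['file']}:{f['line']}: {f['rule']}: {f['message']}")
    raise SystemExit(1 if results else 0)   # non-zero exit lets the CI stage fail the commit
```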