When in the pipeline does each of SAST, DAST, and SCA run? [Basic]
Answer
SCA and SAST run early, in the pull request and build stages, because they need only source code and dependency manifests. DAST runs later, against a deployed test or staging environment, because it needs a running application to send requests to. Image and IaC scanning run in the build stage, before deployment, and runtime controls continue after release.
Technical explanation
SAST is useful before merge because developers can fix findings in the same code review cycle.
SCA should run on every dependency change and image build, and again on a schedule, because new vulnerabilities are published against packages that have not changed: a scan that was clean at merge time does not stay clean.
DAST should run after deployment to an ephemeral or staging environment with representative routes, authentication, and test data.
Hands-on example
Pipeline example:
- PR stage: lint, unit tests, SAST, SCA, secret scan.
- Build stage: image scan and SBOM generation.
- Test deploy stage: DAST (for example a ZAP baseline scan) against the freshly deployed build.
- Release stage: signature verification and admission policies.
- Production: runtime monitoring and vulnerability drift detection, meaning the released artifact is rescanned as new advisories are published.
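The same stage ordering as one GitHub Actions workflow. This is an added example, not code from the original page. The tool choices (gitleaks, Semgrep, Trivy, cosign, OWASP ZAP), the action version pins, the ghcr.io registry, a public package so that pulls need no login, and an application listening on port 8080 with a /healthz route are all assumptions. SBOM generation is not shown; it would sit in build-image beside the image scan. A pull request runs only pr-checks; a push to main runs the whole chain; the nightly schedule reruns pr-checks against main's lockfiles and rescan-released against what is deployed, which is where the production-stage drift detection lives. Admission policies are enforced cluster-side (for example by a Sigstore policy controller or Kyverno) and are outside the workflow.

```yaml
name: devsecops-pipeline
on:
  pull_request:
  push:
    branches: [main]
  schedule:
    - cron: "0 3 * * *"   # nightly rerun: the code is unchanged, the vulnerability database is not
permissions:
  contents: read
  packages: write         # push the image to ghcr.io (package assumed public, so pulls need no login)
  id-token: write         # keyless cosign signing with the job's OIDC identity
jobs:
  # PR stage: checks that need only source. Fast feedback, blocks the merge.
  pr-checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so the secret scan sees every commit on the branch
      - name: Secret scan
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: SAST
        run: |
          pip install semgrep
          semgrep scan --config p/default --error .   # --error: non-zero exit on findings
      - name: SCA on manifests and lockfiles
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          severity: HIGH,CRITICAL
          ignore-unfixed: true   # block only where an upgrade exists
          exit-code: "1"
  # Build stage: the artifact exists now, so scan the artifact itself and sign it. Skipped on PRs.
  build-image:
    needs: pr-checks
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    outputs:
      digest: ${{ steps.push.outputs.digest }}
    steps:
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: push
        uses: docker/build-push-action@v6   # no checkout needed: builds from the git context
        with:
          push: true
          tags: ghcr.io/${{ github.repository }}:main
      - name: Image scan (OS packages plus dependencies baked into the image)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ghcr.io/${{ github.repository }}@${{ steps.push.outputs.digest }}
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: "1"
      - uses: sigstore/cosign-installer@v3
      - name: Sign the digest, not the tag (a tag can be moved later)
        run: cosign sign --yes "ghcr.io/${{ github.repository }}@${{ steps.push.outputs.digest }}"
  # Test-deploy stage: DAST needs a running app, so run the built image and scan it.
  dast:
    needs: build-image
    runs-on: ubuntu-latest
    steps:
      - name: Start an ephemeral instance (port 8080 and /healthz are assumptions)
        run: |
          docker run -d --name app -p 8080:8080 "ghcr.io/${{ github.repository }}@${{ needs.build-image.outputs.digest }}"
          for i in $(seq 1 30); do curl -fsS http://localhost:8080/healthz && break; sleep 2; done
      - name: ZAP baseline scan   # -I keeps warnings non-blocking; promote triaged rules to FAIL with -c rules.tsv
        run: |
          docker run --rm --network host -v "$PWD:/zap/wrk:rw" ghcr.io/zaproxy/zaproxy:stable \
            zap-baseline.py -t http://localhost:8080 -r zap-report.html -I
  # Release stage: deploy only the exact digest that was scanned, tested and signed.
  release:
    needs: [build-image, dast]
    runs-on: ubuntu-latest
    steps:
      - uses: sigstore/cosign-installer@v3
      - name: Verify the signature came from this repository's workflow, then deploy that digest
        run: |
          cosign verify "ghcr.io/${{ github.repository }}@${{ needs.build-image.outputs.digest }}" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp "^https://github.com/${{ github.repository }}/"
  # After release: rescan what is running in production; only the nightly run reaches here.
  rescan-released:
    if: github.event_name == 'schedule'
    runs-on: ubuntu-latest
    steps:
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ghcr.io/${{ github.repository }}:main   # tag currently deployed (assumption)
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: "1"
```

Two design points worth noting. Every job after the build refers to the image by digest, so the thing DAST tested, cosign signed and the release verifies is provably the same bytes; the mutable `:main` tag is only used by the nightly rescan to find whatever is currently deployed. Second, `ignore-unfixed: true` keeps the gates actionable: a finding with no available upgrade still lands in the report, but it cannot block a developer who has nothing to change.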
More Security & DevSecOps interview questions
- What is DevSecOps, and how does it differ from traditional security gating at the end? [Basic]
- What does shift-left security mean, and why does it matter? [Basic]
- What is the difference between SAST, DAST, IAST, and SCA? [Basic]
- What is the difference between SAST and DAST, and what does each catch and miss? [Basic]
- What is software composition analysis (SCA), and why does it matter for dependencies? [Basic]
- What is SonarQube, and what does it analyse? [Basic]
- Is SonarQube primarily SAST, code quality, or both? [Basic]
- What is a SonarQube quality gate, and how do you use it to fail a build? [Basic]