To scan application code for security problems automatically as part of the development and build process, suitable scan tools can be integrated directly into the build infrastructure (e.g. a continuous integration server such as Jenkins), where they form a so-called "AppSec pipeline": a sequence of build stages that run the scanners and fail the build when findings exceed an agreed threshold.
A number of different approaches and tools exist for this purpose (e.g. SAST, IAST, DAST, dependency checkers). There is, however, no single "best" tool or approach; which solution is most suitable depends mostly on the customer's technology stack and development environment.
The following figure illustrates how a dedicated AppSec pipeline can be implemented:
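As an added example (not code from the original page or from any particular project), the following declarative Jenkinsfile shows how such a pipeline can look in practice: a SAST stage (Semgrep), a dependency check (OWASP Dependency-Check) and a DAST stage (OWASP ZAP baseline scan) run after the build, each configured so that it fails the build rather than only producing a report. The Gradle build command, the `scripts/start-test-instance.sh` / `scripts/stop-test-instance.sh` helpers, the target URL and the CVSS threshold are assumptions about the project under test and must be adapted; the tool invocations use documented options of the respective tools.

```groovy
// Added example Jenkinsfile: a minimal AppSec pipeline with fail-the-build gates.
// Assumed: Semgrep and dependency-check.sh are installed on the agent, Docker is
// available for ZAP, and the project ships the start/stop scripts referenced below.
pipeline {
    agent any

    environment {
        // Assumed values: adjust for the project under test.
        TARGET_URL = 'http://localhost:8080'  // test instance scanned by the DAST stage
        CVSS_FAIL  = '7.0'                    // dependency findings at/above this fail the build
    }

    stages {
        stage('Build') {
            steps {
                sh './gradlew build -x test'  // assumes a Gradle project
            }
        }

        stage('SAST') {
            steps {
                // --error makes Semgrep exit non-zero when findings exist, so the
                // step (and the build) fails instead of silently archiving a report.
                sh 'semgrep scan --config auto --error --json --output semgrep.json'
            }
        }

        stage('Dependency check') {
            steps {
                // --failOnCVSS turns the scan into a gate on known vulnerable components.
                sh 'dependency-check.sh --project "$JOB_NAME" --scan . ' +
                   '--format JSON --out dc-report --failOnCVSS "$CVSS_FAIL"'
            }
        }

        stage('DAST') {
            steps {
                // Start the freshly built application (assumed helper script), then run
                // the ZAP baseline scan against it. The baseline scan spiders the target
                // and reports passive-scan findings; it exits 1 on FAIL and 2 on WARN,
                // so either fails the sh step. Add -I to ignore warnings if too noisy.
                sh './scripts/start-test-instance.sh'
                sh 'docker run --rm --network host -v "$PWD":/zap/wrk:rw ' +
                   'ghcr.io/zaproxy/zaproxy:stable zap-baseline.py ' +
                   '-t "$TARGET_URL" -J zap.json -r zap.html'
            }
        }
    }

    post {
        always {
            // Keep the machine-readable reports for triage regardless of the outcome.
            archiveArtifacts artifacts: 'semgrep.json, dc-report/**, zap.json, zap.html',
                             allowEmptyArchive: true
            sh './scripts/stop-test-instance.sh || true'
        }
    }
}
```

Two design choices matter here. First, every scanner is invoked with an option that makes it exit non-zero above a threshold, because a pipeline that merely archives reports is not a gate. Second, the stages run in order of cost: SAST and the dependency check need only the source tree and fail fast, while DAST needs a running instance and is therefore last. When adopting this in a real project the thresholds should start permissive (or the stages marked unstable rather than failed) and be tightened as the existing findings are worked off, otherwise the pipeline is simply disabled again.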