How to Perform Static Application Security Testing (SAST) in CI

Designed for DevOps engineers and senior backend developers responsible for integrating security checks into the automated CI/CD pipelines of their organization’s core web applications, these activities are meant to spark real collaboration and high-energy learning.

A 90-minute virtual workshop for technical teams integrating DevSecOps practices. Audience pain points include confusion over tool selection, concerns about pipeline slowdowns, and skepticism about the practical value of automated SAST findings.

Icebreaker
Activity 1

SAST Mystery Demo

Open with a brief screen-share of two CI pipeline dashboards—one with SAST results and one without. Ask participants to spot the difference in outcomes and code quality. Invite initial guesses about how security surfaced in each pipeline and why.

Why this works

Curiosity primes engagement by inviting participants to make predictions before learning, activating prior knowledge and highlighting relevance.

Icebreaker
Activity 2

SAST MythBuster Lightning

Present three rapid-fire statements about SAST in CI: ‘SAST slows down builds,’ ‘SAST only finds trivial bugs,’ and ‘Any SAST tool will work for all languages.’ Challenge participants to vote true/false, then reveal technical truths with supporting evidence.

Why this works

Revealing misconceptions helps learners clear up confusion and builds trust, especially when evidence is used to debunk myths.

Icebreaker
Activity 3

Pick-Your-SAST Adventure

Share a scenario: ‘Your project is a microservices-based Python API. Which SAST tool would you choose, and why?’ Provide a short menu of realistic options. Let participants select one in a poll, then discuss reasoning in small groups.

Why this works

Low-pressure choice empowers learners to experiment without risk, reinforcing decision skills and collective sensemaking.

Icebreaker
Activity 4

CI Pipeline Race

Split the group into two teams. Each gets a simplified CI pipeline flow (on a shared whiteboard or Miro). Teams race to drag-and-drop SAST tool icons into correct pipeline positions, then annotate with why SAST should run at that stage.

Why this works

High-energy competition fuels focus, teamwork, and memory. Physical interaction with models cements workflow understanding.

Icebreaker
Activity 5

The False Positive Dilemma

Show a real SAST output with several flagged issues, including a clear false positive and a genuine vulnerability. Ask: ‘If you’re a developer, what happens next?’ Invite volunteers to role-play an engineer and a team lead reacting to the results.

Why this works

Dilemmas foster empathy and practical judgment, anchoring the abstract topic in real developer experience.

Icebreaker
Activity 6

My Next SAST Move

Invite participants to jot down one concrete step they’ll take to implement or improve SAST in their own CI pipeline. Share back in chat or on sticky notes, then invite a few to explain their rationale and expected impact.

Why this works

Active reflection drives ownership and transfer, supporting lasting skill change and bridging workshop learning to real-world action.
