Does it make sense to have SAST as the first stage of the pipeline? Our project consists of many dockerized NodeJS microservices, and while reviewing many tutorials and guides, we noticed that the first is always Build (for Java) and not SAST. Since we don’t have a real build of an application here, and instead of building the Docker image first and then running SAST, I’d recommended to my team to start with SAST as the first stage. Do you have a better suggestion?
Our SAST activity is mainly focused on ESLint and NodeJS source code scanning.
BUILD - Docker Image
TEST - Container Scanning + Some API testing