NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-11(1) Static Code Analysis

Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses. Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources.

Practitioner Notes

Static code analysis examines source code for security vulnerabilities without executing the program. It catches many common coding errors like SQL injection, cross-site scripting, and buffer overflows before the code ever runs.

Example 1: Configure a static analysis tool (SonarQube, Semgrep, Checkmarx) to scan code automatically on every pull request. Set quality gates that block merging if critical or high-severity findings are detected. Review and resolve findings before the code moves forward.

Example 2: In GitHub, enable Advanced Security with CodeQL analysis. CodeQL scans your codebase for vulnerability patterns and creates security alerts directly in the pull request. Configure it to scan on every push and pull request to the main branch.
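The quality gate in Example 1 and the evidence the supplemental guidance asks for (defect density for critical defect types, and the share of findings that were ignored) can both be produced from the analyzer's output. The script below is an added example, not part of the NIST text and not code from any of the tools named above. It assumes the analyzer writes SARIF 2.1.0 (the format CodeQL uploads and that Semgrep and most modern scanners can emit), that rules may carry a numeric "security-severity" property as CodeQL does, and that suppressed findings appear in the SARIF "suppressions" array; the sample document, the severity thresholds and the 12,000-line code size are constructed for illustration. The exit status is what a CI job would use to block the merge.

```python
"""Quality gate and SA-11(1) evidence metrics computed from SARIF output.

Assumptions (not from the NIST control text): SARIF 2.1.0 input, an optional
"security-severity" rule property holding a CVSS-style 0-10 score string (as
CodeQL emits), and suppressed results carried in the "suppressions" array.
"""
import json

# Assumed severity bands for the numeric security-severity score.
BANDS = (("critical", 9.0), ("high", 7.0), ("medium", 4.0))

# Constructed SARIF sample for the example; not real scanner output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-analyzer", "rules": [
            {"id": "py/sql-injection", "properties": {"security-severity": "8.8"}},
            {"id": "py/hardcoded-credentials", "properties": {"security-severity": "9.8"}},
            {"id": "py/unused-import", "properties": {}},
        ]}},
        "results": [
            {"ruleId": "py/sql-injection", "level": "error",
             "message": {"text": "Query built from user input"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "py/hardcoded-credentials", "level": "error",
             "message": {"text": "Hard-coded password"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/settings.py"},
                                                 "region": {"startLine": 7}}}],
             "suppressions": [{"kind": "inSource"}]},  # developer marked it as ignored
            {"ruleId": "py/unused-import", "level": "note",
             "message": {"text": "Unused import"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"},
                                                 "region": {"startLine": 1}}}]},
        ],
    }],
})


def severity_of(rule, level):
    """Map a rule's security-severity score (or, failing that, the SARIF level) to a band."""
    score = rule.get("properties", {}).get("security-severity")
    if score is not None:
        value = float(score)
        for name, floor in BANDS:
            if value >= floor:
                return name
        return "low"
    return {"error": "high", "warning": "medium"}.get(level, "low")


def load_findings(sarif_text):
    """Flatten every run's results into findings with severity and suppression state."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for result in run.get("results", []):
            rule = rules.get(result.get("ruleId"), {})
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId", "unknown"),
                "severity": severity_of(rule, result.get("level", "warning")),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
                "suppressed": bool(result.get("suppressions")),
            })
    return findings


def evaluate_gate(findings, lines_of_code, block_on=("critical", "high"), max_ignored_ratio=0.5):
    """Return per-severity counts, critical/high density per KLOC, the ignored-finding
    ratio, and the gate decision. A high ignored ratio flags the analysis process
    itself, as the supplemental guidance notes, so it is reported separately."""
    active = [f for f in findings if not f["suppressed"]]
    counts = {}
    for f in active:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    blocking = [f for f in active if f["severity"] in block_on]
    density = len(blocking) * 1000.0 / lines_of_code if lines_of_code else 0.0
    ignored_ratio = (len(findings) - len(active)) / len(findings) if findings else 0.0
    return {
        "counts": counts,
        "critical_high_density_per_kloc": round(density, 3),
        "ignored_ratio": round(ignored_ratio, 3),
        "blocking": [f"{f['severity']}:{f['rule']}@{f['file']}:{f['line']}" for f in blocking],
        "passed": not blocking,
        "process_warning": ignored_ratio > max_ignored_ratio,
    }


if __name__ == "__main__":
    report = evaluate_gate(load_findings(SAMPLE_SARIF), lines_of_code=12000)
    print(json.dumps(report, indent=2))
    raise SystemExit(0 if report["passed"] else 1)  # non-zero exit blocks the merge
```

On the constructed sample the gate fails on the active high-severity SQL injection finding, while the suppressed critical finding is excluded from the counts but still raises the ignored ratio. Keeping the JSON report as a build artifact gives the auditor-facing evidence the guidance describes: what was found, what was remediated, and how much was waved through.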