Home Technical Support Designing Secure Systems: Data Flow Diagrams, SCA/SAST Pipelines, and Local Tool Setup

Designing Secure Systems: Data Flow Diagrams, SCA/SAST Pipelines, and Local Tool Setup

Last updated on Jan 06, 2026

Designing Secure Systems: Data Flow Diagrams, SCA/SAST Pipelines, and Local Tool Setup

Creating secure, maintainable applications requires a solid foundation in three interconnected areas: visualising trust boundaries with Data Flow Diagrams (DFDs), building robust SCA (Software Component Analysis) and SAST (Static Application Security Testing) pipelines, and validating security tools locally before they hit production CI/CD. This article walks you through the essential considerations, practical steps, and best‑practice tips that every DevSecOps professional should know.

1. Data Flow Diagrams – What to Include and Where

1.1 Why DFDs Matter

A DFD is a visual language that helps you communicate trust zones, component responsibilities, and data movement. There are no rigid standards dictating layout or symbols, but clarity is the only rule that truly matters.

1.2 Core Elements to Capture

Element What to Show Typical Placement
External Entities Users, third‑party services, or any system outside your control Outside the perimeter (e.g., “Internet”, “Partner API”)
Trust Boundaries Zones where security controls change (DMZ, internal network, cloud VPC) Use distinct boxes or colour‑coded borders
Processes / Services APIs, micro‑services, databases, queues, etc. Inside the appropriate trust zone
Data Stores Persistent storage (SQL, NoSQL, object buckets) Usually depicted as cylinders or rectangles
Data Flows Directional arrows showing the movement of information Connect entities, processes, and stores; label with data type (e.g., “JWT token”, “user credentials”)

1.3 Practical Example

Scenario: An e‑commerce platform receives orders through a public API Gateway.

  • InternetAPI Gateway (trust boundary: public DMZ)

  • API GatewayOrder Service (internal network)

  • Order ServiceOrder DB (data store)

  • Order ServicePayment Provider (external entity)

By placing the API Gateway at the internet boundary, the diagram instantly highlights where inbound traffic is inspected, where TLS termination occurs, and where additional security controls (WAF, rate limiting) should be applied.

2. Building a Pipeline for SCA and SAST

2.1 Understanding the Scope

When an exam or a real‑world requirement says “build a pipeline for SCA and SAST,” it expects you to address both frontend and backend codebases and to include secret scanning as part of the SAST step.

2.2 Recommended Pipeline Structure

  1. Source Checkout – Pull the latest commit from the repository.

  2. Dependency Scanning (SCA)

    • Frontend – Run tools like npm audit, OWASP Dependency‑Check, or Snyk against package.json/yarn.lock.

    • Backend – Run language‑specific scanners (e.g., Maven Dependency Plugin, pip‑audit, Gradle Dependency Check).

  3. Static Code Analysis (SAST)

    • General SAST – Use tools such as SonarQube, Checkmarx, or CodeQL to detect vulnerable patterns.

    • Secret Scanning – Add a dedicated step (e.g., GitLeaks, TruffleHog, Detect Secrets) to catch API keys, passwords, or certificates embedded in the code.

  4. Policy Evaluation – Fail the build if high‑severity findings exceed a defined threshold.

  5. Reporting – Publish results to a dashboard, Slack channel, or pull‑request comment for developer visibility.

2.3 Sample YAML Snippet (GitHub Actions)

name: Secure Build

on: [push, pull_request]

jobs:
  sca-frontend:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run npm audit
        run: npm audit --audit-level=high

  sca-backend:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Maven Dependency Check
        run: mvn org.owasp:dependency-check-maven:check -DfailOnCVSS=7

  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run CodeQL Analysis
        uses: github/codeql-action/analyze@v2
      - name: Secret Scan with Gitleaks
        uses: zricethezav/gitleaks-action@v1

The pipeline clearly separates frontend SCA, backend SCA, SAST, and secret scanning, satisfying the “separate scans” requirement.

3. Local Tool Testing – Installation vs. Docker

3.1 Why Test Locally?

Running a tool locally helps you:

  • Verify CLI arguments, environment variables, and exit codes.

  • Detect dependency conflicts before they break CI/CD.

  • Fine‑tune performance (e.g., memory limits, parallelism).

3.2 Two Integration Paths

Approach How It Works When to Choose It
Direct Installation + Scan Install the binary or package on the build agent, then invoke it directly. Ideal for tools that need deep OS integration (e.g., native compilers, custom plugins).
Docker Run + Scan Pull a pre‑built Docker image, mount the source code, and execute the scan inside the container. Perfect for isolated environments, version‑locked tooling, or when you want a “run‑anywhere” guarantee.

3.3 Local Test Checklist

  1. Choose the integration path (installation vs. Docker).

  2. Run a quick scan on a small test repo:

    • Verify the tool exits with 0 for clean code and non‑zero for findings.

    • Capture the output format (JSON, SARIF, plain text).

  3. Validate CI/CD compatibility:

    • For installation, script the install step (apt-get, brew, pip, etc.).

    • For Docker, confirm the image size and required runtime flags (--network=none, -v $PWD:/src).

  4. Document the exact command you will later copy into the pipeline YAML.

3.4 Example: Running Trivy via Docker

docker run --rm -v $(pwd):/project aquasec/trivy fs /project \
  --severity HIGH,CRITICAL --format sarif -o trivy-results.sarif

If this command succeeds locally, you can safely embed the same Docker run step in your CI job.

4. Tips & Best Practices

  • Label every DFD arrow with the data type and sensitivity level (e.g., “PII – encrypted”).

  • Separate SCA and SAST stages to keep logs clean and make failure analysis easier.

  • Fail fast: set low thresholds for high‑severity findings to prevent vulnerable code from progressing.

  • Cache Docker images in CI to reduce build time, but always pull the latest version for security tools.

  • Automate secret rotation: when a secret scan flags a credential, trigger an automated rotation workflow.

5. Common Questions

Question Answer
Do I need to draw every micro‑service on a DFD? Focus on trust boundaries and data that crosses them. Minor internal calls can be omitted if they stay within the same security zone.
Can I run SCA and SAST in the same CI job? Technically possible, but separating them improves parallelism, error isolation, and report clarity.
Is Docker the only way to avoid manual installs? No. You can also use package managers (apt, yum, brew) or binary releases, but Docker provides the cleanest isolation for most security tools.
What if a secret scanner flags a false positive? Review the finding, add an allow‑list entry if it’s a known benign pattern, and document the decision in your security policy.

6. Final Thoughts

Designing secure systems is a continuous, visual, and automated effort. By mastering clear DFDs, constructing comprehensive SCA/SAST pipelines, and rigorously testing tools locally—whether via direct installation or Docker—you lay a strong foundation for resilient DevSecOps practices. Use the guidelines above as a checklist for every new project, and you’ll consistently deliver secure, compliant software that stands up to both exams and real‑world threats.