Overview
What this challenge is about.
Run baseline scans with Semgrep + SonarQube + Snyk Code across all 18 services, then:

- Triage the initial findings (likely 800-1,500 raw alerts) into true-positive / false-positive / informational.
- Tune rulesets per language + service to reach an under 5 percent false-positive rate on incremental scans (this typically takes 2-3 rounds of rule customization + suppression review).
- Integrate SAST as PR-blocking checks for high-severity findings, advisory for medium.
- Build a 4-page developer-facing guide covering 'what each tool catches', 'how to suppress with justification', and 'when to escalate to AppSec'.
- Author a 30-day on-ramp plan for the security team to maintain rules + handle escalations.

Deliverables: CI integration, tuned rulesets, triaged findings spreadsheet, developer guide, and on-ramp plan.
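As an added illustration (not part of the challenge material or any of the named tools), the PR gate and suppression policy described above in miniature: it assumes the `results[].check_id / path / extra.severity` shape of Semgrep's `--json` output, uses made-up rule ids and a constructed suppression file, blocks on ERROR, reports WARNING as advisory, honours only justified and owned suppressions, and computes the false-positive rate from triage labels.

```python
import json

# Constructed sample of `semgrep --json` output; the result shape (results[].check_id,
# path, start.line, extra.severity) is assumed from Semgrep, and the rule ids are made up.
SEMGREP_JSON = json.dumps({"results": [
    {"check_id": "example.sql-string-concat", "path": "svc/payments/db.py",
     "start": {"line": 42}, "extra": {"severity": "ERROR"}},
    {"check_id": "example.sql-string-concat", "path": "svc/ledger/tests/fixture.py",
     "start": {"line": 7}, "extra": {"severity": "ERROR"}},
    {"check_id": "example.hardcoded-token", "path": "svc/auth/token.py",
     "start": {"line": 9}, "extra": {"severity": "WARNING"}},
    {"check_id": "example.file-never-closed", "path": "svc/kyc/io.py",
     "start": {"line": 3}, "extra": {"severity": "INFO"}},
]})

# Constructed suppression file: each entry must carry a justification and an owner,
# which is what the "how to suppress with justification" guide asks developers for.
SUPPRESSIONS = [
    {"check_id": "example.sql-string-concat", "path_prefix": "svc/ledger/tests/",
     "justification": "test fixture; the string is never executed", "owner": "ledger-team"},
]

def is_suppressed(finding, suppressions):
    """A suppression counts only if it is justified, owned, and matches rule id + path prefix."""
    for s in suppressions:
        if not s.get("justification") or not s.get("owner"):
            continue  # unjustified suppressions are ignored rather than honoured
        if s["check_id"] == finding["check_id"] and finding["path"].startswith(s["path_prefix"]):
            return True
    return False

def gate(semgrep_json, suppressions):
    """Return (decision, blocking, advisory): ERROR findings block the PR, WARNING is advisory."""
    results = json.loads(semgrep_json)["results"]
    live = [f for f in results if not is_suppressed(f, suppressions)]
    blocking = [f for f in live if f["extra"]["severity"] == "ERROR"]
    advisory = [f for f in live if f["extra"]["severity"] == "WARNING"]
    return ("block" if blocking else "pass"), blocking, advisory

def false_positive_rate(triage_labels):
    """Rate over the triage spreadsheet labels ('tp', 'fp', 'info'); 'info' is left out of the denominator."""
    counted = [t for t in triage_labels if t in ("tp", "fp")]
    return counted.count("fp") / len(counted) if counted else 0.0

if __name__ == "__main__":
    decision, blocking, advisory = gate(SEMGREP_JSON, SUPPRESSIONS)
    print(decision, f"{len(blocking)} blocking, {len(advisory)} advisory")
```

In a real pipeline the JSON would come from the scan step and the suppression file from the repository, so a suppression without a justification shows up as a still-blocking finding rather than silently passing.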
The Brief
What you'll do, and what you'll demonstrate.
Roll out SAST across 18 services for a fintech codebase, tune to under 5 percent false-positive rate, and integrate into developer workflow without alert fatigue.
Earning criteria — what you'll demonstrate
- Run baseline SAST across a multi-language polyglot codebase
- Tune rulesets to acceptable false-positive rate (the actual hard part)
- Integrate SAST as PR-blocking + advisory without alert fatigue
- Hand off rule maintenance + escalation to the security team
Program Fit
Where this fits in your program.
Sharpens the same skills your degree expects you to demonstrate.
Skills
Skills you'll demonstrate.
Each one shows up on your verified credential.
Careers
Roles this prepares you for.
Real titles. Real skill bridges. Pick the one closest to your trajectory.
Career mappings coming soon.