SAST Engineer - Static Code Analysis (5-10 yrs)
Varite
posted 4 days ago
Flexible timing
Role Summary:
We are looking for an experienced SAST (Static Application Security Testing) Engineer with strong expertise in Coverity (preferably with BlackDuck integration) to manage static code analysis, improve code quality, and collaborate with development teams for defect resolution. The ideal candidate will have a strong background in CI/CD, scripting, and code review processes, preferably in C/C++ and embedded systems.
Key Responsibilities:
- Manage and maintain CI/CD pipelines for continuous static code analysis.
- Analyze and interpret Coverity results (defect types, severity, and code flow).
- Collaborate with developers for quick defect resolution by understanding the code flow.
- Assist developers in running local Coverity analysis for faster triage.
- Review and triage violations, providing actionable insights and remediation recommendations.
- Write custom automation scripts (Python, Shell, Groovy, or Bash) for filtering, reporting, and handling violations.
- Suggest improvements in coding rules & guidelines (SAST best practices).
- Optimize and maintain Coverity configurations, including checker tuning, component mapping, and suppression rules.
- Work closely with developers to justify findings, suggest remediations, and improve code quality.
- (Optional) Provide training to development teams on Coverity usage & best practices.
Required Skills:
- Strong hands-on experience with Coverity or similar SAST tools (e.g., Helix QAC, Polyspace, SonarQube).
- Proficiency in scripting languages (Python, Bash, Groovy, or PowerShell).
- Experience with CI/CD tools (Jenkins, Bitbucket, GitLab CI).
- Strong understanding of software development lifecycle (SDLC) and branching strategies (Git).
- Ability to read and analyze C / C++ source code (Embedded systems background is a plus).
- Experience in code flow analysis and identifying false positives in static analysis.
- Good communication & collaboration skills for working with cross-functional teams.
Preferred / Good to Have:
- Experience with BlackDuck for open-source security and compliance.
- Knowledge of embedded software development.
- Experience in providing training sessions for development teams.
Functional Areas: Other