SAST
Static Application Security Testing — analysis of source code for vulnerabilities without executing it.
Also known as
- Static Application Security Testing
- Static Code Analysis
SAST (Static Application Security Testing) analyses source code, bytecode, or binary code for security vulnerabilities without running the application. It integrates early in the development lifecycle — often directly in the IDE or as a CI/CD pipeline stage.
How it works
A SAST tool parses the codebase into an Abstract Syntax Tree (AST) or call graph and applies security rules to detect patterns like:
- SQL injection via unsanitised user input
- Hardcoded credentials or API keys
- Use of deprecated/vulnerable cryptographic functions
- Path traversal vulnerabilities
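To make the parse-then-match mechanism concrete, here is a small added example (not code from the page or from any tool listed below) of a toy SAST scanner written in Python against Python source. It uses the standard library `ast` module to build the syntax tree and then applies three rules that correspond to the first three patterns above: a SQL statement built from a runtime string passed to a `.execute()` call, a string literal assigned to a credential-looking name, and a call to `hashlib.md5`/`hashlib.sha1`. The function names (`scan_source`, `_is_dynamic_string`, `_callee_name`), the rule ids and the `SAMPLE` input are all constructed for this illustration; the "API key" in the sample is a placeholder, not a real secret.

```python
"""Toy SAST scanner: parse Python source into an AST and match security rules.

Added example: not from the page or any real tool. Rule coverage is deliberately
narrow so the matching logic stays readable.
"""
import ast
import re

# Names that suggest a secret is being stored (hypothetical heuristic, case-insensitive).
CRED_NAME = re.compile(r"(password|passwd|secret|api_key|apikey|token)", re.I)
# Hash constructors the page's third bullet would call deprecated/vulnerable.
WEAK_HASH_CALLS = {"hashlib.md5", "hashlib.sha1"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime: f-string, + or %, or .format()."""
    if isinstance(node, ast.JoinedStr):                      # f"SELECT ... {user}"
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                          # "..." + user / "..." % user
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                    # "...{}".format(user)
    return False


def _callee_name(node: ast.Call) -> str:
    """Dotted name of the called function, e.g. 'hashlib.md5' or 'cur.execute'."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def scan_source(src: str, filename: str = "<string>") -> list:
    """Parse `src` and return a list of findings, each {'rule', 'line', 'detail'}."""
    findings = []
    tree = ast.parse(src, filename=filename)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _callee_name(node)
            # Rule 1: SQL built from a runtime string -> injection candidate.
            if (name.endswith((".execute", ".executemany"))
                    and node.args and _is_dynamic_string(node.args[0])):
                findings.append({"rule": "sql-injection", "line": node.lineno, "detail": name})
            # Rule 3: deprecated / weak hash function.
            elif name in WEAK_HASH_CALLS:
                findings.append({"rule": "weak-hash", "line": node.lineno, "detail": name})
        elif isinstance(node, ast.Assign):
            # Rule 2: string literal assigned to a credential-looking name.
            if (isinstance(node.value, ast.Constant) and isinstance(node.value.value, str)
                    and node.value.value):
                for target in node.targets:
                    if isinstance(target, ast.Name) and CRED_NAME.search(target.id):
                        findings.append({"rule": "hardcoded-credential",
                                         "line": node.lineno, "detail": target.id})
    return findings


# Constructed sample input. The key value is a placeholder, not a real credential.
SAMPLE = '''
import hashlib
import sqlite3

API_KEY = "sk-live-PLACEHOLDER-0000"

def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % username)
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cur.fetchone()

def fingerprint(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()
'''

if __name__ == "__main__":
    for finding in sorted(scan_source(SAMPLE), key=lambda f: f["line"]):
        print(f"{finding['line']:>3}: {finding['rule']:<22} {finding['detail']}")
```

Running the script reports the placeholder key on line 5, the `%`-formatted query on line 9 and the `hashlib.md5` call on line 14, while the parameterised query on line 10 is left alone because its first argument is a constant string. The same limitation the page notes applies: a rule like this sees only the syntactic shape of the call, so a query assembled in a variable two functions away would need data-flow tracking that this toy does not do.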
Common tools
| Tool | Language support | Notes |
|---|---|---|
| SonarQube | 30+ languages | Self-hosted or SaaS |
| Snyk Code | JS, Python, Go, Java… | Developer-first SaaS |
| Semgrep | 20+ languages | Open-source, rule-based |
| GitLab SAST | Bundled in GitLab CI | Auto-detected by language |
Limitations
SAST produces false positives and cannot detect vulnerabilities that only appear at runtime (e.g. SSRF via dynamic URL construction). Use alongside DAST and SCA for full coverage.
See also