# Static Application Security Testing (SAST)
Static Application Security Testing (SAST) is a class of security tools that analyze application source code, bytecode, or binaries without executing them, looking for vulnerabilities such as injection flaws, insecure deserialization, broken authentication, and unsafe data flows. SAST is "white-box" testing — it has full visibility into the code.
## Where It Sits
SAST is typically run early in the development lifecycle, often as part of [[CI CD pipelines]] alongside [[Software Composition Analysis (SCA)]]. Where SCA finds known vulnerabilities in third-party dependencies, SAST hunts for vulnerabilities in your own code. The two are complementary, not interchangeable.
In a [[DevSecOps]] approach, SAST is one of the earliest "shift-left" checks: catch issues before they reach production, before they reach review, ideally before they reach commit.
## Strengths and Limits
**Strengths**:
- Finds vulnerabilities without running the application
- Can scan partial code, branches, and pre-merge changes
- Provides line-level findings developers can act on directly
**Limits**:
- High false positive rates with traditional pattern-matching tools
- Limited understanding of runtime context, configuration, and authorization
- Can miss vulnerabilities that only emerge from interactions between components
## The AI-Augmented Generation
A new wave of SAST tools uses [[AI Agents]] to investigate candidate findings, trace data flows, and reason about mitigations — substantially reducing false positives and surfacing subtler bugs. Examples:
- [[Vercel DeepSec]] — multi-agent pipeline running on your own infrastructure
- [[Warden]] — skill-based code review tool from Sentry, runs locally and in CI
- Traditional players (Snyk Code, Semgrep, GitHub CodeQL, Sonar) are also adding LLM layers
The shared insight: regex matching identifies *candidates* cheaply; LLM agents do the expensive *investigation* only on the narrowed set.
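To make the two-stage idea concrete, here is a toy SAST in Python, added as an illustration and not code from any of the tools named above. Stage 1 is the cheap regex pass that flags every call to a dangerous sink as a candidate; stage 2 is an AST-based, intra-procedural taint check that confirms a candidate only if an untrusted value actually flows into the sink without passing through a sanitizer. The source, sink and sanitizer names, and the target code being scanned, are assumptions constructed for the example; the same walk also shows the line-level finding SAST reports and how a pattern-only scanner produces false positives.

```python
"""Toy two-stage SAST: regex candidates, then AST taint investigation.

Added example; the analysis is deliberately simple (straight-line,
single-function, single-assignment tracking) so the mechanism is visible.
"""
import ast
import re

# Assumed source/sink/sanitizer names for this demonstration.
SOURCES = {"input", "request.args.get"}
SINKS = {"os.system", "subprocess.call", "cursor.execute"}
SANITIZERS = {"shlex.quote", "int"}

# Constructed target code: one real flaw, one sanitized flow, one constant call.
SAMPLE = '''
import os, shlex
def ping(request):
    host = request.args.get("host")
    os.system("ping -c 1 " + host)        # untrusted value reaches the sink

def safe_ping(request):
    host = shlex.quote(request.args.get("host"))
    os.system("ping -c 1 " + host)        # sanitized before the sink

def list_tmp():
    os.system("ls /tmp")                   # constant argument: regex false positive
'''


def regex_candidates(src):
    """Stage 1: line numbers of every sink call, regardless of its argument."""
    pat = re.compile(r"\b(os\.system|subprocess\.\w+|cursor\.execute)\(")
    return [i for i, line in enumerate(src.splitlines(), 1) if pat.search(line)]


def dotted(node):
    """Render `a.b.c` call targets as a string; None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(node, tainted):
    """Conservatively decide whether an expression may carry untrusted data."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call):
        name = dotted(node.func)
        if name in SOURCES:
            return True
        if name in SANITIZERS:          # sanitizer output is treated as clean
            return False
        return any(is_tainted(a, tainted) for a in node.args)
    if isinstance(node, ast.BinOp):     # string concatenation propagates taint
        return is_tainted(node.left, tainted) or is_tainted(node.right, tainted)
    if isinstance(node, ast.JoinedStr): # f-strings propagate taint too
        return any(is_tainted(v, tainted) for v in node.values)
    if isinstance(node, ast.FormattedValue):
        return is_tainted(node.value, tainted)
    return False                        # constants and unknown shapes: clean


def taint_findings(src):
    """Stage 2: per-function taint tracking; returns {line: message} for real flows."""
    findings = {}
    tree = ast.parse(src)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for stmt in func.body:          # straight-line bodies only
            if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                    and isinstance(stmt.targets[0], ast.Name)):
                name = stmt.targets[0].id
                if is_tainted(stmt.value, tainted):
                    tainted.add(name)
                else:
                    tainted.discard(name)   # clean reassignment kills taint
            elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                sink = dotted(stmt.value.func)
                if sink in SINKS and any(is_tainted(a, tainted) for a in stmt.value.args):
                    findings[stmt.lineno] = f"{func.name}: untrusted data reaches {sink}"
    return findings


def triage(src):
    """Run both stages: keep candidates the taint pass confirms, drop the rest."""
    candidates = regex_candidates(src)
    flows = taint_findings(src)
    confirmed = {ln: flows[ln] for ln in candidates if ln in flows}
    dismissed = [ln for ln in candidates if ln not in flows]
    return candidates, confirmed, dismissed


if __name__ == "__main__":
    cands, confirmed, dismissed = triage(SAMPLE)
    print("stage 1 candidates:", cands)
    for ln, msg in confirmed.items():
        print(f"CONFIRMED line {ln}: {msg}")
    print("dismissed as false positives:", dismissed)
```

On the constructed sample the regex pass flags all three `os.system` calls, and the taint pass keeps only the one in `ping`, dismissing the sanitized call and the constant-argument call. A real engine replaces the stage-2 check with inter-procedural, path-sensitive data-flow analysis or, in the AI-augmented tools above, with an agent that reads the surrounding code; the division of labour is the same.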
## References
- OWASP SAST overview: https://owasp.org/www-community/Source_Code_Analysis_Tools
## Related
- [[Software Composition Analysis (SCA)]]
- [[DevSecOps]]
- [[CI CD pipelines]]
- [[Vercel DeepSec]]
- [[Warden]]
- [[AI Agents]]
- [[AI Red Teaming]]