
Static Application Security Testing (SAST)

Analyze source code and binaries without running the app—fast feedback for developers.

How SAST works

SAST tools parse your codebase (and sometimes bytecode or IR) and apply rules or data-flow analysis to find patterns such as SQL injection sinks, hard-coded secrets, weak randomness, or unsafe deserialization. Because nothing is executed, SAST can run in CI on every pull request.

Source files → Parser / AST → Rules engine → Findings (line:col)

When to use it in the pipeline

Tip

Tune severity and suppressions with security team review—noise kills adoption.

Typical features

Feature             Why it matters
IDE integration     Fix before push
SARIF output        Unified ingestion in GitHub/GitLab/Azure DevOps
Custom rules        Encode org-specific dangerous APIs
Baseline / diff     Block only new issues on legacy codebases
Secret detection    Often bundled or paired with dedicated secret scanners
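The pipeline sketched under "How SAST works" (parse to an AST, apply rules, emit line:col findings) together with the SARIF and baseline/diff rows above, as a small worked scanner. This is an added example, not code from the page or from any of the tools it lists: the rule ids, the tool name "mini-sast", and the sample source it scans are all constructed for illustration. It applies two rules to Python code, a string-built query reaching a DB-API cursor sink and a long literal assigned to a secret-looking name, fingerprints each finding so a baseline survives line shifts, and serializes the result as SARIF 2.1.0.

```python
import ast
import hashlib
import json

# Constructed sample input (not from the page): one hard-coded secret, two
# string-built SQL statements reaching a sink, and one safe parameterized query.
SAMPLE_SOURCE = '''\
import sqlite3
API_KEY = "sk_live_constructed_example_0123456789"
def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cur.fetchall()
'''

SQL_SINKS = {"execute", "executemany", "executescript"}  # DB-API cursor methods
SECRET_HINTS = ("KEY", "SECRET", "TOKEN", "PASSWORD")     # identifier substrings


def _is_dynamic_string(node):
    """True if the expression builds a string at runtime: concat, %-format, f-string, .format()."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def _fingerprint(rule_id, path, line_text):
    # Hash of rule + file + normalized line text, so a finding keeps its identity
    # when unrelated edits shift it up or down (this is what a baseline compares).
    return hashlib.sha256(f"{rule_id}:{path}:{line_text.strip()}".encode()).hexdigest()[:16]


def scan_source(source, path="app.py"):
    """Parse to an AST, apply the two rules, return findings sorted by (line, col)."""
    lines = source.splitlines()
    findings = []

    def report(rule_id, level, node, message):
        findings.append({
            "rule_id": rule_id, "level": level, "path": path,
            "line": node.lineno, "col": node.col_offset + 1,  # SARIF columns are 1-based
            "message": message,
            "fingerprint": _fingerprint(rule_id, path, lines[node.lineno - 1]),
        })

    for node in ast.walk(ast.parse(source, filename=path)):
        # Rule 1: a runtime-built string is the statement argument of a SQL sink.
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS and node.args
                and _is_dynamic_string(node.args[0])):
            report("py.sqli.string-built-query", "error", node,
                   f"SQL statement passed to .{node.func.attr}() is built from runtime values")
        # Rule 2: a long string literal assigned to a secret-looking name.
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str) and len(node.value.value) >= 16):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(h in target.id.upper() for h in SECRET_HINTS):
                    report("py.secret.hardcoded", "warning", node,
                           f"possible hard-coded secret assigned to {target.id}")
    return sorted(findings, key=lambda f: (f["line"], f["col"]))


def new_findings(findings, baseline):
    """Baseline / diff mode: keep only findings whose fingerprint is not already known."""
    return [f for f in findings if f["fingerprint"] not in baseline]


def to_sarif(findings, tool_name="mini-sast"):
    """Emit a minimal SARIF 2.1.0 log of the shape code-scanning uploaders ingest."""
    rule_ids = sorted({f["rule_id"] for f in findings})
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": [{"id": r} for r in rule_ids]}},
            "results": [{
                "ruleId": f["rule_id"],
                "level": f["level"],
                "message": {"text": f["message"]},
                "partialFingerprints": {"primaryLocationLineHash": f["fingerprint"]},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": f["path"]},
                    "region": {"startLine": f["line"], "startColumn": f["col"]},
                }}],
            } for f in findings],
        }],
    }


if __name__ == "__main__":
    first = scan_source(SAMPLE_SOURCE)
    baseline = {f["fingerprint"] for f in first}
    # Simulate a later PR: a new import shifts every line, and one new sink is added.
    later = "import os\n" + SAMPLE_SOURCE.replace(
        "    return cur.fetchall()",
        '    cur.execute("DELETE FROM users WHERE id = %s" % name)\n    return cur.fetchall()')
    for f in new_findings(scan_source(later), baseline):
        print(f"{f['path']}:{f['line']}:{f['col']} {f['rule_id']} {f['message']}")
    print(json.dumps(to_sarif(first), indent=2))
```

Run as a script it prints only the one finding the simulated PR introduced (the shifted pre-existing ones match the baseline by line-text fingerprint, not by line number) and then the SARIF log for the first scan. The parameterized query on the `?` line produces nothing, which is the distinction a real rules engine has to get right to keep the false-positive rate low enough for a blocking CI gate.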

Popular tools

Tool                     Notes
Semgrep                  Fast, rule-as-code; strong for polyglot monorepos
SonarQube / SonarCloud   Security + quality; quality gates in CI
Checkmarx                Enterprise SAST; deep analysis options
Micro Focus Fortify      Enterprise; audit-heavy environments

Pros

  • Shift-left: cheapest time to fix
  • Full codebase coverage path (not route-dependent)
  • Great for enforcing secure API usage

Cons

  • False positives without tuning
  • Misses runtime/config issues (e.g., IAM, headers)
  • Cannot see deployed behavior or multi-service flows

Example: GitHub Actions workflow snippet

name: sast
on:
  pull_request:
    branches: [ main ]

# upload-sarif writes to the code-scanning API, which needs security-events: write
permissions:
  contents: read
  security-events: write

jobs:
  semgrep:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          docker run --rm -v "$PWD:/src" returntocorp/semgrep semgrep scan \
            --config auto --error --sarif --output semgrep.sarif /src
      - uses: github/codeql-action/upload-sarif@v3
        # --error fails the scan step when there are findings; upload the report regardless
        if: always()
        with:
          sarif_file: semgrep.sarif

Illustrative only—pin versions and align with your org’s approved scanners.