What Is SAST?
Static Application Security Testing (SAST) is a form of white-box testing: it analyzes an application's source code (or, for some tools, its bytecode or binaries) without executing it, so vulnerabilities can be found early in the development lifecycle. Unlike dynamic testing, which needs a running application, SAST reasons about code structure and data flow to identify issues such as SQL injection, cross-site scripting (XSS), buffer overflows, and insecure cryptographic usage. Because it never runs the code, it cannot observe deployment configuration or runtime behavior, and its output is a list of suspected flaws that a developer still has to confirm.
How SAST Works
- Code parsing: Parse the code into a model the analyzer can reason about (abstract syntax tree, control flow graph, data flow graph)
- Analysis: Apply rules and patterns to that model to detect security anti-patterns (for example, a SQL query assembled by string concatenation, or a call to a weak hash function)
- Taint analysis: Mark untrusted input (user data, request parameters, command-line arguments) as a source and track it through assignments and calls to see whether it reaches a sensitive sink (a SQL query, a shell command, eval) without passing through a sanitizer or validator
- Reporting: Generate findings with file and line location, severity, the source-to-sink path where applicable, and remediation guidance
SAST in the Development Workflow
SAST integrates at multiple points:
- IDE plugins — Real-time feedback as developers write code
- Pre-commit hooks — Scan before code is committed
- CI/CD pipelines — Automated scans on every pull request
- Scheduled scans — Full repository scans on a regular cadence
SAST vs. DAST vs. SCA
| Technique | Tests | Requires Running App? | Finds |
|---|---|---|---|
| SAST | Source code | No | Code-level vulnerabilities |
| DAST | Running application | Yes | Runtime vulnerabilities |
| SCA | Dependencies | No | Known vulnerabilities in libraries |
| IAST | Running app + code | Yes | Both code and runtime issues |
A mature AppSec program uses these techniques together, because each covers a class of problems the others miss: SAST does not know which third-party library versions carry published CVEs, SCA does not see flaws in first-party code, and neither can observe misconfiguration that only shows up in a deployed application.
Key Evaluation Criteria
- Language support — Coverage for every language and framework in your stack, including the web frameworks whose request objects the tool must recognize as taint sources
- False positive rate — The share of findings that are real; a noisy tool trains developers to ignore it, so also check how findings can be triaged and suppressed
- Speed — Scan time at your repository's size; incremental or PR-scoped scans keep CI feedback fast
- Developer experience — Quality of remediation guidance, IDE integration
- CI/CD integration — Native support for your pipeline tools and the ability to fail a build on new high-severity findings
Leading SAST Vendors
Major SAST tools include SonarQube, Checkmarx, Semgrep, Veracode, Snyk Code, GitHub Advanced Security (CodeQL), and Black Duck.