Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1086

SAST (Static Application Security Testing)

Reviewed by: Cybersecurity entrepreneur & security researcher

What is SAST (Static Application Security Testing)?

SAST (Static Application Security Testing): Automated analysis of source code, bytecode or binaries — without executing it — to find security weaknesses such as injection, unsafe APIs or insecure crypto.


SAST tools parse code into an intermediate representation (AST, control-flow graph, data-flow graph) and apply rules or taint analysis to detect insecure patterns mapped to CWEs. Because they run without execution, they integrate naturally into IDEs, pre-commit hooks and CI/CD pipelines and can scan code that does not yet ship. SAST is strong at finding deterministic bugs (SQL injection, XSS sinks, hard-coded secrets, weak cryptography) but tends to produce false positives and miss runtime-only issues, so it is usually combined with SCA and DAST. Modern SAST tools include Semgrep, GitHub CodeQL, SonarQube, Checkmarx and Fortify.
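To make the "parse into an intermediate representation, then apply taint analysis" step concrete, here is a small, added example that is not code from the page or from any of the tools it names. It uses Python's own `ast` module as the intermediate representation and runs a toy intraprocedural taint analysis: values returned by constructed "source" calls are marked tainted, taint propagates through assignments, f-strings and string concatenation, a constructed "sanitizer" list breaks the chain, and a tainted expression reaching the first argument of a constructed "sink" call is reported as a CWE-mapped finding. The source, sink and sanitizer catalogues, the `Finding` type and the sample program are all assumptions made for this example; real tools ship thousands of such rules and model branches, loops and calls across functions, which this walk deliberately does not.

```python
"""Toy taint analysis over Python's AST (added example, not from the page)."""
import ast
from dataclasses import dataclass

# Constructed rule catalogue: where untrusted data enters, where it must not
# reach unsanitised, and which calls neutralise it. Keys are dotted call names.
SOURCES = {"input", "request.args.get", "request.form.get"}
SINKS = {"cursor.execute": "CWE-89", "os.system": "CWE-78"}
SANITIZERS = {"int", "shlex.quote"}


@dataclass(frozen=True)
class Finding:
    cwe: str    # weakness class the sink rule maps to
    sink: str   # dotted name of the dangerous call
    line: int   # line of the sink call in the scanned source
    var: str    # a tainted variable that flowed into the sink


def _dotted(node):
    """Return 'a.b.c' for Name/Attribute chains, None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _tainted_names(expr, tainted):
    """Tainted variable names referenced anywhere inside expr
    (covers f-strings, % formatting and + concatenation)."""
    return {n.id for n in ast.walk(expr)
            if isinstance(n, ast.Name) and n.id in tainted}


def _is_tainted_expr(expr, tainted):
    """Does the right-hand side of an assignment carry taint?"""
    if isinstance(expr, ast.Call) and _dotted(expr.func) in SANITIZERS:
        return False            # sanitizer wraps the value: taint is cleared
    if isinstance(expr, ast.Call) and _dotted(expr.func) in SOURCES:
        return True             # fresh untrusted input
    return bool(_tainted_names(expr, tainted))


def analyze_function(fn):
    """Straight-line taint walk over one function body; returns Findings."""
    tainted, findings = set(), []
    for stmt in fn.body:
        for node in ast.walk(stmt):
            if (isinstance(node, ast.Assign) and len(node.targets) == 1
                    and isinstance(node.targets[0], ast.Name)):
                name = node.targets[0].id
                if _is_tainted_expr(node.value, tainted):
                    tainted.add(name)
                else:
                    tainted.discard(name)   # reassigned from clean data
            elif isinstance(node, ast.Call):
                sink = _dotted(node.func)
                if sink in SINKS and node.args:
                    # Only the query/command string is the sink; a separate
                    # parameter tuple (parameterised query) is not flagged.
                    bad = _tainted_names(node.args[0], tainted)
                    if bad:
                        findings.append(Finding(SINKS[sink], sink,
                                                node.lineno, sorted(bad)[0]))
    return findings


def scan_source(src):
    """Parse source text and analyse every top-level function."""
    tree = ast.parse(src)
    return [f for n in tree.body if isinstance(n, ast.FunctionDef)
            for f in analyze_function(n)]


# Constructed sample program; it is only parsed, never executed.
SAMPLE = '''
def lookup(request, cursor):
    uid = request.args.get("id")
    query = f"SELECT * FROM users WHERE id = {uid}"
    cursor.execute(query)                      # tainted string reaches sink

def lookup_safe(request, cursor):
    uid = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))  # parameterised

def lookup_sanitized(request, cursor):
    uid = int(request.args.get("id"))          # sanitizer breaks the chain
    cursor.execute("SELECT * FROM users WHERE id = %d" % uid)

def ping():
    host = input("host: ")
    os.system("ping -c 1 " + host)             # tainted string reaches sink
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"{f.cwe}: {f.var!r} flows into {f.sink} at line {f.line}")
```

Running the block reports exactly two findings (the f-string query and the concatenated shell command) and stays silent on the parameterised and sanitised variants, which is the behaviour a practitioner tunes a real SAST rule set toward: the false positives the definition above warns about typically come from rules that cannot see the sanitizer or the parameter binding.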

Examples

  1. Running Semgrep with the OWASP Top 10 ruleset on every pull request.

  2. Using GitHub CodeQL to catch path traversal in a Java service before merge.

Frequently asked questions

What is SAST (Static Application Security Testing)?

Automated analysis of source code, bytecode or binaries — without executing it — to find security weaknesses such as injection, unsafe APIs or insecure crypto. It belongs to the Application Security category of cybersecurity.

What does SAST (Static Application Security Testing) mean?

Automated analysis of source code, bytecode or binaries — without executing it — to find security weaknesses such as injection, unsafe APIs or insecure crypto.

How do you defend against SAST (Static Application Security Testing)?

SAST is itself a defensive control rather than a threat: it is applied by running the tools named in the full definition above in IDEs, pre-commit hooks and CI/CD pipelines, triaging the false positives they produce, and pairing them with SCA and DAST to cover the runtime-only issues that static analysis misses.

What are other names for SAST (Static Application Security Testing)?

Common alternative names include: Static analysis, White-box testing.
