Glossary

SAST

Static Application Security Testing

What is SAST?

SAST (Static Application Security Testing) is the automated analysis of source code, bytecode, or compiled binaries to find security vulnerabilities without executing the program. A SAST tool parses the code the way a compiler does, builds a model of how data flows through it, and flags patterns that indicate weaknesses: unsanitized input reaching a database query, hardcoded credentials, unsafe deserialization, and similar issues. Because it works on code rather than a running application, SAST can run early, on every commit, and point to the exact file and line where a problem lives.

How it shows up in practice

Most teams meet SAST through tools like Semgrep, SonarQube, CodeQL, or the security scanners built into GitHub and GitLab. A typical finding looks like this:

user_input flows into db.query() without sanitization (app/routes/search.js:42)

The strengths and weaknesses follow from the approach. SAST sees everything in the codebase, including paths a tester would never reach, but it cannot always tell whether a suspicious pattern is exploitable in reality. That produces false positives, and teams that never triage them end up ignoring the tool entirely, which is worse than not running it.

Why it matters in a code audit

In a manual code audit, SAST output is a starting map, not a verdict. Auditors use static findings to locate hotspots, then read the surrounding code to confirm which flags are real, which are noise, and which serious issues the tool missed because they depend on business logic (a missing authorization check, for example, looks perfectly normal to a pattern matcher). An audit also checks whether SAST is wired into the pipeline at all: a repository with no static analysis and no linting usually correlates with deeper hygiene problems.

SAST is one half of a pair. Its counterpart, DAST, tests the running application from the outside and catches what static analysis structurally cannot, such as misconfigured servers and broken authentication flows. Mature teams run both; the classic findings each catches are covered in the vulnerabilities code audits catch most often.

If you are not sure what a scanner would say about your codebase, a free code audit is a low-effort way to find out.

Free · no strings shown later

Get your free code audit

A repo URL and two minutes of your time. A Webisoft engineer sends back written findings (security, tech debt, performance) with file-and-line specifics.

Request my free audit