Glossary

Static Application Security Testing (SAST)

SAST analyzes source code, bytecode, or binaries for security flaws without running the program — catching vulnerabilities like injection, hardcoded secrets, and unsafe deserialization before code is executed or deployed.

Static Application Security Testing inspects code at rest. Instead of sending traffic at a running app, a SAST tool parses the source into an abstract syntax tree (or an intermediate representation), then walks that structure looking for known-dangerous patterns: tainted data flowing into a SQL query, a secret committed in plaintext, user input reaching a shell command, a regex that backtracks catastrophically.
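A toy version of that walk, added here as an illustration and not code from GateTest: Python's own ast module parses a constructed Flask-style fragment, a visitor marks names assigned from an assumed list of sources (input, request.args.get) as tainted, and any assumed sink (cursor.execute, os.system) whose first argument is built from tainted data is reported with a file and line.

```python
import ast
# Constructed source and sink lists for this example; real scanners ship far more.
SOURCES, SINKS = {"input", "request.args.get"}, {"cursor.execute", "os.system"}

def dotted(node):  # 'request.args.get' for a Name/Attribute chain, else None
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and (base := dotted(node.value)):
        return f"{base}.{node.attr}"

class TaintTracker(ast.NodeVisitor):
    # Flow-insensitive: a name is tainted once it is assigned from a source.
    def __init__(self, filename):
        self.filename, self.tainted, self.findings = filename, set(), []

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):       # a source, or any call fed tainted data
            return dotted(node.func) in SOURCES or any(map(self.is_tainted, node.args))
        if isinstance(node, ast.BinOp):      # "..." + user
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):  # f"... {user} ..."
            return any(isinstance(v, ast.FormattedValue) and self.is_tainted(v.value) for v in node.values)
        return False                         # literals, tuples and the rest are clean

    def visit_Assign(self, node):
        tainted = self.is_tainted(node.value)
        self.generic_visit(node)
        for t in (t for t in node.targets if isinstance(t, ast.Name)):
            (self.tainted.add if tainted else self.tainted.discard)(t.id)

    def visit_Call(self, node):
        # Only the first positional arg is the query/command; execute(sql, (user,)) binds params safely.
        if dotted(node.func) in SINKS and node.args and self.is_tainted(node.args[0]):
            self.findings.append((self.filename, node.lineno, dotted(node.func)))
        self.generic_visit(node)

def scan(source, filename="app.py"):  # -> [(file, line, sink)] for each tainted sink call
    tracker = TaintTracker(filename)
    tracker.visit(ast.parse(source, filename))
    return tracker.findings

SAMPLE = '''  # constructed handler fragment; no imports are needed for it to parse
def lookup(cursor):
    user = request.args.get("user")
    cursor.execute("SELECT * FROM accounts WHERE name = '" + user + "'")  # flagged: line 4
    cursor.execute("SELECT * FROM accounts WHERE name = %s", (user,))     # parameterised: clean
    os.system(f"cat {input('file: ')}")                                   # flagged: line 6
'''
```

scan(SAMPLE) returns [('app.py', 4, 'cursor.execute'), ('app.py', 6, 'os.system')]; the parameterised execute call on line 5 is left alone because its query string is a literal.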

Because it works on the code itself, SAST runs early — in the editor, on every commit, in CI — and points at an exact file and line. That makes it the cheapest place to catch a class of bug: the finding lands while the author still has the context in their head, long before the code reaches a security review or production.

The trade-off is precision. A static analyzer reasons about all possible paths, so it can flag code that is technically reachable but practically safe (a false positive), and it can't see issues that only appear at runtime — misconfigured infrastructure, an exposed admin route, a broken auth check under real load. Mature programs pair SAST with DAST and software-composition analysis rather than treating any one of them as complete.

How GateTest handles it

Most of GateTest's 110 modules are SAST checks: secret scanning, SSRF and injection detection, the TLS/cookie/CORS hardening scanners, the cross-file taint tracker, and language analyzers for JavaScript, TypeScript, Python, Go, Java, Ruby, and PHP. Every finding carries a file and line, and on the Scan + Fix tier Claude opens a pull request with the fix.

Related modules: security, secrets, ssrf, crossFileTaint, tlsSecurity

Frequently asked questions

What is the difference between SAST and DAST?

SAST reads source code without running it and finds flaws like injection and hardcoded secrets early, with a file and line. DAST exercises a running application from the outside and finds issues that only appear at runtime, such as broken auth or misconfigured headers. They catch different bug classes and are complementary, not interchangeable.

Does SAST produce false positives?

Yes. Because static analysis reasons over all possible code paths, it can flag code that is reachable in theory but safe in practice. The useful metric is the false-positive rate; GateTest tunes detectors with suppression markers and path-aware downgrades to keep that rate low.

See SAST on your own repo

Free preview of findings. Pay per scan — no subscription. AI auto-fix PR on the Scan + Fix tier.
