Quiz Entry - updated: 2026.07.14
What is SAST (Static Application Security Testing)?
SAST analyzes source code WITHOUT running it (whitebox) — it catches bugs early with exact file/line, but is prone to false positives and misses runtime/config issues.
* SAST (whitebox, early, false positives) versus DAST (blackbox, late, real exploits) — they find different bugs and complement. *
| Aspect | Details |
|---|---|
| When | During development, in CI/CD |
| Approach | Whitebox (sees all code) |
| Finds | SQL injection, buffer overflows, hardcoded secrets, unsafe functions |
Strengths:
- Finds bugs early (shift-left)
- Shows exact file and line number
- Scalable to large codebases
Limitations:
- False positives — Flags non-issues
- Can't find runtime/config problems
- Misses business logic flaws
- Blind to cross-system data flows
Tools: SonarQube, Semgrep, Checkmarx, Fortify, CodeQL
Mnemonic: "SAST = Source Analysis, Stops Threats early"
Go deeper:
OWASP — Static Code Analysis — whitebox taint/data-flow analysis, strengths, and the false-positive limitation.