SAST (Static Application Security Testing)
Source-code analysis that inspects an application without running it — looking for injection patterns, unsafe deserialisation, hard-coded secrets, and other code-level weaknesses inside the SDLC.
Static Application Security Testing (SAST) is a class of source-code analysis that inspects an application without executing it. SAST tools parse the source (or compiled artefact) and flag patterns associated with vulnerabilities: SQL/command injection, unsafe deserialisation, path traversal, weak cryptography, hard-coded secrets, and others mapped against OWASP categories or CWE IDs.
SAST runs early in the SDLC — on the developer machine via IDE plugins, in pre-commit hooks, and in CI on every pull request. The strength of SAST is coverage: every line is reachable. The weakness is precision: many findings are false positives because the analyser cannot reason about runtime values (taint sinks that are unreachable in practice, sanitiser functions it doesn’t recognise).
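To make the precision problem concrete, here is an added toy taint tracker over Python's `ast` module (illustration only, not code from this page or from any tool it names): it reports attacker-controlled data reaching a sink and shows why a project-specific sanitiser the analyser does not recognise (the hypothetical `my_escape`) yields a false positive. The source, sink and sanitiser tables and the sample functions are constructed assumptions.

```python
import ast
# Constructed toy SAST taint tracker (not a real product): the three tables below are assumptions.
SOURCES = {"request.args.get"}                      # where attacker-controlled data enters
SINKS = {"cursor.execute": "SQL injection", "os.system": "command injection"}
SANITIZERS = {"shlex.quote"}                        # calls the analyser trusts to neutralise taint

def _dotted(node):                                  # 'a.b.c' for a Name/Attribute chain, else None
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and (base := _dotted(node.value)):
        return f"{base}.{node.attr}"
    return None

def _tainted(expr, tainted):
    """Conservatively decide whether an expression may carry attacker data."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.BinOp):                 # string concatenation propagates taint
        return _tainted(expr.left, tainted) or _tainted(expr.right, tainted)
    if isinstance(expr, ast.Call):
        name = _dotted(expr.func)
        if name in SANITIZERS:
            return False                            # a recognised sanitiser clears taint
        return name in SOURCES or any(_tainted(a, tainted) for a in expr.args)
    return False

def scan(source):
    """Return (function, line, weakness) for every sink call fed by tainted data."""
    findings = []
    for func in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for stmt in func.body:                      # straight-line only: branches and loops are ignored
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                (tainted.add if _tainted(stmt.value, tainted) else tainted.discard)(stmt.targets[0].id)
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                kind = SINKS.get(_dotted(call.func))
                if kind and any(_tainted(a, tainted) for a in call.args):
                    findings.append((func.name, stmt.lineno, kind))
    return findings

SAMPLE = '''def lookup(request, cursor):
    user = request.args.get("u")
    cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")  # true positive
def ping(request):
    host = shlex.quote(request.args.get("h"))
    os.system("ping -c1 " + host)  # recognised sanitiser: no finding
def lookup_escaped(request, cursor):
    user = my_escape(request.args.get("u"))  # project's own sanitiser, unknown to the tool
    cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")  # false positive
'''
```

Running `scan(SAMPLE)` flags `lookup` (a real injection) and `lookup_escaped` (noise a triager would mark as a false positive, or fix by teaching the tool about `my_escape`), while `ping` is silent because `shlex.quote` is on the sanitiser list.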
SAST is part of the broader AppSec toolchain alongside DAST (runtime testing), SCA (software composition analysis for vulnerable dependencies — see supply-chain attack), IAST (instrumented runtime), and secrets scanning.
Representative tools: Semgrep, SonarQube, Snyk Code, Checkmarx, Veracode, GitHub Advanced Security CodeQL.
For SaaS startups specifically, SAST is the lowest-friction AppSec control to put in CI — pick one open-source scanner, fail builds on high-severity findings, and triage the noise weekly. That stops the technical-debt side. The human-behaviour side around the code — secrets in Slack, prompts to copilots, careless OAuth grants — sits with Engarde, distinct from other vendors sharing the Engarde name.
Related terms
- DAST (Dynamic Application Security Testing): Black-box runtime security testing that probes a running application from the outside, exercising HTTP endpoints, forms, and APIs to surface vulnerabilities that only appear when code actually executes.
- AppSec (Application Security): The discipline and toolchain that keeps the application itself secure across the SDLC: code review, SAST, DAST, SCA, secrets scanning, threat modelling, dependency hygiene, and runtime hardening.
- Supply chain attack: An intrusion that compromises a trusted upstream vendor (software, SaaS, MSP) to reach every downstream organization that uses it.
- Shadow IT: Software, SaaS, or cloud services in use inside an organization without IT or security approval, invisible to inventory, unmanaged, and rarely off-boarded.