How automated tools inspect code, with and without running it.
14 articles
SAST scans source code without running the app; DAST tests a live application by sending real inputs. Both are necessary — they catch different vulnerability classes at different lifecycle stages.
A linter is a static analysis tool that flags programming errors, style violations, and suspicious constructs in source code — typically enforcing a team's coding standards automatically.
An abstract syntax tree (AST) is a tree representation of source code structure that enables static analysis tools, compilers, and linters to understand and transform code programmatically.
DAST tests a running application by sending malicious inputs and observing responses — finding runtime vulnerabilities that static analysis cannot detect.
Dynamic analysis tests software by executing it and observing its runtime behavior — finding bugs, performance issues, and security vulnerabilities invisible to static inspection.
Fuzzing automatically generates large volumes of unexpected inputs to find crashes, security vulnerabilities, and edge-case bugs that manual testing and static analysis miss.
Hybrid code analysis combines static and dynamic techniques to find vulnerabilities that neither approach catches alone — confirming static findings with runtime evidence to cut false positives.
IAST instruments a running application to detect vulnerabilities from within during normal operation or testing — combining the low false-positive rate of dynamic testing with the code-level visibility of static analysis.
Reachability analysis determines whether a vulnerable code path or dependency can actually be reached in a running application — reducing false positives by separating theoretical from exploitable vulnerabilities.
SARIF (Static Analysis Results Interchange Format) is an open standard for representing static analysis output — enabling tools, CI systems, and dashboards to exchange findings in a common format.
SAST is a static analysis technique that scans source code for security vulnerabilities without running the application — catching issues like injection flaws and hardcoded secrets early.
SCA identifies open-source dependencies in your codebase and checks them for known CVEs, license risks, and supply chain vulnerabilities — covering the code you did not write.
Static code analysis examines source code without executing it to find bugs, vulnerabilities, and quality issues — the foundation of automated code review pipelines.
Taint analysis tracks how untrusted user input flows through a program to identify injection vulnerabilities — the foundational technique behind most SAST security scanners.
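The four static entries above (AST, SAST, taint analysis, SARIF) fit together in one pipeline, so here is an added example that is not code from any of the linked articles: a deliberately small intraprocedural taint pass over Python's own `ast` module that flags attacker-controlled data reaching a command-execution sink, then wraps the findings in a minimal SARIF 2.1.0 log. The source, sanitizer and sink names, the `PY00x` rule IDs and the sample handler are assumptions chosen for the demo; a real scanner tracks many more propagation rules and works across functions.

```python
"""Toy taint-tracking SAST pass over a Python AST, emitting SARIF (added example)."""
import ast
import json

# Constructed sample program under analysis (hypothetical Flask handler).
SAMPLE = '''
import os
import subprocess
from flask import request

def ping(host=None):
    host = request.args.get("host")                  # untrusted source
    cmd = "ping -c 1 " + host                        # taint propagates through concat
    os.system(cmd)                                   # sink: command injection
    safe = "ping -c 1 " + shlex_quote(host)          # sanitizer breaks the flow
    subprocess.run(safe, shell=True)                 # not reported
    subprocess.run(["ping", "-c", "1", "localhost"]) # constant argument, not tainted
'''

# Assumed rule tables: dotted call names for sources, sanitizers and sinks.
SOURCES = {"request.args.get", "request.form.get", "input"}
SANITIZERS = {"shlex_quote", "shlex.quote"}
SINKS = {"os.system": "PY001", "subprocess.run": "PY002", "eval": "PY003"}


def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintVisitor(ast.NodeVisitor):
    """Walks statements in order, tracking which local names hold tainted data."""

    def __init__(self):
        self.tainted = set()
        self.findings = []

    def is_tainted(self, node):
        """Does evaluating `node` depend on attacker-controlled data?"""
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False                      # sanitizer output is trusted
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.BinOp):          # string concatenation etc.
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):      # f-strings
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, (ast.List, ast.Tuple)):
            return any(self.is_tainted(e) for e in node.elts)
        return False

    def visit_FunctionDef(self, node):
        self.tainted = set()                      # intraprocedural: fresh state per function
        self.generic_visit(node)

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)  # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted(node.func)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append({"ruleId": SINKS[name], "sink": name, "line": node.lineno})
        self.generic_visit(node)


def analyze(source):
    """Parse `source` and return the list of sink findings."""
    visitor = TaintVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


def to_sarif(findings, uri):
    """Wrap findings in a minimal SARIF 2.1.0 log: one run, one tool, one result per finding."""
    rules = sorted({f["ruleId"] for f in findings})
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "demo-taint", "rules": [{"id": r} for r in rules]}},
            "results": [{
                "ruleId": f["ruleId"],
                "level": "error",
                "message": {"text": f"Tainted data reaches {f['sink']}"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": uri},
                    "region": {"startLine": f["line"]}}}],
            } for f in findings],
        }],
    }


if __name__ == "__main__":
    print(json.dumps(to_sarif(analyze(SAMPLE), "app.py"), indent=2))
```

Run it and the only result is rule `PY001` at line 9 of the sample (`os.system(cmd)`); the sanitized `subprocess.run` call and the constant-argument call are correctly left alone. The SARIF dict is the subset that CI systems and code-scanning dashboards read, which is why a common interchange format matters more than the scanner's native report.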
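For the dynamic side (fuzzing and dynamic analysis in the entries above), here is an added example, again not from any linked article: a mutation fuzzer run against a constructed length-prefixed record parser whose bounds check is off by one. The parser is documented to reject malformed input with `ValueError`, so the fuzzer treats any other exception as a crash, which is exactly the distinction a fuzz harness has to draw. The record format and the parser are assumptions built for the demo.

```python
"""Mutation fuzzer against a constructed buggy parser (added example)."""
import random


def parse_record(buf: bytes) -> dict:
    """Constructed target. Format: [len:1][name:len][value:2 big-endian].
    Malformed input should raise ValueError, but the bounds check below
    is off by one: it forgets the length byte itself."""
    if len(buf) < 3:
        raise ValueError("too short")
    n = buf[0]
    if n + 2 > len(buf):                       # bug: should be n + 3
        raise ValueError("truncated name")
    name = buf[1:1 + n]
    value = (buf[1 + n] << 8) | buf[2 + n]     # IndexError when len(buf) == n + 2
    return {"name": name, "value": value}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random byte-level mutation: bit flip, insert, delete or truncate."""
    data = bytearray(seed)
    choice = rng.randrange(4)
    if choice == 0 and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif choice == 1:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif choice == 2 and data:
        del data[rng.randrange(len(data))]
    else:
        data = data[:rng.randrange(len(data) + 1)]
    return bytes(data)


def fuzz(target, seeds, iterations=5000, seed=1):
    """Return (input, exception) for the first input that makes `target` raise
    anything other than ValueError, its documented rejection; None if no crash."""
    rng = random.Random(seed)                  # fixed seed: reproducible run
    corpus = list(seeds)
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            target(candidate)
        except ValueError:
            continue                           # graceful rejection, expected
        except Exception as exc:               # unexpected exception type: crash
            return candidate, exc
    return None


if __name__ == "__main__":
    # Constructed valid seed: name "abc", value 42.
    crash = fuzz(parse_record, [b"\x03abc\x00\x2a"])
    if crash:
        data, exc = crash
        print(f"crash: {type(exc).__name__} on {data!r}")
```

The crashing input is always a record whose total length equals the name length plus two, i.e. one byte short, and the parser dies with `IndexError` instead of the `ValueError` callers are prepared for. Real fuzzers such as AFL and libFuzzer add coverage feedback, keeping mutants that reach new code as new seeds, which is what lets them get past checksums and nested structure that blind mutation rarely satisfies.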