SAST Tools
Automation
Automated SAST tools scan source code for vulnerability patterns. While they produce false positives, they're essential for scaling code review across large codebases.
Semgrep
```bash
# Semgrep - Fast, customizable SAST
# Install
pip install semgrep
# Run with community rules
semgrep --config=auto .
# Run specific rulesets
semgrep --config=p/owasp-top-ten .
semgrep --config=p/security-audit .
```

```yaml
# Custom rule example (semgrep.yaml)
# Matches any assignment of a string literal to a variable named `password`
rules:
  - id: hardcoded-password
    patterns:
      - pattern: password = "..."
    message: Hardcoded password detected
    severity: ERROR
    languages: [python]
```

```bash
# Run custom rules
semgrep --config=semgrep.yaml .
```
Other SAST Tools
```bash
# CodeQL (GitHub)
# Create database
codeql database create codeql-db --language=javascript
# Run queries
codeql database analyze codeql-db javascript-security-extended.qls --format=csv --output=results.csv

# Bandit (Python)
pip install bandit
bandit -r ./src

# Brakeman (Ruby/Rails)
gem install brakeman
brakeman -A

# gosec (Go)
go install github.com/securego/gosec/v2/cmd/gosec@latest
gosec ./...

# SonarQube (multi-language)
# Requires server setup
sonar-scanner -Dsonar.projectKey=myproject -Dsonar.sources=.
```
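Scanner output is only useful at scale if the false positives mentioned above are handled without silencing the rules. The following is an added example (not from the original page or from the Semgrep project) that reads the JSON report of the `semgrep --config=semgrep.yaml .` run above, drops findings a reviewer has already accepted via a checked-in baseline, and decides whether CI should fail; the field names follow `semgrep --json` output, while the report, paths and the `BASELINE` set are constructed for illustration.

```python
# Gate a CI job on Semgrep findings while suppressing reviewed false positives.
# Added example, not from the original page; field names follow `semgrep --json`
# output, and the report below is a constructed sample, not real scan output.
import json
from collections import Counter

# Constructed sample of `semgrep --json --config=semgrep.yaml .` output.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"check_id": "hardcoded-password", "path": "app/db.py",
         "start": {"line": 12},
         "extra": {"severity": "ERROR", "message": "Hardcoded password detected"}},
        {"check_id": "hardcoded-password", "path": "tests/fixtures.py",
         "start": {"line": 3},
         "extra": {"severity": "ERROR", "message": "Hardcoded password detected"}},
        {"check_id": "subprocess-shell-true",  # hypothetical rule id
         "path": "tools/build.py", "start": {"line": 40},
         "extra": {"severity": "WARNING", "message": "subprocess called with shell=True"}},
    ],
    "errors": [],
})

# Findings a reviewer has accepted as false positives, keyed by (check_id, path).
# Checking this into the repo keeps every suppression visible and auditable.
BASELINE = {("hardcoded-password", "tests/fixtures.py")}

def triage(report_json, baseline=BASELINE, fail_on=("ERROR",)):
    """Return (blocking findings, counts by severity) after baseline filtering."""
    report = json.loads(report_json)
    blocking, counts = [], Counter()
    for r in report["results"]:
        if (r["check_id"], r["path"]) in baseline:
            continue  # reviewed false positive; the rule itself keeps running
        sev = r["extra"]["severity"]
        counts[sev] += 1
        if sev in fail_on:
            blocking.append(f'{r["path"]}:{r["start"]["line"]} {r["check_id"]}: '
                            f'{r["extra"]["message"]}')
    return blocking, dict(counts)

def ci_exit_code(report_json):
    """1 when an unsuppressed finding at a blocking severity remains, else 0."""
    blocking, counts = triage(report_json)
    print("\n".join(blocking) or "no blocking findings", "| counts:", counts)
    return 1 if blocking else 0

if __name__ == "__main__":
    raise SystemExit(ci_exit_code(SAMPLE_REPORT))
```

Semgrep's own `--error` flag already fails the run on any finding; the baseline here adds a reviewed, version-controlled suppression step between the scan and the gate.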