Day 7 of 60 · Static analysis & type-time
SAST (static application security testing)
Linters tell you the code is messy. SAST tells you where the code is likely exploitable. Both can run for free; only one prevents the breach you didn't see coming.
Problem
Vulnerability classes that linting misses: SQL injection, SSRF, hardcoded credentials, unsafe deserialization.
How it works
Pattern-matching (syntactic) or dataflow (source-to-sink taint tracking) analyzers tuned for security vulnerability classes. Run on every PR. Result: a queue of findings to triage, some of them false positives that need a suppression or a baseline so the merge gate stays credible.
What it catches
OWASP Top 10 patterns, taint-flow vulns (untrusted source reaching a dangerous sink), dangerous APIs, secret leaks. Benchmark studies (the OWASP Benchmark is the usual yardstick) put SAST recall on injection-class bugs at roughly 30–50%, so it narrows the search rather than closing it; the rest still needs review, DAST or tests.
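To make the "how it works" and "what it catches" parts concrete, here is an added toy analyzer, not code from the page or from Semgrep, CodeQL or any other tool it names. It implements the two mechanisms real SAST engines combine: a taint-flow rule (untrusted input reaching a SQL `execute*` sink) and a pattern rule (a secret-looking variable bound to a string literal), run over Python source with the standard-library `ast` module. The source, sink and sanitizer tables are assumptions modelled on Flask and DB-API names, the sample file is constructed for the example, and the `gate` function is a hypothetical stand-in for the merge gate a CI job would apply.

```python
"""Toy SAST over Python source: a taint-flow rule (untrusted input reaching a
SQL execute* sink) plus a pattern rule (hard-coded credential). Single pass,
no branch or cross-function modelling; real engines add both."""
import ast
import re
import sys

TAINT_SOURCES = {"request.args", "request.form", "request.get_json", "input"}  # assumed Flask/stdlib models
SINK_METHODS = {"execute", "executemany", "executescript"}  # assumed DB-API sinks
SANITIZERS = {"int", "float"}  # a numeric cast clears taint
SECRET_NAME = re.compile(r"password|passwd|secret|api[_-]?key|token", re.I)


def dotted(node):
    """Render a Name/Attribute chain as 'a.b.c'; None for other expressions."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class Analyzer(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()  # variable names currently holding untrusted data
        self.findings = []    # (line, rule_id, message)

    def is_tainted(self, node):
        """True if the expression derives from a source and no sanitizer intervened."""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in SANITIZERS:
                return False
            if name in TAINT_SOURCES:
                return True
            # method on a tainted receiver, e.g. request.args.get("id")
            if isinstance(node.func, ast.Attribute) and self.is_tainted(node.func.value):
                return True
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.Attribute):
            return dotted(node) in TAINT_SOURCES or self.is_tainted(node.value)
        if isinstance(node, ast.Subscript):
            return self.is_tainted(node.value)
        if isinstance(node, ast.BinOp):  # "..." + x, "..." % x
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):  # f"...{x}"
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_Assign(self, node):
        for target in node.targets:
            if not isinstance(target, ast.Name):
                continue
            if self.is_tainted(node.value):
                self.tainted.add(target.id)
            else:
                self.tainted.discard(target.id)  # clean reassignment clears taint
            # pattern rule: secret-looking name bound to a string literal
            if (SECRET_NAME.search(target.id) and isinstance(node.value, ast.Constant)
                    and isinstance(node.value.value, str)):
                self.findings.append((node.lineno, "hardcoded-credential",
                                      f"{target.id} is assigned a string literal"))
        self.generic_visit(node)

    def visit_Call(self, node):
        # taint rule: first argument to a SQL execute* method is untrusted
        if (isinstance(node.func, ast.Attribute) and node.func.attr in SINK_METHODS
                and node.args and self.is_tainted(node.args[0])):
            self.findings.append((node.lineno, "sql-injection",
                                  f"untrusted data reaches {dotted(node.func)}"))
        self.generic_visit(node)


def scan(source):
    """Return sorted (line, rule_id, message) findings for one Python file."""
    analyzer = Analyzer()
    analyzer.visit(ast.parse(source))
    return sorted(analyzer.findings)


def gate(findings):
    """Hypothetical merge gate for CI: print findings, return 1 if any fired else 0."""
    for line, rule, msg in findings:
        print(f"sample.py:{line}: {rule}: {msg}")
    return 1 if findings else 0


# Constructed sample (not from any real project); lines 2, 6 and 12 should fire.
SAMPLE = '''\
from flask import request
DB_PASSWORD = "hunter2"
def lookup(cur):
    uid = request.args.get("id")
    query = "SELECT * FROM users WHERE id = " + uid
    cur.execute(query)
def lookup_safe(cur):
    uid = int(request.args.get("id"))
    cur.execute("SELECT * FROM users WHERE id = ?", (uid,))
def log_name(cur):
    name = request.get_json()["name"]
    cur.execute(f"INSERT INTO log VALUES ('{name}')")
'''

if __name__ == "__main__":
    sys.exit(gate(scan(SAMPLE)))
```

Two things the toy makes visible that the paragraph does not: the parameterized `execute("... = ?", (uid,))` call is silent because the SQL text is a constant, and `int(...)` is modelled as a sanitizer so the cast result is clean. Every false positive a real tool produces traces back to one of these tables being incomplete for your framework, which is why rule tuning and a baseline are part of the maintenance cost rather than a one-off.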
Tools
- Semgrep · OSS
- CodeQL · OSS
- SonarQube · Hybrid
- Snyk Code · SaaS
Licence caveat: CodeQL's query packs are open source, but the CLI is free only for open-source projects and research; analysing proprietary code needs a GitHub Advanced Security licence. Semgrep's OSS engine is free; its Pro rules and cross-file analysis are commercial.
Verdict by project size
| Project size | Verdict |
|---|---|
| Small | Optional |
| Medium | Recommended |
| Large | Must |
| Extra-large | Must |
Cost
| Project size | Setup | Maint / mo | Tool / mo | CI / run |
|---|---|---|---|---|
| Small <10k LOC | 1d | 2h | $0 | +2m |
| Medium 10–100k LOC | 3d | 8h | $0 | +5m |
| Large 100k–1M LOC | 10d | 30h | $500 | +10m |
| Extra-large >1M LOC | 30d | 120h | $5k | +20m |
Setup = engineer-days to first useful run · Maint = engineer-hours / month at steady state · Tool = out-of-pocket $ / month · CI = minutes added (or saved) per pipeline run
Lifecycle & ownership
When in lifecycle
Code · Build · Per pull request: runs in CI on every PR and gates merge.
Who owns it
Developer (authoring + the inner loop) · Collaborates with: Security / AppSec
Reference implementations
- Semgrep rules: community and vendor-maintained security rules for real SAST findings.
- CodeQL query repository: security query packs and examples for semantic code analysis.
- OWASP Benchmark: synthetic vulnerable app used to measure SAST and DAST tool accuracy.