SAST overview
What is Invicti SAST?
Invicti SAST (Static Application Security Testing) analyzes application source code to identify security vulnerabilities without executing the application. By scanning code early in the development lifecycle, SAST helps teams find and fix issues before they reach production.
How it works
Invicti SAST scans source code, bytecode, or binaries to detect security flaws by analyzing code paths, data flows, and patterns that could lead to vulnerabilities. The scanning process includes:
- Data flow analysis: traces how data moves through the application to identify injection points and unsafe data handling.
- Pattern matching: detects known vulnerable coding patterns and anti-patterns.
- Control flow analysis: examines execution paths to find logic errors and security flaws.
- Runtime correlation: validates SAST findings against DAST and IAST results to confirm actual exploitability, reducing false positives.
What it can discover
Invicti SAST detects vulnerabilities across the following categories:
| Category | Examples |
|---|---|
| Injection | SQL Injection, Command Injection, LDAP Injection, XPath Injection |
| Cross-Site Scripting (XSS) | Reflected XSS, Stored XSS, DOM-based XSS |
| Authentication flaws | Hardcoded credentials, weak password handling, insecure session management |
| Insecure data handling | Insecure deserialization, path traversal, buffer overflows |
| Cryptographic issues | Weak encryption algorithms, insecure random number generation |
| Code quality | Null pointer dereferences, resource leaks, race conditions |
Supported languages
Invicti SAST supports 27+ programming languages, including Java, JavaScript, TypeScript, Python, C#, C/C++, Go, PHP, Ruby, Kotlin, Swift, and Rust.
Supported SAST Scanners
The table below lists the SAST integrations available in Invicti ASPM. The Slug column is the value passed to the `-t` flag of the KDT CLI (`kdt scan -p <project> -t <slug> -b <branch>`); only scanners whose Supported Methods include KDT can be run that way, while Bind, Import and Create are configured from the ASPM side.
| Scanner | Slug | Type | Authentication | Languages | Supported Methods |
|---|---|---|---|---|---|
| Checkmarx CxSAST (legacy 8.x) | checkmarx | Connection | Basic auth (username/password) | Language agnostic | Bind, KDT, Import |
| Checkmarx CxSAST (alternative) | cxsast | Connection | Basic auth | Language agnostic | Bind, KDT, Import |
| Checkmarx One SAST | checkmarxast | Connection | API token | Language agnostic | Bind, KDT, Import, Create |
| Coverity (Synopsys Cloud) | coverity | Connection | API token | Language agnostic | Bind, KDT, Import |
| Coverity Server (Black Duck on-prem) | coverityserver | Connection | Basic auth | Language agnostic | Bind, KDT, Import |
| Fortify SSC (on-prem) | fortify | Connection / Import | Basic auth | Language agnostic | Bind, Import |
| Fortify on Demand (FoD) SAST | fortifyod | Connection | Basic auth | Language agnostic | Bind, KDT, Import |
| Parasoft | parasoft | Import | Basic auth | Java | Import |
| Veracode | veracode | Connection | Basic auth (API ID + key) | Language agnostic | Bind, KDT, Import |
| SonarQube (self-hosted) | sonarqube | Connection | Basic auth or token | Language agnostic | Bind, KDT, Import |
| SonarCloud (SaaS) | sonarcloud | Connection | API token | 5+ languages | Bind, KDT, Import |
| Semgrep CE (Community Edition) | semgrep | Docker (open source) | — | Multi-language | KDT, Import |
| Semgrep Enterprise SAST | semgrepenterprisesast | Connection | API token | Multi-language | Bind, KDT, Import |
| Qwiet AI SAST (formerly ShiftLeft) | qwietaisast | Connection | API token | Language agnostic | Bind, KDT, Import |
| CodeQL (via GitHub Code Scanning) | codeql | GitHub integration | GitHub PAT/App | Language agnostic | Bind, Import |
| MobSF SAST (Mobile Security Framework) | mobsfsast | Connection | API token | Mobile (iOS/Android) | Bind, KDT, Import |
| Snyk Code (SAST) | snyksast | Connection | API token | Multi-language | Bind, KDT, Import |
| GitGuardian (secrets scanning) | gitguardian | Connection | API token | Secrets/credentials | Bind, KDT, Import |
| Code Threat | codethreat | Connection | API token | Multi-language | Bind, KDT, Import |
| Mend SAST (formerly WhiteSource) | mendsast | Connection | Basic auth | Multi-language | Bind, KDT, Import |
| Polaris fAST Static (Black Duck) | faststatic | Connection | API token | Language agnostic | Bind, KDT, Import |
| Gosec | gosec | Docker (open source) | — | Go | KDT, Import |
| Brakeman | brakeman | Docker (open source) | — | Ruby on Rails | KDT, Import |
| Bandit | bandit | Docker (open source) | — | Python | KDT, Import |
| Find Security Bugs | findsecbugs | Docker (open source) | — | Java | KDT, Import |
| Security Code Scan | securitycodescan | Docker (open source) | — | .NET / .NET Core | KDT, Import |
| ESLint (security plugins) | eslint | Docker (open source) | — | JavaScript, TypeScript | KDT, Import |
| NodeJsScan | nodejsscan | Docker (open source) | — | Node.js | KDT, Import |
| Psalm | psalm | Docker (open source) | — | PHP | KDT, Import |
| Gitleaks (secrets scanning) | gitleaks | Docker (open source) | — | Language agnostic (secrets) | KDT, Import |
| TruffleHog (secrets scanning) | trufflehogsecurity | Docker (open source) | Basic auth (optional) | Language agnostic (secrets) | KDT, Import |
| Opengrep | opengrep | Docker (open source) | — | Multi-language | KDT, Import |
Choosing a SAST Scanner
| If you need… | Consider |
|---|---|
| Enterprise, language-agnostic coverage | Checkmarx One, Coverity, Fortify, Veracode, Qwiet AI, Polaris fAST Static |
| SaaS-only, no infrastructure | Checkmarx One SAST, SonarCloud, Snyk Code, Mend SAST, Fortify on Demand, Veracode |
| Open-source / no license cost | Semgrep CE, Opengrep, Bandit, Brakeman, ESLint, Gosec, Psalm, Find Security Bugs, Security Code Scan, NodeJsScan |
| Secrets / credential scanning | GitGuardian, Gitleaks, TruffleHog |
| Mobile (iOS / Android) | MobSF SAST |
| Native GitHub integration | CodeQL, GitHub Secret Scanner |
| Language-specific (Go, Ruby, Python, .NET, PHP, JS/TS, Java) | Gosec, Brakeman, Bandit, Security Code Scan, Psalm, ESLint, Find Security Bugs |
