IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. Glossary
  3. SAST

Testing methods

SAST

Static Application Security Testing

Static Application Security Testing (SAST) inspects source code, bytecode, or binaries for insecure patterns without executing the program. It integrates early in development and can pinpoint the exact line of a flaw, but it has no runtime context, so it produces false positives and cannot confirm exploitability the way dynamic or autonomous testing can.

Key points

  • White-box: requires access to source or compiled code.
  • Runs early (shift-left) and locates issues at the line level.
  • No runtime context, so exploitability must be confirmed separately.
  • Pairs with DAST and autonomous testing for validated findings.

FAQ

Does SAST confirm a vulnerability is exploitable?

No. SAST flags suspicious code patterns but has no runtime context, so many findings are not actually exploitable. Confirming exploitability requires dynamic, interactive, or autonomous testing that exercises the running app.

Related

DASTIASTSCADevSecOps

References

  • OWASP: SAST

Impactr is an autonomous AI penetration testing platform - it investigates, chains, and proves web and API vulnerabilities with reproducible evidence.

Join the waitlist
← All terms
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub