A static code analysis tool is an automated tool used to perform static analysis, also known as static application security testing (SAST). SAST is the process of assessing software without executing it. SAST is most commonly performed on source code, but can also be performed on compiled binaries or object code produced for interpreted languages.
Static code analysis is used in three main ways:
- Performed as a one-time assessment to facilitate manual code review
- Integrated into and performed as part of an automated build process
- In the IDE, giving code developers real-time feedback and guidance
The pros of static code analysis:
- Like manual source code review, SAST can be performed early in the development process, even on incomplete code bases.
- Unlike manual review, SAST can be used to assess large amounts of code in a relatively short amount of time.
- SAST can be customized for various languages, frameworks, business logic, or internal coding standards.
- SAST results are consistent, improving standardization.
The cons of static code analysis:
- Static code analysis may require significant investment in customization and fine tuning. Without this, it can generate a high level of false positives. Developers sometimes question whether findings are in fact exploitable.
- Static code analysis often requires access to source or compiled code, which may not always be available.
- SAST is not able to detect issues related to environment and third-party components.
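The following is an added example, not part of the original article or any existing SAST product: a minimal static checker that inspects Python source through its syntax tree (the code under review is parsed, never executed) and grades each finding so that the false-positive concern above is visible. The rule identifiers, severities and sample code are constructed for this illustration.

```python
import ast

# Rule identifiers are constructed for this example, not taken from a real tool.
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


def _is_str_literal(node):
    """True when the argument is a plain string constant (no runtime influence)."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _qualname(func):
    """Return 'subprocess.run' for attribute calls, 'eval' for bare names, else ''."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    if isinstance(func, ast.Name):
        return func.id
    return ""


def scan_source(source):
    """Parse `source` and return sorted (line, rule_id, severity, message) tuples.

    Only the syntax tree is inspected; nothing in `source` runs. A literal
    argument is reported at LOW severity: that is the class of finding
    developers challenge as non-exploitable, hence the need for rule tuning.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name = _qualname(node.func)
        if name in ("eval", "exec"):
            sev = "LOW" if _is_str_literal(node.args[0]) else "HIGH"
            findings.append((node.lineno, "PY-EVAL-001", sev, f"{name}() call"))
        elif name.startswith("subprocess.") and name.split(".", 1)[1] in SUBPROCESS_FUNCS:
            shell = any(k.arg == "shell" and isinstance(k.value, ast.Constant)
                        and k.value.value is True for k in node.keywords)
            if shell:
                sev = "LOW" if _is_str_literal(node.args[0]) else "HIGH"
                findings.append((node.lineno, "PY-SHELL-001", sev, f"{name}(shell=True)"))
    return sorted(findings)


# Constructed sample code under review; it is only parsed, never executed.
SAMPLE = """\
import subprocess
def build(user_input):
    subprocess.run("ls -l", shell=True)
    subprocess.run("ls " + user_input, shell=True)
    subprocess.run(["ls", user_input])
    return eval(user_input)
"""

if __name__ == "__main__":
    for line, rule, sev, msg in scan_source(SAMPLE):
        print(f"line {line}: {rule} [{sev}] {msg}")
```

The same `scan_source` function could run once over a whole tree for a manual review, as a build step that fails on any HIGH finding, or per file inside an editor, which are the three usage modes listed above.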