SAST — Static Application Security Testing
SAST inspects source code to find security weaknesses before runtime. Decoder ships SAST as a free, no-key feature across 20+ languages.
What it is
Class of tooling that reasons about code structure to spot weaknesses pre-runtime.
Why it's useful
Cheap, fast, repeatable — catches a huge class of bugs before they ship.
How Decoder implements it
Pattern-based rules with CWE mapping, language-aware parsing, and severity ranking.
When to use it
Every commit, every PR, every audit.
When NOT to use it
For taint flow across services — that's DAST/IAST territory.
Practical example
A SQL string concatenation in a Java DAO is flagged as CWE-89 / High.
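As an added illustration of that example (this is not Decoder's rule engine or code), the block below is a minimal pattern-based SAST rule in Python: it locates JDBC query sinks, inspects the argument text for a string literal joined with `+` to a non-literal, and attaches the CWE and severity from the rule definition. The rule format, the function names and the three Java DAO snippets are all constructed assumptions.

```python
import re

# Constructed sample inputs (not from the Decoder project): a DAO method that
# concatenates user input into SQL, the same method rewritten with a
# parameterised PreparedStatement, and a variant that builds the query in a
# local variable before passing it to the sink.
VULNERABLE_DAO = '''\
public class UserDao {
    public User findByName(Connection conn, String name) throws SQLException {
        Statement stmt = conn.createStatement();
        ResultSet rs = stmt.executeQuery(
            "SELECT * FROM users WHERE name = '" + name + "'");
        return map(rs);
    }
}
'''

SAFE_DAO = '''\
public class UserDao {
    public User findByName(Connection conn, String name) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
            "SELECT * FROM users WHERE name = ?");
        ps.setString(1, name);
        return map(ps.executeQuery());
    }
}
'''

INDIRECT_DAO = '''\
public class UserDao {
    public User findByName(Connection conn, String name) throws SQLException {
        String sql = "SELECT * FROM users WHERE name = '" + name + "'";
        return map(conn.createStatement().executeQuery(sql));
    }
}
'''

# Hypothetical rule definition in the shape a pattern-based engine might use:
# a sink pattern, a payload pattern, and the CWE / severity to attach.
RULE = {
    "id": "java-sql-string-concat",
    "cwe": "CWE-89",
    "severity": "High",
    "sinks": re.compile(
        r"\.(executeQuery|executeUpdate|execute|prepareStatement)\s*\("),
    # a string literal joined with '+' to something that is not a literal
    "payload": re.compile(
        r'"[^"\n]*"\s*\+\s*[A-Za-z_(]|[A-Za-z_)\]]\s*\+\s*"'),
}


def _argument_text(src: str, open_paren: int) -> str:
    """Return the text between the '(' at open_paren and its matching ')',
    ignoring parentheses that appear inside Java string literals."""
    depth, in_string, i = 0, False, open_paren
    while i < len(src):
        c = src[i]
        if in_string:
            if c == "\\":
                i += 1            # skip the escaped character
            elif c == '"':
                in_string = False
        elif c == '"':
            in_string = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
        i += 1
    return src[open_paren + 1:]   # unbalanced input: scan to the end


def scan(src: str, rule: dict = RULE) -> list[dict]:
    """Apply one pattern rule to Java source and return its findings."""
    findings = []
    for m in rule["sinks"].finditer(src):
        arg = _argument_text(src, m.end() - 1)   # m.end()-1 is the '('
        if rule["payload"].search(arg):
            findings.append({
                "rule": rule["id"],
                "cwe": rule["cwe"],
                "severity": rule["severity"],
                "line": src.count("\n", 0, m.start()) + 1,
                "sink": m.group(1),
                "snippet": " ".join(arg.split()),
            })
    return findings


if __name__ == "__main__":
    for label, src in [("vulnerable", VULNERABLE_DAO),
                       ("safe", SAFE_DAO), ("indirect", INDIRECT_DAO)]:
        print(label, scan(src))
```

The vulnerable snippet produces one CWE-89 / High finding at the `executeQuery` sink, and the parameterised version produces none. The third snippet is the caveat: because the concatenation happens in a local variable and only `sql` reaches the sink, a purely pattern-based rule reports nothing. Catching that case needs taint tracking from the assignment to the sink, which is the kind of flow analysis the page points to as beyond simple SAST pattern matching.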
FAQ
Glossary
- DAST: Dynamic Application Security Testing — runtime probing.
- IAST: Interactive Application Security Testing — instruments running code.
Related
Static malware analysis inspects code and binaries without executing them. Decoder runs it locally on your upload and surfaces suspicious patterns, entropy spikes and known indicators — no API key required.
CWE (Common Weakness Enumeration) is the MITRE taxonomy of software weaknesses. Decoder attaches a CWE ID where applicable so findings are comparable across tools and reports.
Severity tells you what to fix first. Decoder normalises every finding into Critical / High / Medium / Low using signal strength, exploitability, and project context.
A leaked key is the most common breach vector. Decoder combines provider-specific regex (AWS, GitHub, Stripe…) with entropy to flag secrets that don't belong in code.
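To show how provider-specific regex and entropy combine in secret detection, here is an added Python example that is not Decoder's detector. The provider patterns follow the publicly documented key prefixes and lengths but are an assumption about what such a rule set contains; the 4.0 bits-per-character threshold, the function names and the sample source lines (with obviously fake key values) are all constructed.

```python
import math
import re
from collections import Counter

# Provider-specific shapes (publicly documented prefixes and lengths; the
# exact rule set Decoder uses is not given on the page, so this is assumed).
PROVIDER_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe-secret-key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
}

# Generic candidate: a quoted token of 20+ base64 / url-safe characters.
CANDIDATE_RE = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")

ENTROPY_THRESHOLD = 4.0   # bits per character; assumed cut-off


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the string's own
    character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((k / n) * math.log2(k / n) for k in Counter(s).values())


def scan_line(line: str, threshold: float = ENTROPY_THRESHOLD) -> list[dict]:
    """Return secret findings for one source line: provider matches first,
    then high-entropy quoted strings not already covered by a provider rule."""
    findings = []
    covered = []
    for kind, pattern in PROVIDER_PATTERNS.items():
        for m in pattern.finditer(line):
            findings.append({"kind": kind, "value": m.group(0)})
            covered.append(m.group(0))
    for m in CANDIDATE_RE.finditer(line):
        token = m.group(1)
        if any(c in token for c in covered):
            continue                      # already reported by a provider rule
        ent = shannon_entropy(token)
        if ent >= threshold:
            findings.append({"kind": "high-entropy-string", "value": token,
                             "entropy": round(ent, 2)})
    return findings


def scan_source(lines: list[str]) -> list[tuple[int, dict]]:
    """Scan every line; return (1-based line number, finding) pairs."""
    return [(i, f) for i, line in enumerate(lines, 1) for f in scan_line(line)]


# Constructed sample source: dummy values, not real credentials.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"',
    'GITHUB_TOKEN = "ghp_a1B2c3D4a1B2c3D4a1B2c3D4a1B2c3D4e5F6"',
    'STRIPE_KEY = "sk_live_0123456789abcdefABCDEF01"',
    'SIGNING_SECRET = "x9Qm2LkZ7vP0aRt4WyBn8Jc3HsEu1Gd5"',
    'log.info("user logged in successfully")',
    'PLACEHOLDER = "aaaaaaaaaaaaaaaaaaaaaaaa"',
]

if __name__ == "__main__":
    for lineno, finding in scan_source(SAMPLE_LINES):
        print(lineno, finding)
```

The first three lines are caught by shape alone, which is why provider rules come first: they are precise and need no threshold. The fourth line has no recognisable prefix but 32 distinct characters in 32 positions (5.0 bits per character), so the entropy check catches it. The last two lines show the two kinds of false positive the combination avoids: ordinary prose inside a string never reaches the candidate length without spaces, and a long but repetitive placeholder has near-zero entropy.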