# Static Analysis (SAST)

One-sentence definition: Automated analysis of source code or binaries to detect vulnerable patterns without executing the program.

## Key Facts

- Finds injection sinks, hardcoded secrets, weak cryptography, missing input validation.
- Tune rules to reduce false positives; establish a baseline of accepted findings and a triage workflow so new findings are not lost in old noise.
- Integrate at pre-commit/PR time and in CI for early detection, gating merges on severe findings.
- Complement with manual code review, DAST and SCA; not a silver bullet (no runtime context, limited to what the rules describe).
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Select SAST for early detection in the SDLC (the earliest automated test that needs no running system).

**Mnemonic:** “**Stop** issues **statically**.”

## Mini Scenario

Q: Developers ignore a noisy SAST tool. What is the fix?

A: Rule tuning, a baseline for existing findings, gating only on critical issues, and developer training.

## Revision Checklist

- Pros/limits.
- Integration point.
- Tuning necessity.

## Related

[[Secure Code Review (Manual and Assisted)]] · [[Dynamic Analysis (DAST)]] · [[Software Composition Analysis (SCA) and SBOM]] · [[Testing in CI CD (Shift Left and Right)]] · [[Security Requirements and Testability]] · [[Domain 6 - Index]]
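## Worked Example

The Key Facts and the Mini Scenario both turn on three mechanics: pattern rules over the parsed program, a baseline that suppresses already-triaged findings, and a severity gate that blocks a PR or CI job. The block below is an added illustration written for this note, not code from the page or from any real SAST product; the rule names, severities, fingerprint scheme and baseline format are assumptions, and the analysed snippet is a constructed sample that deliberately contains findings. It walks a Python AST to flag hardcoded secrets, SQL built at runtime and passed to a query sink, and weak hash constructors, then applies the baseline and the gate.

```python
"""Toy SAST: AST pattern rules, baseline suppression, severity gating.

Added illustration for this note, not a real tool. Rule names, severities,
fingerprint scheme and baseline format are assumptions for the example.
"""
import ast
import hashlib

# Constructed sample under analysis; it deliberately contains findings.
SAMPLE_SOURCE = '''
import hashlib
import sqlite3

API_KEY = "sk-live-0123456789abcdef"      # hardcoded secret
DEBUG = "true"                            # string, but not a secret name

def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)   # SQL injection
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))     # parameterised, OK
    return cur.fetchall()

def digest(data):
    return hashlib.md5(data).hexdigest()  # weak hash
'''

SECRET_NAMES = ("PASSWORD", "SECRET", "API_KEY", "TOKEN")  # assumed rule config
SQL_SINKS = ("execute", "executemany")
WEAK_HASHES = ("md5", "sha1")


def _is_str_format(node):
    """True for '...' % x, '...'.format(x) or an f-string: a string built at runtime."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return isinstance(node.left, ast.Constant) and isinstance(node.left.value, str)
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"
    return False


def _finding(rule, severity, line, filename, symbol):
    # Fingerprint excludes the line number so a baseline survives unrelated edits.
    fp = hashlib.sha256(f"{filename}:{rule}:{symbol}".encode()).hexdigest()[:16]
    return {"rule": rule, "severity": severity, "line": line, "fingerprint": fp}


def analyze(source, filename="sample.py"):
    """Run the three pattern rules over the AST; return a list of finding dicts."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        # Rule 1: string literal assigned to a secret-looking name.
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant) \
                and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(s in target.id.upper() for s in SECRET_NAMES):
                    findings.append(_finding("hardcoded-secret", "HIGH", node.lineno, filename, target.id))
        # Rule 2: query sink whose first argument is a string built at runtime.
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
                and node.func.attr in SQL_SINKS and node.args and _is_str_format(node.args[0]):
            findings.append(_finding("sql-injection", "CRITICAL", node.lineno, filename, node.func.attr))
        # Rule 3: weak hash constructor from hashlib.
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
                and node.func.attr in WEAK_HASHES and isinstance(node.func.value, ast.Name) \
                and node.func.value.id == "hashlib":
            findings.append(_finding("weak-hash", "MEDIUM", node.lineno, filename, node.func.attr))
    return findings


def gate(findings, baseline, fail_on=("CRITICAL", "HIGH")):
    """Triage step: drop baselined (already accepted) findings, then fail only on severe ones.

    Returns (exit_code, new_findings); exit code 1 is what blocks the PR or CI job.
    """
    new = [f for f in findings if f["fingerprint"] not in baseline]
    blocking = [f for f in new if f["severity"] in fail_on]
    return (1 if blocking else 0), new


if __name__ == "__main__":
    found = analyze(SAMPLE_SOURCE)
    for f in found:
        print(f"{f['severity']:8} {f['rule']:17} line {f['line']}  fp={f['fingerprint']}")
    code, fresh = gate(found, baseline=set())
    print("gate exit code:", code)
```

The baseline is just the set of fingerprints a human has triaged; storing it in the repository lets a PR check fail only on findings introduced by that PR, which is the "noisy SAST" fix from the scenario. The `fail_on` tuple is the gating threshold: start with CRITICAL only, then widen as the backlog shrinks.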