availability
This integration is configured through the Invicti ASPM product.
SAST overview
What is SAST?
Static Application Security Testing (SAST) analyzes application source code to identify security vulnerabilities without executing the application. By scanning code early in the development lifecycle, SAST helps teams find and fix issues before they reach production.
note
Invicti AppSec Core includes a preconfigured Invicti SCA scanner that is automatically activated with your package. The integrations on this page are for teams using Invicti ASPM who want to connect their own SCA tools instead. See AppSec Core scanners overview for details on the built-in scanner.
How it works
SAST scans source code, bytecode, or binaries to detect security flaws by analyzing code paths, data flows, and patterns that could lead to vulnerabilities. The scanning process includes:
- Data flow analysis — traces how data moves through the application to identify injection points and unsafe data handling.
- Pattern matching — detects known vulnerable coding patterns and anti-patterns.
- Control flow analysis — examines execution paths to find logic errors and security flaws.
What it can discover
SAST detects vulnerabilities across the following categories:
| Category | Examples |
|---|---|
| Injection | SQL Injection, Command Injection, LDAP Injection, XPath Injection |
| Cross-Site Scripting (XSS) | Reflected XSS, Stored XSS, DOM-based XSS |
| Authentication flaws | Hardcoded credentials, weak password handling, insecure session management |
| Insecure data handling | Insecure deserialization, path traversal, buffer overflows |
| Cryptographic issues | Weak encryption algorithms, insecure random number generation |
| Code quality | Null pointer dereferences, resource leaks, race conditions |
Supported SAST scanners
The following SAST integrations are available through Invicti ASPM:
| Scanner | Slug | Type | Authentication | Languages | Supported Methods |
|---|---|---|---|---|---|
| Checkmarx CxSAST (legacy 8.x) | checkmarx | Connection | Basic auth (username/password) | Language agnostic | Bind, KDT, Import |
| Checkmarx CxSAST (alternative) | cxsast | Connection | Basic auth | Language agnostic | Bind, KDT, Import |
| Checkmarx One SAST | checkmarxast | Connection | API token | Language agnostic | Bind, KDT, Import, Create |
| Coverity (Synopsys Cloud) | coverity | Connection | API token | Language agnostic | Bind, KDT, Import |
| Coverity Server (Black Duck on-prem) | coverityserver | Connection | Basic auth | Language agnostic | Bind, KDT, Import |
| Fortify SSC (on-prem) | fortify | Connection / Import | Basic auth | Language agnostic | Bind, Import |
| Fortify on Demand (FoD) SAST | fortifyod | Connection | Basic auth | Language agnostic | Bind, KDT, Import |
| Parasoft | parasoft | Import | Basic auth | Java | Import |
| Veracode | veracode | Connection | Basic auth (API ID + key) | Language agnostic | Bind, KDT, Import |
| SonarQube (self-hosted) | sonarqube | Connection | Basic auth or token | Language agnostic | Bind, KDT, Import |
| SonarCloud (SaaS) | sonarcloud | Connection | API token | 5+ languages | Bind, KDT, Import |
| Semgrep CE (Community Edition) | semgrep | Docker (open source) | — | Multi-language | KDT, Import |
| Semgrep Enterprise SAST | semgrepenterprisesast | Connection | API token | Multi-language | Bind, KDT, Import |
| Qwiet AI SAST (formerly ShiftLeft) | qwietaisast | Connection | API token | Language agnostic | Bind, KDT, Import |
| CodeQL (via GitHub Code Scanning) | codeql | GitHub integration | GitHub PAT/App | Language agnostic | Bind, Import |
| MobSF SAST (Mobile Security Framework) | mobsfsast | Connection | API token | Mobile (iOS/Android) | Bind, KDT, Import |
| Snyk Code (SAST) | snyksast | Connection | API token | Multi-language | Bind, KDT, Import |
| GitGuardian (secrets scanning) | gitguardian | Connection | API token | Secrets/credentials | Bind, KDT, Import |
| Code Threat | codethreat | Connection | API token | Multi-language | Bind, KDT, Import |
| Mend SAST (formerly WhiteSource) | mendsast | Connection | Basic auth | Multi-language | Bind, KDT, Import |
| Polaris fAST Static (Black Duck) | faststatic | Connection | API token | Language agnostic | Bind, KDT, Import |
| Gosec | gosec | Docker (open source) | — | Go | KDT, Import |
| Brakeman | brakeman | Docker (open source) | — | Ruby on Rails | KDT, Import |
| Bandit | bandit | Docker (open source) | — | Python | KDT, Import |
| Find Security Bugs | findsecbugs | Docker (open source) | — | Java | KDT, Import |
| Security Code Scan | securitycodescan | Docker (open source) | — | .NET / .NET Core | KDT, Import |
| ESLint (security plugins) | eslint | Docker (open source) | — | JavaScript, TypeScript | KDT, Import |
| NodeJsScan | nodejsscan | Docker (open source) | — | Node.js | KDT, Import |
| Psalm | psalm | Docker (open source) | — | PHP | KDT, Import |
| Gitleaks (secrets scanning) | gitleaks | Docker (open source) | — | Language agnostic (secrets) | KDT, Import |
| TruffleHog (secrets scanning) | trufflehogsecurity | Docker (open source) | Basic auth (optional) | Language agnostic (secrets) | KDT, Import |
| Opengrep | opengrep | Docker (open source) | — | Multi-language | KDT, Import |
Choosing a SAST scanner
| If you need… | Consider |
|---|---|
| Enterprise, language-agnostic coverage | Checkmarx One, Coverity, Fortify, Veracode, Qwiet AI, Polaris fAST Static |
| SaaS-only, no infrastructure | Checkmarx One SAST, SonarCloud, Snyk Code, Mend SAST, Fortify on Demand, Veracode |
| Open-source / no license cost | Semgrep CE, Opengrep, Bandit, Brakeman, ESLint, Gosec, Psalm, Find Security Bugs, Security Code Scan, NodeJsScan |
| Secrets / credential scanning | GitGuardian, Gitleaks, TruffleHog |
| Mobile (iOS / Android) | MobSF SAST |
| Native GitHub integration | CodeQL, GitHub Secret Scanner |
| Language-specific (Go, Ruby, Python, .NET, PHP, JS/TS, Java) | Gosec, Brakeman, Bandit, Security Code Scan, Psalm, ESLint, Find Security Bugs |
Need help?
Invicti Support team is ready to provide you with technical help. Go to Help Center
Was this page useful?