Package: Invicti AppSec Core (on-demand), Invicti AppSec Enterprise (on-premise, on-demand)
SAST overview
What is Invicti SAST?
Invicti SAST (Static Application Security Testing) analyzes application source code to identify security vulnerabilities without executing the application. By scanning code early in the development lifecycle, SAST helps teams find and fix issues before they reach production.
For Invicti AppSec Core, Invicti SAST is pre-activated and ready to use. No manual setup or integration is required.
How it works
Invicti SAST scans source code, bytecode, or binaries to detect security flaws by analyzing code paths, data flows, and patterns that could lead to vulnerabilities. The scanning process includes:
- Data flow analysis: traces how data moves through the application to identify injection points and unsafe data handling.
- Pattern matching: detects known vulnerable coding patterns and anti-patterns.
- Control flow analysis: examines execution paths to find logic errors and security flaws.
- Runtime correlation: validates SAST findings against DAST and IAST results to confirm actual exploitability, reducing false positives.
What it can discover
Invicti SAST detects vulnerabilities across the following categories:
| Category | Examples |
|---|---|
| Injection | SQL Injection, Command Injection, LDAP Injection, XPath Injection |
| Cross-Site Scripting (XSS) | Reflected XSS, Stored XSS, DOM-based XSS |
| Authentication flaws | Hardcoded credentials, weak password handling, insecure session management |
| Insecure data handling | Insecure deserialization, path traversal, buffer overflows |
| Cryptographic issues | Weak encryption algorithms, insecure random number generation |
| Code quality | Null pointer dereferences, resource leaks, race conditions |
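The data flow analysis and pattern matching steps described under "How it works", and the Injection row of the table above, can be illustrated with a toy intra-procedural taint tracker. The block below is an added example written for this page; it is not Invicti's engine and does not show how Invicti SAST is implemented. The source list (`input`, `request.args.get`, `request.form.get`), the sink list (`cursor.execute`, `os.system`, `subprocess.run`), the sanitizer list and the three code samples it scans are all constructed for the example.

```python
"""Toy taint analysis over Python source (added example, not Invicti code).
It walks the AST once, records which names hold attacker-controlled data,
and reports a finding when such data reaches a dangerous call argument."""
import ast
from dataclasses import dataclass

# Constructed model: calls whose return value is attacker-controlled input.
TAINT_SOURCES = {"input", "request.args.get", "request.form.get"}
# Constructed model: calls that neutralise taint for this toy (assumed, not exhaustive).
SANITIZERS = {"int", "shlex.quote"}
# Constructed model: dotted sink name -> index of the argument that must be clean.
SINKS = {"cursor.execute": 0, "os.system": 0, "subprocess.run": 0}


@dataclass(frozen=True)
class Finding:
    line: int       # source line of the sink call
    sink: str       # dotted name of the sink
    variable: str   # unparsed expression that reached the sink


def dotted_name(node):
    """Render a call target such as request.args.get as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintVisitor(ast.NodeVisitor):
    """Single-scope tracker: one taint set for the whole module (toy simplification)."""

    def __init__(self):
        self.tainted = set()   # names currently holding attacker-controlled data
        self.findings = []

    def is_tainted(self, node):
        """Data flow step: taint propagates through names, +, %, f-strings,
        tuples and ordinary calls; sources create it and sanitizers clear it."""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Constant):
            return False
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in TAINT_SOURCES:
                return True
            if name in SANITIZERS:
                return False
            parts = list(node.args)
            if isinstance(node.func, ast.Attribute):
                parts.append(node.func.value)   # "{}".format(x): receiver counts too
            # Over-approximation: any tainted argument taints the call result.
            return any(self.is_tainted(p) for p in parts)
        return any(self.is_tainted(c) for c in ast.iter_child_nodes(node))

    def visit_Assign(self, node):
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                (self.tainted.add if tainted else self.tainted.discard)(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        """Pattern matching step: is this call a known sink with a tainted argument?"""
        name = dotted_name(node.func)
        if name in SINKS:
            idx = SINKS[name]
            if idx < len(node.args) and self.is_tainted(node.args[idx]):
                self.findings.append(Finding(node.lineno, name, ast.unparse(node.args[idx])))
        self.generic_visit(node)


def analyze(source):
    """Return the list of Findings for one Python source string."""
    visitor = TaintVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed samples: string-built SQL (flagged), parameterised SQL (clean),
# and a shell command whose user input passes through an assumed sanitizer (clean).
SAMPLE_VULNERABLE = '''
def lookup(request, cursor):
    user_id = request.args.get("id")
    query = "SELECT * FROM users WHERE id = '%s'" % user_id
    cursor.execute(query)
'''
SAMPLE_FIXED = '''
def lookup(request, cursor):
    user_id = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
'''
SAMPLE_SANITIZED = '''
import os, shlex
def ping(request):
    host = request.form.get("host")
    os.system("ping -c 1 " + shlex.quote(host))
'''

if __name__ == "__main__":
    for label, src in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED),
                       ("sanitized", SAMPLE_SANITIZED)):
        print(label, analyze(src) or "no findings")
```

The toy flags only the first sample, where the tainted `query` string reaches `cursor.execute`; the parameterised version keeps the query text constant, so the checked argument is clean even though the parameter tuple is tainted. Real engines add inter-procedural tracking, per-scope state and path sensitivity, and the runtime correlation step on this page exists precisely because static over-approximations like "any tainted argument taints the result" produce findings that need confirming.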
Supported languages
Invicti SAST supports 27+ programming languages, including Java, JavaScript, TypeScript, Python, C#, C/C++, Go, PHP, Ruby, Kotlin, Swift, and Rust.
Invicti SAST editions
Invicti AppSec supports two editions of Invicti SAST:
| Edition | Package | Activation |
|---|---|---|
| Invicti SAST | AppSec Core | Pre-activated, no setup required |
| Third-party SAST tools | AppSec Enterprise | Requires manual activation under Integrations |
For AppSec Enterprise, supported third-party SAST tools include Semgrep, SonarQube, Checkmarx, Fortify, CodeQL, Veracode, Coverity, and others. See Third-party scanners overview for the full list.