https://www.secdev.uk/blog/tags/static-analysis/ Recent content in Static Analysis on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 20 Dec 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-12-20-sast-tools-compared/ Sat, 20 Dec 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-12-20-sast-tools-compared/ <p>Static Application Security Testing (SAST) tools are the first line of automated defence against vulnerabilities in source code. They analyse code without executing it, looking for patterns that match known vulnerability classes. But here&rsquo;s the thing, no single tool catches everything, and the differences between tools in detection capability, false positive rates, and language support are significant. I wanted to understand exactly where the gaps are, so I spent time running these tools against intentionally vulnerable code and comparing their output. This post is my honest assessment of what they actually catch, what they miss, and where manual review has to pick up the slack.</p>