Deterministic SAST performs rule-based static analysis of your source code to identify security vulnerabilities using established patterns and security rules. Results are enhanced by the False Positive Elimination agent and complemented by Agentic SAST for deep analysis of complex vulnerabilities.

How It Works

Deterministic SAST uses pattern matching and rule-based detection:
  1. Pattern matching: Identifies known vulnerable code patterns
  2. Dataflow analysis: Tracks untrusted data through code
  3. Control flow analysis: Identifies unsafe execution paths
  4. Semantic understanding: Analyzes code structure and meaning
Powered by: OpenGrep (enhanced Semgrep fork) + ShiftQL intelligent analysis
Coverage: 1,740+ security rules across 27+ languages

What Deterministic SAST Finds

  • Injection flaws: SQL injection, command injection, code injection
  • Cross-Site Scripting (XSS): Reflected, stored, DOM-based
  • Authentication issues: Broken auth, session management flaws
  • Authorization flaws: Missing access controls, insecure direct object references
  • Cryptographic issues: Weak algorithms, insecure random number generation
  • Security misconfigurations: Debug mode enabled, default credentials
  • Input validation: Missing or improper validation
  • Path traversal: Directory traversal vulnerabilities

Language Support

Deterministic SAST supports 27+ languages with comprehensive rule coverage.
Deep coverage (100+ rules each):
  • Python (334 rules) - Django, Flask, FastAPI
  • Terraform (362 rules) - AWS, Azure, GCP, Kubernetes
  • JavaScript (173 rules) - React, Vue, Angular, Node.js
  • Java (121 rules) - Spring, Jakarta EE
  • YAML/Kubernetes (120 rules) - K8s manifests, Helm charts
  • Ruby (92 rules) - Rails, Sinatra
  • Go (76 rules) - Gin, Echo, standard library
  • PHP (61 rules) - Laravel, Symfony, WordPress
  • C# (51 rules) - ASP.NET, .NET Core
  • Solidity (50 rules) - Smart contracts
Additional support: TypeScript, Scala, Kotlin, Swift, Rust, Elixir, OCaml, Bash, C/C++, Apex, Clojure, Dockerfile, HTML, JSON
View complete SAST support matrix →

False Positive Elimination

The False Positive Elimination agent analyzes deterministic SAST results to reduce false positives by understanding code context:
  • Validates input sanitization before vulnerable sinks
  • Recognizes framework-specific security protections
  • Traces dataflow to verify exploitability
  • Filters violations that aren’t actually exploitable
Learn more about False Positive Elimination →
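The source, sanitizer and sink dataflow from the "How It Works" steps, together with the sanitization check the False Positive Elimination agent performs before a sink, as an added illustration written for this page (not OpenGrep, ShiftQL or the product's own code): a toy intra-procedural taint tracker over a Python AST. The SOURCES/SANITIZERS/SINKS vocabularies, the helper names and the sample `lookup()` function are constructed assumptions; a real engine also handles aliasing, calls across functions and branch-sensitive flow.

```python
import ast
# Constructed vocabularies that a real rule would supply (not OpenGrep's own).
SOURCES = {"request.args.get"}      # untrusted input
SANITIZERS = {"int"}                # calls that neutralise taint
SINKS = {"cursor.execute"}          # dangerous sinks

def dotted(node):  # 'a.b.c' for a Name/Attribute chain, else None
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and (base := dotted(node.value)):
        return f"{base}.{node.attr}"

def is_tainted(expr, tainted):
    """True if expr carries untrusted data; a sanitizer call stops propagation."""
    if isinstance(expr, ast.Call):
        name = dotted(expr.func)
        if name in SOURCES or name in SANITIZERS:
            return name in SOURCES
        return any(is_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(expr))

def scan_body(stmts, tainted, findings):
    """Walk statements in order so a later sanitising re-assignment is honoured."""
    for stmt in stmts:
        value = getattr(stmt, "value", None)
        if isinstance(value, ast.Call) and dotted(value.func) in SINKS:
            if value.args and is_tainted(value.args[0], tainted):
                findings.append((stmt.lineno, dotted(value.func)))
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            name = stmt.targets[0].id
            (tainted.add if is_tainted(stmt.value, tainted) else tainted.discard)(name)
        for field in ("body", "orelse"):   # descend into def / if / for / with bodies
            scan_body(getattr(stmt, field, []), tainted, findings)

def find_injections(source_code):
    """Return [(line, sink), ...] for every sink fed by unsanitised input."""
    findings = []
    scan_body(ast.parse(source_code).body, set(), findings)
    return findings

SAMPLE = '''from flask import request  # constructed sample input for the scanner
def lookup(cursor):
    uid = request.args.get("id")
    cursor.execute(f"SELECT * FROM users WHERE id = {uid}")      # line 4: tainted
    cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))  # parametrised: ok
    uid = int(uid)                                               # sanitiser
    cursor.execute("SELECT * FROM users WHERE id = " + str(uid)) # ok after int()
'''
```

Running `find_injections(SAMPLE)` reports only the f-string query on line 4; the parametrised call and the query built after `int(uid)` are left alone, which is the context check that separates a real finding from a false positive.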

Agentic SAST

Agentic SAST performs deep, graph-based code analysis to identify logic flaws, authorization issues, and design failures that deterministic SAST cannot detect.
Learn more about Agentic SAST →

Configuration

Configure deterministic SAST scanning in repository settings:
  • Enable/disable SAST scanning
  • Select rulesets to apply
  • Configure scan paths and exclusions
  • Set severity thresholds
  • Enable false positive elimination

Next Steps