Software quality & security glossary

The terms that show up in every security review and every AI-generated pull request — defined in plain English, and tied back to exactly how GateTest scans for them.

SAST

Static Application Security Testing (SAST)

SAST analyses source code, bytecode, or binaries for security flaws without running the program — catching vulnerabilities like injection, h

DAST

Dynamic Application Security Testing (DAST)

DAST tests a running application from the outside — sending real requests to find vulnerabilities that only appear at runtime, like broken a

SCA

Software Composition Analysis (SCA)

SCA inventories the third-party and open-source dependencies in a project and flags known vulnerabilities, license risks, and unmaintained p

SARIF

Static Analysis Results Interchange Format (SARIF)

SARIF is an OASIS-standard JSON format for static-analysis results. It lets any scanner report findings — with file, line, rule id, and seve

Quality Gate

A quality gate is an automated pass/fail checkpoint in a pipeline that blocks code from merging or deploying unless it meets defined thresho
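To make the SARIF and quality-gate entries above concrete, here is an added example (not GateTest's code) that parses a constructed SARIF 2.1.0 log and applies a pass/fail threshold; the rule ids, file paths and thresholds are all hypothetical. It also handles the case where a result omits its level and inherits the rule's default, as the SARIF specification allows.

```python
"""Parse a SARIF 2.1.0 log and apply a quality-gate threshold (constructed example)."""
import json
from collections import Counter

# Constructed SARIF document: two findings, one of which omits "level"
# and therefore inherits the rule's defaultConfiguration level.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "SQLI-001", "defaultConfiguration": {"level": "error"}},
            {"id": "LOG-042"},
        ]}},
        "results": [
            {"ruleId": "SQLI-001", "message": {"text": "string-built SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "LOG-042", "level": "note", "message": {"text": "verbose logging"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/app.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})

def parse_sarif(text):
    """Return a list of (rule_id, level, uri, line) tuples.
    SARIF makes result.level optional: it falls back to the rule's
    defaultConfiguration.level, and if that is absent too, to "warning".
    """
    findings = []
    for run in json.loads(text)["runs"]:
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            loc = res.get("locations", [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri")
            line = loc.get("region", {}).get("startLine")
            findings.append((res.get("ruleId"), level, uri, line))
    return findings

def quality_gate(findings, max_errors=0, max_warnings=5):
    """Pass/fail checkpoint over the parsed findings (hypothetical thresholds)."""
    counts = Counter(level for _, level, _, _ in findings)
    passed = counts["error"] <= max_errors and counts["warning"] <= max_warnings
    return passed, dict(counts)
```

In a pipeline, `quality_gate(parse_sarif(open("results.sarif").read()))` returning `False` would be the signal to fail the merge or deploy step.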

Mutation Testing

Mutation testing measures how good your tests actually are by introducing small bugs (mutants) into the code and checking whether the test s

False Positive Rate

The false positive rate is the share of a scanner's findings that aren't real problems. It's the single biggest factor in whether a security

Software Supply Chain Security

Supply-chain security protects everything your software depends on but doesn't write — open-source packages, build tools, CI pipelines, and

SBOM

Software Bill of Materials (SBOM)

An SBOM is a machine-readable inventory of every component in a piece of software — each dependency, its version, and its license. It's what

Secret Scanning

Secret scanning detects credentials — API keys, tokens, private keys, passwords — accidentally committed to source code, so they can be revo

Shift Left

Shift left means moving testing and security earlier in the development lifecycle — into the editor, the commit, and the pull request — inst

Technical Debt

Technical debt is the implied future cost of choosing a fast or easy solution now instead of a better one that would take longer. Like finan