Static Application Security Testing (SAST) inspects code at rest. Instead of sending traffic at a running app, a SAST tool parses the source into an abstract syntax tree (or an intermediate representation), then walks that structure looking for known-dangerous patterns: tainted data flowing into a SQL query, a secret committed in plaintext, user input reaching a shell command, a regex that backtracks catastrophically.
Because it works on the code itself, SAST runs early — in the editor, on every commit, in CI — and points at an exact file and line. That makes it the cheapest place to catch a class of bug: the finding lands while the author still has the context in their head, long before the code reaches a security review or production.
The trade-off is precision. A static analyzer reasons about all possible paths, so it can flag code that is technically reachable but practically safe (a false positive), and it can't see issues that only appear at runtime — misconfigured infrastructure, an exposed admin route, a broken auth check under real load. Mature programs pair SAST with DAST and software-composition analysis rather than treating any one of them as complete.
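To make the mechanism concrete, here is a small AST-walking checker written for this page (it is not the code of any real SAST product). It parses Python with the standard `ast` module, marks variables assigned from a hypothetical set of taint sources (`request.args.get`, `request.form.get`, `input`) as attacker-controlled, and reports any `.execute(...)` whose first argument is a string built at runtime from tainted data. The sample handler it scans is constructed for the example. It also shows the precision trade-off from the last paragraph: tracking taint lets it ignore a query assembled from a trusted constant, but because it is flow-insensitive (no reassignments, no sanitizer awareness, no cross-function tracking) it will still over- or under-report on real code.

```python
import ast
from typing import List, Set, Tuple

# Constructed sample input (not from the page): a Flask-style handler with
# three injectable queries, one parameterized query, and one query built
# from a trusted module-level constant.
SAMPLE_SOURCE = '''\
from flask import request
TABLE = "users"

def lookup(conn):
    user = request.args.get("user")
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")   # concat
    cur.execute(f"SELECT * FROM users WHERE name = '{user}'")         # f-string
    cur.execute("SELECT * FROM users WHERE name = %s" % user)         # %-format
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))        # parameterized
    cur.execute("SELECT count(*) FROM " + TABLE)                      # trusted constant
    return cur.fetchall()
'''

# Hypothetical taint sources: dotted call names whose results are attacker-controlled.
TAINT_SOURCES = {"request.args.get", "request.form.get", "input"}


def dotted_name(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as `request.args.get`; '' otherwise."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


class SqlTaintScanner(ast.NodeVisitor):
    """Flags .execute() calls whose query string is assembled from tainted data."""

    def __init__(self) -> None:
        self.tainted: Set[str] = set()
        self.findings: List[Tuple[int, str]] = []

    def is_tainted(self, node: ast.AST) -> bool:
        # Tainted if any sub-expression is a tainted variable or a direct source call.
        for sub in ast.walk(node):
            if isinstance(sub, ast.Name) and sub.id in self.tainted:
                return True
            if isinstance(sub, ast.Call) and dotted_name(sub.func) in TAINT_SOURCES:
                return True
        return False

    @staticmethod
    def is_dynamic_string(node: ast.AST) -> bool:
        # Built at runtime: concat or %-format (BinOp), f-string (JoinedStr),
        # or "...".format(...). A plain Constant is never dynamic.
        if isinstance(node, (ast.BinOp, ast.JoinedStr)):
            return True
        return (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "format")

    def visit_Assign(self, node: ast.Assign) -> None:
        # Propagate taint: `x = request.args.get(...)` makes `x` tainted.
        if self.is_tainted(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.tainted.add(target.id)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        # Sink: any `.execute(query, ...)` call; report only dynamic + tainted queries.
        if (isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            query = node.args[0]
            if self.is_dynamic_string(query) and self.is_tainted(query):
                self.findings.append(
                    (node.lineno, "tainted data concatenated into SQL query"))
        self.generic_visit(node)


def scan(source: str) -> List[Tuple[int, str]]:
    """Parse `source` and return (line, message) findings in source order."""
    scanner = SqlTaintScanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


if __name__ == "__main__":
    for line, msg in scan(SAMPLE_SOURCE):
        print(f"line {line}: {msg}")
```

Run as a script it reports lines 7, 8 and 9 of the sample and stays silent on the parameterized query and the `TABLE` concatenation; a checker that only matched "string concatenation inside execute()" would have flagged the latter as well, which is exactly the kind of false positive the paragraph above describes.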