Static Application Security Testing (SAST) scans source code for common vulnerability patterns, including injection flaws, authentication weaknesses, and insecure defaults. Bandit provides Python-specific security analysis; SonarQube provides multi-language analysis with quality and security rules; Semgrep provides pattern-based scanning with custom rule support.
SAST runs in the CI pipeline for every code change and blocks merges if critical or high-severity findings are identified. The AI-specific custom rules described in (demographic feature flagging, hardcoded threshold detection, missing logging detection, model registry bypass detection) extend the SAST scope to cover compliance-relevant patterns unique to high-risk AI systems.
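To illustrate what two of the AI-specific custom rules check, here is an added example that is not the project's Semgrep rules or any code from this page: a small Python AST checker flags demographic attributes named as features and model scores compared against hardcoded thresholds, then applies the critical/high merge-blocking policy. The attribute vocabulary, the scoring method names, the rule ids and the sample snippet are constructed assumptions.

```python
import ast
from collections import namedtuple

# Constructed vocabularies; a real rule set would version these alongside the Semgrep rules.
DEMOGRAPHIC_FEATURES = {"race", "ethnicity", "gender", "sex", "religion", "age", "disability"}
SCORE_CALLS = {"predict_proba", "decision_function", "score"}
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}  # merge-blocking policy described in the text
Finding = namedtuple("Finding", "rule severity line")

def _uses_model_score(node):
    # True if the expression calls a scoring method anywhere, e.g. model.predict_proba(x)[:, 1]
    return any(isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
               and n.func.attr in SCORE_CALLS for n in ast.walk(node))

def _is_numeric_literal(node):
    return (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool))

class AiRuleVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Compare(self, node):
        # ai-hardcoded-threshold: a model score compared directly against a numeric literal
        # instead of a threshold loaded from versioned configuration
        operands = [node.left, *node.comparators]
        if any(map(_is_numeric_literal, operands)) and any(map(_uses_model_score, operands)):
            self.findings.append(Finding("ai-hardcoded-threshold", "HIGH", node.lineno))
        self.generic_visit(node)

    def visit_Constant(self, node):
        # ai-demographic-feature: a protected attribute named as a feature or column
        if isinstance(node.value, str) and node.value.lower() in DEMOGRAPHIC_FEATURES:
            self.findings.append(Finding("ai-demographic-feature", "CRITICAL", node.lineno))

def scan(source):
    visitor = AiRuleVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings

def merge_allowed(findings):
    # CI gate: block the merge when any critical/high finding is present
    return not any(f.severity in BLOCKING_SEVERITIES for f in findings)

# Constructed sample of a change under review (line numbers are 1-based within the snippet)
SAMPLE = '''\
features = df[["income", "tenure", "gender"]]
approved = model.predict_proba(features)[:, 1] > 0.62
'''
```

Running `scan(SAMPLE)` reports a CRITICAL demographic-feature finding on line 1 and a HIGH hardcoded-threshold finding on line 2, so `merge_allowed` returns False; a version that reads the threshold from configuration passes.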
SAST findings are tracked in the vulnerability management register alongside findings from other scanning tools. The remediation SLAs from apply. SAST scan results are retained as Module 9 evidence.
Key outputs
- SAST integration in the CI pipeline (Bandit, SonarQube, Semgrep)
- AI-specific custom rules extending standard SAST coverage
- Merge blocking on critical/high findings
- Module 9 and Module 2 AISDP evidence