
Glossary · AppSec

Static Application Security Testing (SAST)

White-box analysis that reads source code, bytecode, or IR to flag insecure patterns without executing the application.

Explainer

What it is

SAST tools parse the source tree, or a compiled intermediate representation such as bytecode or LLVM IR, and apply taint analysis, pattern matching, and data-flow rules to find insecure sinks (a query string handed to a database driver, an argument to a shell) reachable from tainted sources (HTTP parameters, file contents, environment variables). Because they see the code directly, they can point at the exact file, line, and function even when the flaw has never been triggered at runtime; the trade-off is that they reason about code they never run, so unreachable paths and unmodelled sanitisers produce false positives and false negatives respectively.
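The source-to-sink tracking described above, shown as an added example rather than code from this page or from Pentrova: a minimal intra-procedural taint analyser over the Python AST. The rule set (sources such as `request.args.get`, sinks `cursor.execute` and `os.system`, the `int()` sanitiser) and the scanned sample program are constructed for the demo; the `request` and `cursor` names only mimic Flask and DB-API conventions.

```python
import ast
from dataclasses import dataclass

# Constructed rule set for this demo. Real scanners ship thousands of
# source/sink/sanitiser definitions per language and framework.
TAINT_SOURCES = {"request.args.get", "request.form.get", "input"}
SANITIZERS = {"int", "shlex.quote"}
SINKS = {"cursor.execute": "SQL injection", "os.system": "command injection"}


@dataclass
class Finding:
    rule: str       # which sink rule fired
    sink: str       # dotted name of the sink call
    line: int       # line of the sink call in the scanned file
    argument: str   # source text of the tainted argument


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintAnalyzer(ast.NodeVisitor):
    """Single forward pass over one function body: tracks which local names
    hold attacker-controlled data and reports sinks reached by them."""

    def __init__(self):
        self.tainted = set()
        self.findings = []

    def is_tainted(self, node):
        """Does this expression carry taint? Taint propagates through
        concatenation, %-formatting, f-strings, .format() and method calls;
        a call to a known sanitiser (e.g. int()) breaks the chain."""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = dotted_name(node.func) or ""
            if name in TAINT_SOURCES:
                return True
            if name in SANITIZERS:
                return False
            receiver = [node.func.value] if isinstance(node.func, ast.Attribute) else []
            return any(self.is_tainted(n) for n in receiver + list(node.args))
        if isinstance(node, ast.BinOp):        # "..." + x, "..." % x
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):    # f"...{x}"
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        # Constants and tuples of bound parameters are not taint:
        # cursor.execute("... ?", (user_id,)) is the safe idiom.
        return False

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # re-assigned from clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in SINKS:
            for arg in node.args:
                if self.is_tainted(arg):
                    self.findings.append(
                        Finding(SINKS[name], name, node.lineno, ast.unparse(arg)))
        self.generic_visit(node)


def analyze(source: str) -> list:
    """Scan every top-level function in `source`; return findings in file order."""
    findings = []
    for fn in ast.parse(source).body:
        if isinstance(fn, ast.FunctionDef):
            analyzer = TaintAnalyzer()
            analyzer.visit(fn)
            findings.extend(analyzer.findings)
    return findings


# Constructed sample program under test (line numbers count from the first blank line).
SAMPLE = '''
import os
from flask import request

def lookup(cursor):
    user_id = request.args.get("id")
    query = "SELECT * FROM users WHERE id = " + user_id
    cursor.execute(query)                                           # flagged: concatenation

def lookup_safe(cursor):
    user_id = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))  # not flagged: bound parameter

def ping():
    host = request.form.get("host")
    cmd = f"ping -c 1 {host}"
    os.system(cmd)                                                  # flagged: f-string

def count(cursor):
    n = int(request.args.get("n"))
    cursor.execute("SELECT * FROM t LIMIT %d" % n)                  # not flagged: int() sanitises
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f.rule}: line {f.line}, {f.sink}({f.argument})")
```

Running it reports `SQL injection` at line 8 and `command injection` at line 17 and stays silent on the parameterised query and the `int()`-sanitised value, which is exactly the file-and-line precision the paragraph describes. It also shows where the false-positive and false-negative trade-offs come from: the pass is intra-procedural (taint entering a function through a parameter is invisible), flow-insensitive across branches (no path conditions), and only as good as its sanitiser list, so an unmodelled escaping helper would keep firing until a rule is added for it.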

Why it matters

SAST lives inside the developer loop. Running on every commit or pull request, it catches injection, hardcoded secrets, unsafe deserialisation, and cryptographic misuse before the change ships. It is cheapest when integrated early: a finding fixed at code review costs orders of magnitude less than the same finding caught in production, where it also carries incident-response and disclosure costs.

Mitigation direction

Tune rules aggressively. Out-of-the-box configurations flood developers with low-signal warnings and train teams to ignore the output. Promote a rule to blocking PR findings only once triage data shows it has a proven true-positive rate on your own codebase, and pair every suppression with a written justification linked to the relevant threat model so the context survives staff turnover and the suppression can be revisited when the code changes.
