Static code analysis (static application security testing, SAST) scans source code without executing it, automatically finding hardcoded credentials, injection flaws, buffer overflows, and insecure function calls.
SAST integrates into IDEs and CI/CD pipelines, so it finds bugs early, when they are cheapest to fix. Its high false-positive rate needs tuning. It does not find runtime or configuration issues, which are DAST's strength. Defense: make SAST a quality gate in the CI pipeline.
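As an added illustration (not code from the original note or from any real SAST product), a minimal AST-based check in Python that flags hardcoded credentials and insecure calls in a constructed sample file, honours a `# sast:ignore` suppression comment for tuning out false positives, and returns a non-zero status so it can fail a CI build as a quality gate; the rule names, secret-word list and suppression syntax are assumptions of this example.

```python
import ast
# Constructed sample (not a real project): a hardcoded secret, an insecure call,
# and one suppressed finding to show how false positives are tuned out.
SAMPLE_SOURCE = '''
import subprocess
API_KEY = "sk-live-0123456789abcdef"
subprocess.call("ls " + input(), shell=True)
eval("1+1")  # sast:ignore
'''
SECRET_WORDS = ("password", "passwd", "secret", "token", "api_key")  # assumed list
INSECURE_CALLS = {"eval", "exec", "pickle.loads", "yaml.load"}       # assumed list

def _call_name(node):
    # Dotted name of the called function, e.g. 'subprocess.call'
    f = node.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return f.id if isinstance(f, ast.Name) else ""

def scan_source(source, path="<input>"):
    """Return (path, line, rule) findings; a '# sast:ignore' comment suppresses a line."""
    lines = source.splitlines()
    findings = []
    for node in ast.walk(ast.parse(source)):
        rule = None
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            # Hardcoded credential: secret-like name assigned a non-empty string literal
            names = [t.id.lower() for t in node.targets if isinstance(t, ast.Name)]
            if (isinstance(node.value.value, str) and node.value.value
                    and any(w in n for n in names for w in SECRET_WORDS)):
                rule = "hardcoded-credential"
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in INSECURE_CALLS:
                rule = f"insecure-call:{name}"
            elif name.startswith("subprocess.") and any(
                    kw.arg == "shell" and getattr(kw.value, "value", None) is True
                    for kw in node.keywords):
                rule = "subprocess-shell-true"
        if rule and "sast:ignore" not in lines[node.lineno - 1]:
            findings.append((path, node.lineno, rule))
    return sorted(findings, key=lambda f: f[1])

def gate(findings):
    """CI quality gate: print findings and return 1 (fail the build) if any remain."""
    for path, line, rule in findings:
        print(f"{path}:{line}: {rule}")
    return 1 if findings else 0

if __name__ == "__main__":
    raise SystemExit(gate(scan_source(SAMPLE_SOURCE, "sample.py")))
```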