Code Scanning

Also known as:

  • Static Application Security Testing (SAST)

What problem does it target?

SAST tools find security vulnerabilities in source code, bytecode or binaries early in the software development lifecycle, before insecure code reaches production. Not every reported vulnerability is exploitable in the application as deployed: the flawed code may never be called, or the input it mishandles may never reach it. Reachability analysis helps distinguish exploitable findings from non-exploitable ones so that remediation effort goes to the former.


What does this solution do?

SAST platforms:

  • Analyze source code or binaries for security flaws
  • Detect issues such as SQL injection, XSS, and insecure coding practices
  • Integrate with CI/CD pipelines for early feedback
  • Provide remediation guidance to developers
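
As an added illustration of the kind of rule a SAST engine applies (example code written for this page, not any listed vendor's engine), the following Python script uses the standard ast module to flag SQL queries that are assembled at runtime and handed to a DB-API execute() call. The two scanned snippets, the sqlite3 usage and the find_user function are constructed for the example; the second snippet is the parameterised form the rule accepts.

```python
"""Minimal SAST-style rule for SQL injection, written as an illustration
(not any vendor's scanning engine). It parses Python source with the
standard `ast` module and flags DB-API execute() calls whose query string
is built at runtime by concatenation, %-formatting, .format() or an
f-string. Both scanned snippets below are constructed for this example."""
import ast

EXECUTE_METHODS = {"execute", "executemany", "executescript"}


def _builds_string_at_runtime(node):
    """True for f"...", "a" + b, "%s" % x and "...".format(x)."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"
    return False


def scan_source(src):
    """Return sorted (line, message) findings for dynamically built SQL.

    Flow-insensitive on purpose: a variable assigned a runtime-built string
    anywhere in the module is treated as tainted wherever it is used. That
    is simpler than real dataflow and is one source of SAST false positives."""
    tree = ast.parse(src)
    tainted = set()
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)
                and _builds_string_at_runtime(node.value)):
            tainted.add(node.targets[0].id)

    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in EXECUTE_METHODS or not node.args:
            continue
        query = node.args[0]
        dynamic = _builds_string_at_runtime(query) or (
            isinstance(query, ast.Name) and query.id in tainted)
        if dynamic:
            findings.append((node.lineno,
                             f"{node.func.attr}() receives a query built at runtime; "
                             "pass user input as a bound parameter instead"))
    return sorted(findings)


# Constructed sample: the vulnerable form (concatenation and %-formatting).
VULNERABLE = '''
import sqlite3

def find_user(conn, username):
    cur = conn.cursor()
    query = "SELECT id FROM users WHERE name = '" + username + "'"
    cur.execute(query)
    cur.execute("SELECT * FROM logs WHERE user = '%s'" % username)
    return cur.fetchall()
'''

# Constructed sample: the same function using bound parameters.
HARDENED = '''
import sqlite3

def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = ?", (username,))
    cur.execute("SELECT * FROM logs WHERE user = ?", (username,))
    return cur.fetchall()
'''

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, scan_source(src) or "no findings")
```

The vulnerable snippet yields two findings (lines 7 and 8 of the scanned text) and the hardened one none. A production engine adds what this rule lacks: interprocedural dataflow from real sources (HTTP parameters, files) to sinks, sanitiser recognition, and per-language models of which APIs are sinks. The flow-insensitive taint set here is exactly the kind of shortcut that produces the false positives the pitfalls table below refers to.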

Reachability in Code Scanning

Some modern SAST tools incorporate reachability analysis to reduce false positives and prioritize findings:

  • Static reachability checks whether the vulnerable code is actually called from somewhere in the codebase. This can be done at the package level (is the affected dependency used at all?) or at the function level (is the specific vulnerable function on a call path from application code?). Function-level analysis is far more precise and typically cuts the number of actionable findings substantially. Static reachability is easy to integrate into developer workflows, supports more languages and gives better patch guidance, but it can still produce false positives, lengthens scan times and lacks runtime context.
  • Runtime reachability (see DAST and SCA) observes which components are executed in a live environment, offering more certainty and reducing false positives further. At function level it provides evidence that a vulnerable function is actually executed, which gives higher confidence in exploitability and is what enables application detection and response (ADR) capabilities.

What vendors mean by reachability, and how they implement it, varies, since determining exploitability usually needs environmental context (how the application is deployed, what input reaches the code) that a scanner has only in part. Ask a vendor which level (package or function) and which kind (static or runtime) a product actually performs before relying on its counts.
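
A simplified function-level static reachability check, added here as an example and not any vendor's implementation. It builds a flow-insensitive call graph of one module with Python's ast module and asks, for each known-vulnerable library function, whether the package is imported at all (package level) and whether the function is called on some path from an entry point (function level). The module text, the package name somepkg and its functions parse_fast and safe_load are constructed for the example.

```python
"""Function-level static reachability over a call graph, as an added
example (not any vendor's implementation). For each known-vulnerable
library function it reports two verdicts:

  package level : is the package imported anywhere in the module?
  function level: is the function called on some path from an entry point?

The analysed source, the package `somepkg` and its functions are
constructed for this example."""
import ast
from collections import deque

SAMPLE_SOURCE = '''
import somepkg

def handle_request(payload):
    return somepkg.safe_load(payload)

def unused_helper(payload):
    # only place the vulnerable function is called; nothing calls this helper
    return somepkg.parse_fast(payload)

def main():
    handle_request(b"{}")
'''


def build_call_graph(src):
    """Map each top-level function (and '<module>') to the callees it invokes.

    Callees are local function names or 'name.attr' for attribute calls on
    a bare name. Flow-insensitive: every call in a body counts, and
    dynamic dispatch, callbacks and reflection are not modelled."""
    tree = ast.parse(src)
    local_funcs = {n.name for n in tree.body if isinstance(n, ast.FunctionDef)}
    graph = {"<module>": set()}

    def callee_name(call):
        f = call.func
        if isinstance(f, ast.Name):
            return f.id if f.id in local_funcs else None
        if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
            return f"{f.value.id}.{f.attr}"
        return None

    for node in tree.body:
        owner = node.name if isinstance(node, ast.FunctionDef) else "<module>"
        graph.setdefault(owner, set())
        for sub in ast.walk(node):
            if isinstance(sub, ast.Call):
                name = callee_name(sub)
                if name:
                    graph[owner].add(name)
    return graph


def reachable_callees(graph, entry_points):
    """Breadth-first walk from the entry points; returns every callee reached."""
    seen = set()
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def imported_packages(src):
    """Top-level package names imported anywhere in the module."""
    pkgs = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            pkgs.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            pkgs.add(node.module.split(".")[0])
    return pkgs


def triage(src, entry_points, vulnerable_functions):
    """Return {vuln_fn: (package_reachable, function_reachable)}."""
    pkgs = imported_packages(src)
    reached = reachable_callees(build_call_graph(src), entry_points)
    return {fn: (fn.split(".")[0] in pkgs, fn in reached)
            for fn in vulnerable_functions}


if __name__ == "__main__":
    verdicts = triage(SAMPLE_SOURCE, {"main"},
                      ["somepkg.parse_fast", "somepkg.safe_load"])
    for fn, (pkg_level, fn_level) in verdicts.items():
        print(f"{fn}: package-level reachable={pkg_level}, "
              f"function-level reachable={fn_level}")
```

With main as the only entry point, the package-level view reports somepkg as used and would raise an alert for parse_fast, while the function-level view shows that parse_fast is only called from a helper nothing reaches, which is the reduction in findings described above. The same code shows the limits of static reachability: decorator-registered routes, callbacks, dynamic dispatch and reflection are invisible to this graph, so a callee that looks unreachable here may still run, and nothing in the graph says what data reaches the call. That missing runtime context is what the runtime reachability approach above supplies.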


Who is this for?

  • Development and DevSecOps teams
  • Organizations building custom software
  • Enterprises seeking to shift security left

Who might not benefit from this?

  • Teams using only off-the-shelf software
  • Projects with no access to source code (bytecode and binary scanning exists, but its results are generally less precise and harder to act on than source-level findings)

Pitfalls and remedies

Pitfall                     Remedy
--------------------------  ------------------------------------------------------
High false positive rate    Tune rules; use contextual and reachability analysis
Developer resistance        Integrate into existing workflows and provide training
Limited language support    Choose a SAST tool with broad language compatibility

Sample products

  • Checkmarx
  • Veracode
  • Fortify (OpenText)
  • SonarQube
  • GitHub Advanced Security

All trademarks are property of their respective owners.
Copyright © 2025 Deepblue Consulting – All rights reserved.