SAST vs SCA: why your CI pipeline needs both

When security teams talk about "scanning" code in CI/CD, they usually mean one of two very different things: scanning the code you wrote (SAST) or scanning the open-source code you imported (SCA). Both are called "security scanners." Both produce findings with severities. But they catch almost completely different vulnerability classes.

What SAST scans

Static Application Security Testing (SAST) reads your source code, the JavaScript, Python, Java, Go and Ruby files your team writes, and looks for security flaws in the code itself: SQL injection in a database query, a hardcoded AWS key, an XSS vector in a template, MD5 used to hash passwords where bcrypt should be. SAST doesn't care which npm packages you installed; it analyses the logic of your own code. When user-controlled data flows into a SQL query without parameterisation, SAST flags it, regardless of which database library you are using.
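To show what "user-controlled data flows into a SQL query" means mechanically, here is an added example (not DepWarden's code and not from the original article): a minimal taint-tracking check over Python source, using the standard ast module. The taint sources (request.args.get and friends), the SQL sinks (cursor.execute and friends) and the two sample functions are all constructed for this example; a real SAST engine has thousands of such source/sink pairs and tracks flows across functions and files.

```python
"""Minimal SAST-style taint check: does request-controlled data reach the SQL text of a query call?

Added example, not DepWarden code. Intra-procedural and flow-insensitive on purpose: it shows the
source -> propagation -> sink shape of the analysis, not a production engine.
"""
import ast

# Assumed taint sources and SQL sinks (dotted call names), constructed for this example.
TAINT_SOURCES = {"request.args.get", "request.form.get", "input"}
SQL_SINKS = {"cursor.execute", "cursor.executemany", "db.execute"}

# Constructed sample: SQL text built by string concatenation from a request parameter.
VULNERABLE = '''
def lookup(cursor, request):
    user = request.args.get("user")
    query = "SELECT * FROM accounts WHERE name = '" + user + "'"
    cursor.execute(query)
'''

# Constructed sample: same data, but passed as a bound parameter, so the SQL text stays constant.
SAFE = '''
def lookup(cursor, request):
    user = request.args.get("user")
    cursor.execute("SELECT * FROM accounts WHERE name = ?", (user,))
'''


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain such as request.args.get, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def is_tainted(node, tainted):
    """Taint propagates through names, + and % on strings, f-strings and str.format()."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.BinOp):  # "..." + user, "..." % user
        return is_tainted(node.left, tainted) or is_tainted(node.right, tainted)
    if isinstance(node, ast.JoinedStr):  # f"... {user}"
        return any(is_tainted(v.value, tainted)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    if isinstance(node, ast.Call):
        if isinstance(node.func, ast.Attribute) and node.func.attr == "format":  # "...".format(user)
            return any(is_tainted(a, tainted) for a in node.args)
        return dotted_name(node.func) in TAINT_SOURCES  # a direct read from a source
    return False  # constants and everything else are clean


def find_sqli(source):
    """Return [(line, message), ...] for every sink whose SQL-text argument is tainted."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in func.body:
            # Propagation: an assignment whose right-hand side is or derives from tainted data
            if isinstance(stmt, ast.Assign) and is_tainted(stmt.value, tainted):
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        tainted.add(target.id)
            # Sink: the first positional argument (the SQL text) of a query call is tainted.
            # Tainted data in later arguments is the parameterised, safe case and is not flagged.
            if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                call = stmt.value
                sink = dotted_name(call.func)
                if sink in SQL_SINKS and call.args and is_tainted(call.args[0], tainted):
                    findings.append((call.lineno, f"{func.name}: tainted SQL text reaches {sink}"))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("safe", SAFE)):
        print(label, find_sqli(src))
```

The SAFE sample passes the same tainted value, but as a bound parameter rather than as part of the SQL string, so the sink's first argument is a constant and nothing is flagged; that distinction, not the mere presence of user input, is what a SAST rule encodes. The example is deliberately limited: it does not follow data through helper functions, reassignment or list/dict containers, which is exactly the work a production SAST engine does and the source of most of its cost and false positives.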

What SCA scans

Software Composition Analysis (SCA) reads your dependency manifest or lockfile and checks every package it resolves, direct and transitive, against a vulnerability database such as OSV. If your lockfile pins a package version with a known prototype pollution CVE, SCA flags it, whether you imported that package yourself or it arrived three levels down the dependency tree. SCA doesn't analyse your code at all; it compares the versions you depend on against the affected version ranges in the database. A perfect SAST run with zero findings can coexist with fifty SCA findings in your dependencies, and vice versa.
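The matching step is simple enough to show end to end. The following is an added example, not DepWarden's scanner and not from the original article: it walks a constructed npm lockfile (lockfileVersion 3 layout, where every installed package, transitive ones included, appears under "packages") and matches each package against a constructed advisory written in the OSV schema's affected/ranges shape. The package names, versions and the advisory ID are invented for the example; the OSV range semantics (affected from each "introduced" up to, but excluding, the next "fixed") are real.

```python
"""Minimal SCA-style check: match every package in a lockfile against OSV-style advisories.

Added example, not DepWarden code. Lockfile, package names and the advisory are constructed; the
advisory ID is not a real OSV, GHSA or CVE identifier.
"""
import json

# Constructed npm lockfile. "" is the root project; every other key is an installed package, so
# transitive dependencies (deep-merge-util, pulled in by web-framework) sit beside direct ones.
LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-framework": "^2.0.0", "left-pad-lite": "^0.9.0"}},
        "node_modules/web-framework": {"version": "2.3.1",
                                       "dependencies": {"deep-merge-util": "^1.0.0"}},
        "node_modules/deep-merge-util": {"version": "1.4.2"},
        "node_modules/left-pad-lite": {"version": "0.9.0"},
    },
})

# Constructed advisory in the OSV "affected"/"ranges" shape. ECOSYSTEM-type ranges carry plain
# version strings; an "introduced" event with no later "fixed" event means still vulnerable.
ADVISORIES = [
    {
        "id": "EXAMPLE-2024-0001",  # constructed identifier
        "summary": "Prototype pollution in deep-merge-util when merging untrusted objects",
        "affected": [{
            "package": {"ecosystem": "npm", "name": "deep-merge-util"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "1.5.0"}]}],
        }],
    },
]


def parse_version(v):
    """'1.4.2' -> (1, 4, 2). Pre-release and build suffixes are dropped; enough for this demo."""
    core = v.split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))


def in_range(version, events):
    """OSV range walk: affected from each 'introduced' until the next 'fixed' (exclusive)."""
    v = parse_version(version)
    affected = False
    for event in events:
        if "introduced" in event:
            affected = v >= parse_version(event["introduced"])
        elif "fixed" in event and v >= parse_version(event["fixed"]):
            affected = False
    return affected


def lockfile_packages(lock_json):
    """Yield (name, version, is_direct) for every installed package in the lockfile."""
    lock = json.loads(lock_json)
    direct = set(lock["packages"][""].get("dependencies", {}))
    for path, meta in lock["packages"].items():
        if path == "":
            continue
        # Last path segment after node_modules/ keeps scoped (@scope/pkg) and nested installs correct.
        name = path.rsplit("node_modules/", 1)[1]
        yield name, meta["version"], name in direct


def scan(lock_json, advisories, ecosystem="npm"):
    """Return one finding dict per (package, advisory) whose version falls in an affected range."""
    findings = []
    for name, version, direct in lockfile_packages(lock_json):
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
                    continue
                if any(in_range(version, r["events"]) for r in aff["ranges"]):
                    findings.append({"package": name, "version": version, "direct": direct,
                                     "advisory": adv["id"], "summary": adv["summary"]})
    return findings


if __name__ == "__main__":
    for f in scan(LOCKFILE, ADVISORIES):
        scope = "direct" if f["direct"] else "transitive"
        print(f'{f["advisory"]}: {f["package"]}@{f["version"]} ({scope}) - {f["summary"]}')
```

Two things the output makes visible that a summary count hides: the match is purely on name and version, with no knowledge of whether your code ever calls the vulnerable function, and the flagged package is transitive, so the fix is a lockfile override or an upstream bump of web-framework rather than an edit to your own manifest. Scanning the lockfile rather than the manifest matters for the same reason: the manifest's "^1.0.0" says nothing about which version is actually installed.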

The blind spots in each

SAST cannot see: vulnerabilities in the open-source packages you import; supply-chain attacks with no CVE (typosquatting, dependency confusion), which a CVE-matching SCA scan also misses unless its database lists the malicious package; runtime configuration mistakes. SCA cannot see: security bugs in the code your team writes; hardcoded credentials in your own source files; weak cryptographic choices in your own logic; framework misconfigurations. The blind spots are almost perfectly complementary. An attacker has two main paths: exploit a bug in your code (SAST territory) or exploit a bug in a library you imported (SCA territory).

The combined CI gate

The most effective CI configuration runs both in parallel and fails the build on either. DepWarden's GitHub Action accepts both a file argument (SCA: dependency scan) and a sast-dir argument (SAST: static analysis) in a single step, so one gate covers both attack paths. DepWarden is free and requires no account; it covers 11 package ecosystems for SCA and 15 languages plus IaC for SAST with 300+ security rules. See also: what is SAST? and CVSS, EPSS and KEV guide.