Free SAST scanner — static application security testing online

Static Application Security Testing (SAST) analyses source code for security vulnerabilities without executing it. DepWarden is a free SAST tool: upload a source zip or run the CLI/GitHub Action, and it scans your code for SQL injection, XSS, hardcoded credentials, weak cryptography, framework misconfigurations, and 300+ more vulnerability classes across 15 languages, with no account required.

Languages and file types

DepWarden's SAST engine covers the following languages and file types:
Web/backend: JavaScript, TypeScript, Python, Java, Go, PHP, Ruby, C#.
Systems: C, C++, Rust.
Mobile: Kotlin (Android), Swift (iOS), Scala.
Scripting: Shell / Bash / Zsh / Fish.
Infrastructure as Code: Terraform/HCL, YAML (GitHub Actions, Kubernetes), Dockerfile.
Config/secrets: .env files, PEM/key files, connection strings in config files.

What it detects

Injection vulnerabilities (CWE-89, CWE-78, CWE-79): SQL injection, NoSQL injection, OS command injection, LDAP injection and Cross-Site Scripting — using intra-file taint analysis that confirms user-controlled data reaches the dangerous sink before firing, keeping false positives low.

Hardcoded credentials (CWE-798): AWS/GCP/Azure keys, GitHub tokens, Stripe live keys, private RSA/EC keys, JWT secrets, database connection strings with embedded passwords — across source files, IaC and config files.
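To make the credential-detection category concrete, here is a small pattern-based secrets scanner written for this page as an illustration; it is not DepWarden's code and does not reflect its rule set. It assumes the well-known prefixes of the credential formats listed above (AWS access key IDs starting with AKIA, Stripe live keys with sk_live_, classic GitHub tokens with ghp_, PEM private-key headers, and scheme://user:password@host connection strings) and scans a set of constructed sample files whose values are all fake placeholders. Findings are reported with the matched value masked so that the scan report itself does not become a second copy of the secret.

```python
import re
from typing import Dict, List, NamedTuple

class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    preview: str  # masked match, so the report does not leak the secret

# Detection rules (assumed formats for the credential types listed on this page).
RULES: Dict[str, re.Pattern] = {
    # AWS access key IDs: 20 characters starting with AKIA
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Stripe live secret keys start with sk_live_
    "stripe-live-key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    # Classic GitHub personal access tokens start with ghp_
    "github-token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    # PEM-encoded private key block header
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # scheme://user:password@host, i.e. a password embedded in a connection string
    "db-connection-string-password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^:/\s@]+:[^@\s]+@"
    ),
}

# Constructed sample files; every value below is a made-up placeholder.
SAMPLE_FILES: Dict[str, str] = {
    "config/.env": (
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n"
        "DATABASE_URL=postgres://app:s3cretpassw0rd@db.internal:5432/app\n"
        "LOG_LEVEL=debug\n"
    ),
    "app/settings.py": (
        "STRIPE_KEY = 'sk_live_EXAMPLEEXAMPLEEXAMPLE000'\n"
        "GITHUB_TOKEN = os.environ['GITHUB_TOKEN']  # read from the environment, not hardcoded\n"
    ),
    "deploy/key.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEfakekeymaterial\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

def mask(value: str, keep: int = 6) -> str:
    """Keep a short prefix so the finding is recognisable without revealing the value."""
    if len(value) <= keep:
        return value
    return value[:keep] + "*" * (len(value) - keep)

def scan_text(path: str, text: str) -> List[Finding]:
    """Run every rule over every line of one file and collect masked findings."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, rule, mask(match.group(0))))
    return findings

def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory mapping of path -> file contents (files on disk work the same way)."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}  {f.rule}  {f.preview}")
```

The line that reads the GitHub token from the environment produces no finding, which is the behaviour you want: the rule matches the token format itself, not the variable name. Real scanners add entropy checks and per-service validation on top of prefix matching; this example stops at the format rules.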

Weak cryptography (CWE-327, CWE-326): MD5 or SHA-1 for password hashing, DES or RC4 usage, ECB mode encryption, hardcoded initialization vectors, 1024-bit RSA keys, old TLS versions.

Insecure configuration: Django DEBUG = True, CSRF protection disabled, CORS wildcard origins, Spring Actuator fully exposed, Kubernetes privileged containers, Dockerfile running as root, GitHub Actions script injection.

Framework-specific rules: Django, Spring Boot, Express/Node.js, Ruby on Rails, Laravel, ASP.NET Core — each with framework-idiomatic patterns for CSRF bypass, mass assignment, unsafe redirects and SQL string interpolation.

API and web security: JWT 'none' algorithm accepted, JWT decoded without signature verification, SSRF via user-controlled URL, open redirect, GraphQL introspection enabled in production, timing-attack-vulnerable token comparison.

Mobile: Android WebView JavaScript enabled, external storage for sensitive data, iOS NSLog with sensitive data, weak keychain accessibility, SSL pinning bypass patterns.

Shell script security: eval injection, wget/curl pipe-to-shell execution, world-writable temporary files, unquoted variable expansion leading to word splitting.

How the engine works

DepWarden uses a three-tier analysis approach. Pattern matching covers the broadest surface, using regular expressions for known-dangerous constructs: fast, with high recall. AST analysis via tree-sitter parses supported languages into a syntax tree and finds structural patterns that regex cannot express cleanly. Taint analysis tracks data flow from untrusted sources (HTTP parameters, form inputs) to dangerous sinks (SQL queries, shell commands, HTML output). Injection-class rules only fire when the taint path is confirmed, which is why DepWarden's SQLi/XSS/command-injection rules produce far fewer false positives than pure pattern-matching scanners.
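The source-to-sink reasoning described here, and the claim in the injection section above that taint confirmation keeps false positives low, can be shown on a toy scale. The following intra-file taint tracker is an added example written for this page; it is not DepWarden's engine and uses Python's standard `ast` module rather than tree-sitter. It assumes a Flask-style convention where anything reached through `request` is a taint source, `execute` and `system` are sinks whose first argument must be untainted, and `int()`/`float()` casts neutralise taint. The sample handler file it analyses is constructed for the example, and a naive `\.(execute|system)\(` regex is run over the same file for comparison.

```python
import ast
import re
from typing import List, Set, Tuple

# Constructed sample handler: one string-built SQL query (injectable), one
# parameterised query (safe), one command built from form input (injectable),
# and one value cast to int before use (sanitised).
SAMPLE_SOURCE = '''
import os
from flask import request

def lookup(cursor):
    name = request.args.get("name")
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cursor.execute(query)

    safe_name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = %s", (safe_name,))

    host = request.form["host"]
    os.system(f"ping -c 1 {host}")

    page = int(request.args.get("page", "1"))
    cursor.execute("SELECT * FROM posts LIMIT " + str(page))
'''

SOURCE_ROOT = "request"                 # assumed taint source: request.args, request.form, ...
SINKS = {"execute": (0,), "system": (0,)}  # assumed sinks: method name -> argument indices to check
SANITIZERS = {"int", "float"}           # assumed: numeric casts cannot carry SQL or shell syntax

def _dotted(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as request.args.get as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return _dotted(node.value) + "." + node.attr
    return ""

class TaintTracker(ast.NodeVisitor):
    """Linear, intra-procedural taint propagation through assignments and string building."""

    def __init__(self) -> None:
        self.tainted: Set[str] = set()
        self.findings: List[Tuple[int, str]] = []  # (line number, sink call)

    def is_tainted(self, node: ast.AST) -> bool:
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Attribute):
            return _dotted(node).split(".")[0] == SOURCE_ROOT
        if isinstance(node, ast.Subscript):           # request.form["host"]
            return self.is_tainted(node.value)
        if isinstance(node, ast.Call):
            callee = _dotted(node.func)
            if callee.split(".")[0] == SOURCE_ROOT:   # request.args.get(...)
                return True
            if callee in SANITIZERS:                  # int(...) clears taint
                return False
            return any(self.is_tainted(a) for a in node.args)   # str(x) keeps x's taint
        if isinstance(node, ast.BinOp):               # "..." + name, "%s" % name
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):           # f"... {host}"
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_Assign(self, node: ast.Assign) -> None:
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                (self.tainted.add if tainted else self.tainted.discard)(target.id)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        callee = _dotted(node.func)
        sink = callee.split(".")[-1]
        if sink in SINKS:
            for idx in SINKS[sink]:
                if idx < len(node.args) and self.is_tainted(node.args[idx]):
                    self.findings.append((node.lineno, callee))
        self.generic_visit(node)

def analyze(source: str) -> List[Tuple[int, str]]:
    """Return (line, sink) pairs where tainted data reaches a sink argument."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings

def naive_regex_hits(source: str) -> List[int]:
    """Pattern-matching tier on its own: every sink call, tainted or not."""
    return [n for n, line in enumerate(source.splitlines(), start=1)
            if re.search(r"\.(?:execute|system)\(", line)]

if __name__ == "__main__":
    print("regex tier flags lines:", naive_regex_hits(SAMPLE_SOURCE))
    print("taint-confirmed findings:", analyze(SAMPLE_SOURCE))
```

On the sample file the regex tier flags all four sink calls, while the taint tracker reports only the two where request data actually reaches the sink; the parameterised query and the int-cast value are correctly left alone. A production engine adds inter-procedural tracking, branch-sensitive state and language-specific sanitiser lists on top of this skeleton.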

SAST vs SCA: why you need both

SAST finds security bugs in the code your team writes. SCA finds vulnerabilities in the open-source packages you import. Their blind spots are almost perfectly complementary: SAST catches SQL injection in your code but not a CVE in lodash; SCA catches the lodash CVE but not SQL injection in your code. DepWarden runs both in one tool, one GitHub Action, no account.