TL;DR: I took a small Flask application with 7 classic security flaws, ran Bandit (a SAST tool from the OWASP Source Code Analysis Tools list) against it, fixed everything it found, and automated the scan with GitHub Actions so no insecure code reaches main again. Full code: GitHub repo →
What is SAST and why should you care?
Static Application Security Testing (SAST) tools analyze your source code without executing it, looking for patterns that are known to cause vulnerabilities: SQL injection, command injection, weak cryptography, hardcoded secrets, and more.
The main advantage over finding bugs in production? Cost and timing. A SAST scan runs in seconds, inside your IDE or CI pipeline, before the code ever ships. According to OWASP, SAST scales well precisely because it can run repeatedly on every build.
For this experiment I chose Bandit: an open-source SAST tool designed specifically for Python, originally developed within the OpenStack project and now maintained by PyCQA. It builds an AST (Abstract Syntax Tree) from each file and runs security plugins against it.






