What is SAST, and Why It Matters

Static Application Security Testing (SAST) analyzes source code — without executing it — to find security vulnerabilities before they ever reach production: hardcoded secrets, SQL injection risks, use of insecure functions, weak cryptography, and more. Unlike dynamic testing (DAST), which probes a running application, SAST catches problems at the earliest possible stage: while the code is being written or committed.

OWASP maintains a well-known list of Source Code Analysis Tools covering many languages and licensing models. This article focuses on Bandit, an open-source SAST tool built specifically for Python codebases, chosen here because it's lightweight, free, and easy to integrate into any CI pipeline without vendor lock-in.

Why Bandit

Bandit was originally developed by the OpenStack Security Project and is now maintained under the Python Code Quality Authority (PyCQA). It works by parsing Python source code into an Abstract Syntax Tree (AST) and running a set of security-focused plugins against it — no code execution involved, which makes it fast and safe to run on any repository, including untrusted third-party code.