Logic scanner now available! Try it out
Back
Security Research - 6 min read

Is AI SAST a meme?

An honest breakdown of the benefits and downsides of AI-powered security testing. We explore ZeroPath's approach to contextual understanding, natural language rules, and automated remediation while acknowledging the limitations.

ZeroPath Security Research

ZeroPath Security Research

2025-04-08
Is AI SAST a meme?

Distracted boyfriend meme with developer looking at ZeroPath finding a bug while ignoring manual code review

The security industry loves its buzzwords, and "AI-powered SAST" might seem like the latest marketing gimmick. But behind this terminology lies a fundamental shift in how we approach code security. At ZeroPath, we've been tackling a problem that has plagued static analysis for decades: false positives that waste developer time and erode trust in security tools. Like any technology, our approach has both strengths and limitations, which we'll explore throughout this post. No tool is perfect, and being transparent about where AI SAST excels and where it struggles is crucial for teams to make informed decisions.

What is AI-powered SAST, really?

Traditional Static Application Security Testing (SAST) tools scan source code for patterns that match known vulnerability signatures. They're essentially sophisticated pattern matchers—effective for finding textbook issues but notoriously bad at understanding context.

AI-powered SAST fundamentally changes this approach. Instead of just pattern matching, it builds an Abstract Syntax Tree (AST) of your code and analyzes it with language models. It tracks data flows through your application, maps component interactions, and examines security control implementations. This structural analysis helps reason about security in ways that traditional SAST cannot. We discuss these advancements in detail in our recent blog post on AI Model Progress.

For monorepos or complex repositories, the system identifies distinct applications and their relationships, gathering information about each app's purpose, tech stack, authentication mechanisms, and architecture. This application-level awareness provides context for security findings.

The False Positive Problem

Traditional SAST tools operate primarily through pattern matching and predefined rules. While effective at finding textbook vulnerabilities, they struggle with contextual understanding, leading to an overwhelming number of false positives. Let's examine the types of false alarms that have made developers rightfully skeptical of SAST results.

Common False Positives ZeroPath Eliminates

Sanitized Input Misidentification

Traditional SAST tools often flag inputs as dangerous even when they've been properly sanitized elsewhere in the codebase. ZeroPath's contextual understanding tracks data flow comprehensively, recognizing when potentially dangerous inputs have been properly validated or sanitized before use.

For example, when analyzing a Python web application, ZeroPath won't flag sanitized database queries as SQL injection risks if it can verify that proper ORM methods or parameterized queries are used, even if the sanitization happens several function calls away from the final execution.

Framework-Aware Analysis

Many frameworks provide built-in security protections that traditional SAST tools miss. ZeroPath understands modern frameworks' security models and won't flood you with alerts for "vulnerabilities" that are actually protected by framework safeguards.

When scanning a React application using properly implemented JSX, ZeroPath knows that XSS vulnerabilities are mitigated by React's automatic output encoding, while traditional tools might flag every dynamic content insertion as a potential XSS vector.

Test Code Differentiation

Many SAST tools generate alerts for intentionally vulnerable code in test files. ZeroPath intelligently separates test code from production code, understanding that mock vulnerabilities in tests don't represent actual security risks.

Dead Code Elimination

Traditional SAST tools frequently flag vulnerabilities in code that isn't actually accessible in the running application. ZeroPath maps the actual entry points and execution paths of your application, identifying which code can actually be reached from external sources. This prevents alerts on technically vulnerable but practically unexploitable code that's never executed in production environments.

The Real Challenges

Every security tool has strengths and limitations. Here are some challenges we're actively working to address:

Business Logic False Positives

Despite our contextual analysis, detecting business logic vulnerabilities remains challenging. ZeroPath can still produce false positives when analyzing complex authorization schemes or multi-step business processes, particularly when business rules are implemented across multiple services or repositories.

For example, a potential Insecure Direct Object Reference (IDOR) might be flagged even though authorization is properly handled through a separate microservice that ZeroPath doesn't have visibility into during single-repository scans.

Scan Performance on Large Codebases

While pull request scans are optimized for speed, initial full-repository scans on large codebases can be time-consuming. The depth of analysis required for contextual understanding comes with computational cost. Repositories exceeding several hundred thousand lines of code might experience longer initial scan times compared to traditional SAST tools.

Middleware Detection Challenges

One of our more frustrating limitations involves middleware detection. Depending on framework configurations, ZeroPath sometimes struggles to correctly identify security controls implemented in middleware layers. This can lead to false positives where the tool flags issues that are actually being mitigated by middleware components.

For example, in Express.js applications with custom authentication middleware, ZeroPath might flag endpoints as lacking proper authentication if the middleware is applied through non-standard patterns or dynamic route configuration. Fortunately, our context feature allows you to provide additional information about your middleware implementation to prevent these false positives, but this requires manual input.

Third-Party Dependency Limitations

ZeroPath generates an Abstract Syntax Tree (AST) for your application code, but a significant limitation is our handling of third-party dependencies. We don't analyze the internal code of dependencies, which can cause blind spots in security analysis.

This becomes particularly problematic with frameworks that use callbacks, hooks, or dynamic function invocation patterns. For example, if your application uses a framework that implements security controls through dynamically registered handlers or middleware, ZeroPath might not correctly trace these execution paths, potentially leading to false positives or missed vulnerabilities.

While our dependency scanning identifies known vulnerable packages, the deeper interaction between your code and third-party libraries may not be fully captured in our analysis model.

Multi-Repository Architecture Challenges

Complex applications spanning multiple repositories can present challenges for comprehensive security analysis. ZeroPath works best when it can trace execution flows fully, which can be limited when analyzing single repositories in isolation.

Addressing Business Logic and Context

When the system flags potential issues that turn out to be false positives in your specific environment, you can provide additional context through natural language input. This helps refine the analysis for your particular codebase.

For example, if you've implemented custom authorization logic that isn't automatically recognized, explaining this implementation helps the system incorporate this context in subsequent scans.

Developer: Is this IDOR vulnerability exploitable if we've implemented role-based access control at the API gateway level?

ZeroPath: Based on your code, I can see that the API gateway implements role checks, but the vulnerability exists because the user ID parameter in the /api/documents/:id endpoint is only validated for format, not ownership. An attacker with a valid session could still access another user's documents by changing the ID parameter, bypassing the role checks.

How We Approach Findings

When potential vulnerabilities are detected, the system allows for interactive analysis. Developers can query the findings with specific questions:

  1. "Show me the execution path for this vulnerability"
  2. "Generate a curl command that would trigger this issue"
  3. "How would you modify this patch to use our validation library?"

This direct interaction with findings helps reduce time spent on investigation and remediation planning.

Technical Implementation Details

At a technical level, we've focused on analyzing codebases as complete systems rather than isolated snippets. This approach has practical implications for security analysis:

First, we build a comprehensive source inventory that catalogs all entry points in your application - HTTP endpoints, WebSockets, and similar interfaces. This mapping helps identify which parts of the codebase are actually exposed to potential attackers.

We've also implemented natural language processing for security policy definition. You can define rules in plain English instead of specialized syntax, which simplifies the creation and maintenance of security standards.

For vulnerability prioritization, we use standard CVSS scoring to ensure consistent risk assessment. This helps development teams focus on fixing the most critical issues first based on objective criteria.

The Bottom Line

Is AI SAST a meme? In some ways, the term has become overused in marketing materials across the industry. However, there are genuine technical advancements in how static analysis can be performed.

Tools like ZeroPath can reduce false positives and identify complex vulnerabilities that traditional pattern-matching would miss. The ability to understand code in context helps filter out many of the false alarms that have made previous generations of SAST tools frustrating to use.

That said, no tool solves all problems. There are still challenges with complex business logic, third-party dependencies, and multi-repository architectures. Like any security technology, these tools work best as part of a broader strategy that includes different testing methodologies and human expertise.

The practical value isn't in buzzwords but in concrete capabilities: interactive finding analysis, contextual code understanding, and meaningful prioritization of legitimate issues. These improvements help security and development teams work more efficiently, even if they don't represent the revolutionary change that some marketing might suggest. If this is something you are interested in, we have a blog where we show you how to do Security Research with ZeroPath.

Ready for effortless AppSec?

Get a live ZeroPath tour.

Schedule a demo with one of the founders Dean Valentine Raphael Karger Nathan Hrncirik Yaacov Tarko to get started.

Schedule a demo