SAST Analyzer
Static Application Security Testing (SAST) analyzes source code to identify security vulnerabilities, insecure coding patterns, and potential security weaknesses before deployment.
Estimated reading time: 15 minutes
Overview
SAST (Static Application Security Testing) is a white-box security testing methodology that analyzes source code without executing it. SAST tools examine code for security vulnerabilities, insecure coding patterns, and potential security weaknesses.
RaSEC's SAST Analyzer uses advanced AI models to perform deep code analysis, identifying vulnerabilities that traditional pattern-matching tools might miss. It performs multi-iteration analysis with different focuses to maximize vulnerability coverage, including injection vulnerabilities, insecure functions, logic flaws, and common security anti-patterns.
Key Features: Multi-iteration analysis, AI-powered vulnerability detection, support for multiple languages, detection of injection vulnerabilities, insecure function identification, and logic flaw analysis.
How It Works
1. Code Submission
Submit your source code (up to 100KB) along with the programming language. The analyzer accepts code snippets, functions, or entire files.
2. Multi-Iteration Analysis
The analyzer performs multiple iterations (default: 2, max: 3) with different analysis focuses:
- Injection vulnerabilities (SQLi, XSS, Command Injection)
- Insecure functions and deprecated APIs
- Logic flaws and business logic vulnerabilities
- Authentication and authorization issues
- Cryptographic weaknesses
3. AI-Powered Detection
Advanced AI models analyze the code context, data flow, and control flow to identify vulnerabilities that static pattern matching might miss. The AI understands code semantics and can identify complex vulnerability patterns.
4. Vulnerability Reporting
Results include detailed vulnerability reports with severity levels, descriptions, evidence, recommendations, and CWE classifications. Each vulnerability includes line numbers and code snippets when available.
Supported Languages
While RaSEC's SAST Analyzer can analyze code in any language, it's optimized for:
JavaScript/TypeScript: Node.js, React, Vue, Angular applications
Python: Django, Flask, FastAPI applications
Java: Spring Boot, Java EE applications
PHP: Laravel, Symfony, WordPress plugins
Go: Go web applications and APIs
Ruby: Rails applications
Default language is javascript if not specified.
API Reference
Endpoint
POST /api/tools/sast
Requires authentication and tools:run permission.
Code Size Limit: Maximum code size is 100KB. For larger codebases, analyze files individually or split into smaller chunks.
Request Parameters
code (required)
The source code to analyze. Must be between 1 byte and 100KB.
"code": "function login(username, password) {\n  const query = `SELECT * FROM users WHERE username='${username}' AND password='${password}'`;\n  return db.query(query);\n}"
(Line breaks inside the JSON string must be sent as \n escapes, as shown.)
language (optional)
Programming language of the code. Default: "javascript"
Examples: javascript, python, java, php, go, ruby, typescript
iterations (optional)
Number of analysis iterations (1-3). More iterations provide better coverage but take longer. Default: 2
Each iteration focuses on different vulnerability types for comprehensive analysis.
Response Format
Success Response (200 OK)
{
"success": true,
"result": {
"analyzedTarget": "code-snippet",
"vulnerabilities": [
{
"vulnerability": "SQL Injection",
"severity": "Critical",
"description": "User input is directly concatenated into SQL query...",
"impact": "An attacker could execute arbitrary SQL commands...",
"vulnerableCode": "const query = `SELECT * FROM users WHERE username='${username}'`;",
"recommendation": "Use parameterized queries or prepared statements",
"cwe": "CWE-89",
"lineNumber": 2,
"confidence": 0.95
}
]
},
"metadata": {
"language": "javascript",
"iterations": 2,
"durationMs": 5234,
"model": "kwaipilot/kat-coder-pro-v1:free",
"provider": "openrouter",
"runId": "uuid"
}
}
Error Response (400 Bad Request)
{
"error": "Validation failed",
"details": {
"fieldErrors": {
"code": ["Code exceeds maximum size of 100KB"]
}
}
}
Examples
Basic Code Analysis
curl -X POST https://rasec.app/api/tools/sast \
-H "<AUTH_HEADER>" \
-H "Content-Type: application/json" \
-d '{
"code": "function getUser(id) { return db.query(\"SELECT * FROM users WHERE id=\" + id); }",
"language": "javascript"
}'
Replace <AUTH_HEADER> with your Authorization header (Bearer scheme required).
Multi-Iteration Analysis
curl -X POST https://rasec.app/api/tools/sast \
-H "<AUTH_HEADER>" \
-H "Content-Type: application/json" \
-d '{
"code": "...",
"language": "python",
"iterations": 3
}'
JavaScript Example
// Source to analyze. The inner backticks and ${} are escaped so the outer
// template literal passes them through to the API unchanged.
const code = `function login(username, password) {
  const query = \`SELECT * FROM users WHERE username='\${username}'\`;
  return db.query(query);
}`;
// apiToken holds your RaSEC API token; reading it from the environment is
// one option (never hard-code it in source).
const apiToken = process.env.RASEC_API_TOKEN;
const authHeader = ['Bearer', apiToken].join(' ');
const response = await fetch('https://rasec.app/api/tools/sast', {
method: 'POST',
headers: {
'Authorization': authHeader,
'Content-Type': 'application/json',
},
body: JSON.stringify({
code: code,
language: 'javascript',
iterations: 2,
}),
});
const result = await response.json();
console.log('Vulnerabilities found:', result.result.vulnerabilities.length);
result.result.vulnerabilities.forEach(vuln => {
console.log(`${vuln.severity}: ${vuln.vulnerability}`);
});
Best Practices
Analyze Complete Functions
Include complete functions or code blocks rather than isolated lines. Context helps the AI understand data flow and identify vulnerabilities more accurately.
Use Multiple Iterations for Critical Code
Use 3 iterations for authentication, authorization, payment processing, and other security-critical code paths. The default of 2 iterations is sufficient for most code.
Specify Language Correctly
Always specify the correct programming language. Language-specific analysis helps identify language-specific vulnerabilities and insecure functions.
Split Large Codebases
For code larger than 100KB, split into logical chunks (functions, classes, modules) and analyze separately. This provides better results than truncating.
Validate Findings Manually
AI-powered analysis is highly accurate but should be validated. Review each finding, verify the vulnerability exists, and check for false positives before taking action.
Integrate into CI/CD
Integrate SAST analysis into your CI/CD pipeline to catch vulnerabilities early. See the Integrations documentation for details.
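The following is an added example (not RaSEC's own client code) that ties the request limits from the API reference to the practices above: it enforces the documented constraints when building a request, splits an oversized JavaScript source at top-level function boundaries so each chunk stays a complete unit, and turns a response in the documented format into a CI pass/fail decision. The severity ladder beyond "Critical", the confidence threshold, and the Node.js runtime are assumptions.

```javascript
// Added example, not RaSEC's own code. Assumes Node.js (Buffer) and a
// severity ladder beyond the "Critical" shown in the docs (assumption).
const MAX_CODE_BYTES = 100 * 1024;   // documented 100KB request limit
const SEVERITY_RANK = { Critical: 4, High: 3, Medium: 2, Low: 1, Info: 0 };

// Build one request body, enforcing the documented parameter constraints
// (code 1 byte..100KB, iterations 1-3, language defaults to javascript).
function buildRequest(code, language = 'javascript', iterations = 2) {
  const size = Buffer.byteLength(code, 'utf8');
  if (size < 1 || size > MAX_CODE_BYTES) {
    throw new RangeError(`code must be 1 byte..100KB, got ${size} bytes`);
  }
  if (!Number.isInteger(iterations) || iterations < 1 || iterations > 3) {
    throw new RangeError('iterations must be an integer from 1 to 3');
  }
  return { code, language, iterations };
}

// Split an oversized source into chunks under the limit, cutting only at
// top-level "function" declarations so every chunk is a complete unit
// (assumption: JavaScript input made of top-level function declarations).
// A single function larger than the limit is emitted alone and will be
// rejected by buildRequest, which is the right place to surface that.
function splitSource(source, maxBytes = MAX_CODE_BYTES) {
  const units = source.split(/^(?=function\s)/m);
  const chunks = [];
  let current = '';
  for (const unit of units) {
    if (current && Buffer.byteLength(current + unit, 'utf8') > maxBytes) {
      chunks.push(current);
      current = '';
    }
    current += unit;
  }
  if (current) chunks.push(current);
  return chunks;
}

// CI gate over a response in the documented format: any finding at or above
// minSeverity with confidence >= minConfidence blocks the build. Findings
// without a confidence field are treated as confidence 1 (assumption).
function gateFindings(response, minSeverity = 'High', minConfidence = 0.8) {
  const findings = (response && response.result && response.result.vulnerabilities) || [];
  const blocking = findings.filter(v =>
    (SEVERITY_RANK[v.severity] || 0) >= SEVERITY_RANK[minSeverity] &&
    (v.confidence === undefined ? 1 : v.confidence) >= minConfidence);
  return { pass: blocking.length === 0, blocking };
}
```

Blocking findings still need the manual validation described above; the gate only decides which ones stop the pipeline until a human has reviewed them.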
Next Steps
Combine SAST with other security testing approaches: