DAST — Dynamic Application Security Testing
DAST scans your running infrastructure and applications from the outside, simulating what an attacker would see.
- Works by probing live targets: domains, IP addresses, web apps
- Finds vulnerabilities in deployed software, network services, and configurations
- Does not require access to source code
- Results appear in Issues
DAST is managed through Targets and Scans.
SAST — Static Application Security Testing
SAST scans your source code before or after deployment, looking for vulnerabilities in the code itself.
- Works by analyzing code in your Git repositories
- Finds insecure coding patterns, exposed secrets, and vulnerable dependencies
- Does not require a running application
- Results appear in Feed
SAST is managed through Repositories and Integrations.
Why use both
DAST and SAST find different classes of problems:
| Layer | What DAST finds | What SAST finds |
|---|---|---|
| Network | Open ports, exposed services | — |
| Application | CVEs in deployed software, HTTP misconfigs | Insecure code patterns, SQL injection in code |
| Code | — | Hard-coded secrets, vulnerable dependencies |
A vulnerability might be detectable only by one method. Combining both gives you the most complete coverage across your attack surface.