Conf42 DevSecOps 2025 - Online

- premiere 5PM GMT

Understanding SAST Foundations with Open-Source Semgrep

Abstract

Static Application Security Testing (SAST) is a fundamental practice for securing the software development lifecycle, but its inner workings are often treated as a complex black box. This session peels back those layers, focusing on the core principles of static analysis using the fast, open-source Semgrep engine as our practical guide. We will explore how modern SAST moves beyond simple text searching by parsing code into Abstract Syntax Trees (ASTs) to understand its true structure and intent.

On that foundation, we turn to Semgrep (semgrep.dev), an engine that matches code shapes across many languages. You’ll learn Semgrep’s minimal building blocks: YAML rules; patterns and pattern combinators; metavariables and constraints; severity and metadata; and autofix for developer-friendly guidance. We’ll also cover when to switch from simple structural matching to taint mode (sources, sinks, sanitizers) for data-flow findings. Finally, we outline the basics of adopting Semgrep: running it locally and in CI, starting from community rule packs, and testing rules.
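As an added illustration of those building blocks (not material from the talk or from the Semgrep project), here is a rule file in Semgrep's YAML syntax with one structural rule and one taint-mode rule for Python targets; the rule ids, messages, and the hashlib and os.system examples are my own choices.

```yaml
rules:
  # Rule 1: structural matching. One pattern with a metavariable, a
  # constraint on that metavariable, a negative pattern that suppresses
  # a known-safe shape, severity/metadata, and an autofix suggestion.
  - id: weak-hash-algorithm
    languages: [python]
    severity: WARNING
    message: >-
      hashlib.$FUNC() is not collision resistant. Use sha256 unless this
      hash is a non-security checksum (then pass usedforsecurity=False).
    metadata:
      category: security
      cwe: "CWE-328: Use of Weak Hash"
    patterns:
      - pattern: hashlib.$FUNC($...ARGS)
      - metavariable-regex:
          metavariable: $FUNC
          regex: ^(md5|sha1)$
      - pattern-not: hashlib.$FUNC(..., usedforsecurity=False)
    fix: hashlib.sha256($...ARGS)

  # Rule 2: taint mode. Instead of one code shape, follow data from a
  # source to a sink and report it unless it passed through a sanitizer.
  - id: request-arg-to-os-system
    languages: [python]
    severity: ERROR
    message: >-
      A request parameter reaches os.system() without shlex.quote();
      this is an OS command injection risk.
    metadata:
      category: security
      cwe: "CWE-78: OS Command Injection"
    mode: taint
    pattern-sources:
      - pattern: flask.request.args.get(...)
    pattern-sanitizers:
      - pattern: shlex.quote(...)
    pattern-sinks:
      - pattern: os.system(...)
```

Run it with `semgrep --config rules.yml path/to/code`; adding `--autofix` applies the `fix` of the first rule in place, and `semgrep --test` checks rules against annotated test files.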

Attendees leave with a clear mental model of how SAST works and a practical, open-source starting point to add precise, maintainable code checks to their DevSecOps workflows.


Safeer C M

Principal Engineer @ MoEngage



