What is Static Analysis?

Static analysis, also called static code analysis, is the process of analyzing a computer program to find problems in it without executing it. It is most commonly performed on source code (though it can also run on bytecode or compiled binaries): tools parse the program into an abstract syntax tree (AST) to capture its structure, often derive control-flow and data-flow information from that tree, and then query those representations for patterns that indicate a problem.

When applied specifically to finding security vulnerabilities, static analysis is known as Static Application Security Testing (SAST).

What kind of problems can static analysis find?

Static analysis is a powerful tool for ensuring software quality and robustness, and it can find many kinds of issues before the code is ever run. Some of these categories are:

  1. Security vulnerabilities — SQL injection, XSS, command injection, and other OWASP Top 10 issues
  2. Bug risks and anti-patterns — null pointer dereferences, resource leaks, race conditions
  3. Violation of code style guidelines — formatting, naming conventions, documentation requirements
  4. Performance issues — inefficient algorithms, unnecessary allocations
  5. Dead or unused code — unreachable branches, unused variables and imports
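The following is an added example, not code from the original page or from any particular static analysis product, showing how an AST-based SAST check for the first category above (SQL injection) actually works. It parses Python source with the standard `ast` module, tracks which local names hold attacker-controlled data (a simple intraprocedural taint analysis), and reports any `execute()`-style call whose query argument is built from that data. The taint source (`request`), the sink method names, and the sample program being scanned are all assumptions constructed for this illustration.

```python
"""Minimal AST-based SAST check for SQL injection (added illustration)."""
import ast
from dataclasses import dataclass

# Assumption: a name called `request` carries attacker-controlled input.
TAINT_SOURCES = {"request"}
# Assumption: methods with these names run a SQL statement.
SINK_METHODS = {"execute", "executescript", "executemany"}


@dataclass(frozen=True)
class Finding:
    line: int
    message: str


class SqlInjectionChecker(ast.NodeVisitor):
    """Walks one module; the taint set is reset at every function boundary."""

    def __init__(self) -> None:
        self.tainted: set[str] = set()
        self.findings: list[Finding] = []

    def is_tainted(self, node: ast.AST) -> bool:
        """True if the expression may contain data derived from a taint source."""
        if isinstance(node, ast.Name):
            return node.id in self.tainted or node.id in TAINT_SOURCES
        if isinstance(node, (ast.Attribute, ast.Subscript)):   # request.args["x"]
            return self.is_tainted(node.value)
        if isinstance(node, ast.BinOp):                         # "..." + name
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):                     # f"... {name}"
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.Call):                          # str(name), "{}".format(name)
            return self.is_tainted(node.func) or any(self.is_tainted(a) for a in node.args)
        return False                                            # constants, unmodelled nodes

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self.tainted = set()          # intraprocedural: fresh taint state per function
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # Propagate taint through `x = <tainted expr>`; assigning a clean value clears it.
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if (isinstance(func, ast.Attribute) and func.attr in SINK_METHODS
                and node.args and self.is_tainted(node.args[0])):
            self.findings.append(Finding(
                node.lineno, f"{func.attr}() called with a query built from untrusted input"))
        self.generic_visit(node)


def scan(source: str) -> list[Finding]:
    """Parse `source` and return findings ordered by line number."""
    checker = SqlInjectionChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: f.line)


# Constructed program under analysis (not real application code).
SAMPLE_SOURCE = '''
def find_user(request, conn):
    cur = conn.cursor()
    name = request.args["name"]
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cur.execute(query)                                                # flagged: taint via assignment
    cur.execute(f"SELECT * FROM users WHERE id = {request.user_id}")  # flagged: f-string
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))        # ok: parameterised query
    table = "users"
    cur.execute("SELECT * FROM " + table)                             # ok: constants only
    name = "admin"
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")    # ok: reassigned to a constant
    user_id = int(request.args["id"])
    cur.execute("SELECT * FROM users WHERE id = " + str(user_id))     # flagged, but int() made it safe
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE_SOURCE):
        print(f"line {finding.line}: {finding.message}")
```

Running it reports lines 6, 7 and 14 of the sample. The last of these is a false positive: `int()` guarantees the value is a digit string, but this checker has no model of sanitisers, so it over-approximates. Real SAST tools reduce such noise by modelling sanitiser functions and by following taint across function and module boundaries, but the trade-off between over-approximation (false positives) and missed flows (false negatives) never disappears.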

Static vs dynamic analysis

Static analysis examines code without running it, while dynamic analysis tests running programs. Each approach has trade-offs:

Static analysis                                           | Dynamic analysis
----------------------------------------------------------|----------------------------------------------------------
Can reason about every code path, executed or not         | Covers only the paths the test run actually exercises
No runtime environment needed                             | Requires a running, deployed application
May report false positives (the analysis over-approximates) | Findings are observed behaviour, so false positives are rare
Finds issues early, while the code is being written       | Finds runtime- and environment-specific bugs

Modern security programs combine both approaches: SAST on the code during development, and DAST against the running application before and after deployment.

Limitations

Static analysis cannot detect issues that only manifest at runtime, such as misconfiguration of the deployed environment, bugs specific to a particular platform or dependency version, or faults triggered only by specific runtime values. Because it reasons about all possible executions without performing any of them, it over-approximates: it may flag code that is actually safe (false positives) and, where it cannot follow a value (for example through reflection, dynamic dispatch, or a library it has no model of), it may miss real bugs (false negatives). It also struggles with highly dynamic languages, where types and control flow are difficult to determine before execution.

See also: SAST, Dynamic Analysis, Continuous Quality, Taint Analysis
