LLMs in Source Code Analysis

February 21, 2025 | Category: News Publication

How Generative AI can help SAST regain its former glory

Static Application Security Testing (SAST) is an essential component of modern software development for identifying security vulnerabilities early on. However, false positives and a lack of precision limit its effectiveness. In this article, we will show how Large Language Models (LLMs) can overcome these challenges and take SAST analysis to the next level.

The challenges of SAST analysis: SAST tools are indispensable for identifying potential vulnerabilities in source code. However, they also produce false positives that have to be identified and dismissed by hand; this extra workload frustrates developers and reduces the acceptance of these tools. There is also a risk that relevant checks will be deactivated, which endangers security.

The solution: AI and SAST in tandem.

The combination of SAST scanners and LLMs offers a promising solution:

  • SAST scanners identify potential vulnerabilities and provide detailed information.
  • LLMs evaluate these findings and filter out false positives.

This two-stage approach significantly increases the precision of the analysis while maintaining the breadth of the initial SAST check.
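The two-stage pipeline described above, as an added example that is not the article's or any vendor's code: stage 1 flattens scanner output, stage 2 asks a model for a structured verdict and applies a conservative policy. The SARIF excerpt is constructed, and the model call is an injected callable (both assumptions); the stand-in responder only shows the flow.

```python
# Added example (not the article's code): two-stage triage, scanner findings -> LLM verdict -> policy.
# The LLM is an injected callable and the SARIF excerpt is constructed (both assumptions).
import json

SAMPLE_SARIF = {"runs": [{"results": [  # constructed, minimal SARIF shape
    {"ruleId": "sql-injection", "level": "error", "message": {"text": "String-built SQL query"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"}, "region": {
         "startLine": 42, "snippet": {"text": "cur.execute('SELECT * FROM users WHERE id=' + uid)"}}}}]},
    {"ruleId": "hardcoded-secret", "level": "warning", "message": {"text": "Possible hard-coded credential"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/conf.py"}, "region": {
         "startLine": 7, "snippet": {"text": "PASSWORD = 'dummy-for-unit-tests'"}}}}]}]}]}
def parse_sarif(doc):
    """Stage 1: flatten SARIF results into plain dicts."""
    out = []
    for run in doc["runs"]:
        for r in run["results"]:
            loc = r["locations"][0]["physicalLocation"]
            out.append({"rule": r["ruleId"], "level": r["level"], "msg": r["message"]["text"],
                        "file": loc["artifactLocation"]["uri"], "line": loc["region"]["startLine"],
                        "snippet": loc["region"]["snippet"]["text"]})
    return out
def build_prompt(f):
    """Ask for a structured verdict so the reply can be validated instead of trusted as free text."""
    return (f"Rule {f['rule']} ({f['level']}) at {f['file']}:{f['line']}: {f['msg']}\nCode: {f['snippet']}\n"
            'Reply only with JSON {"verdict":"TP"|"FP","confidence":0-1,"reason":"..."}')
def parse_verdict(text):
    """Model output is untrusted: accept only the expected JSON shape, else None."""
    try:
        v = json.loads(text)
        v["confidence"] = float(v["confidence"])
        if v.get("verdict") in ("TP", "FP") and 0 <= v["confidence"] <= 1:
            return v
    except (ValueError, TypeError, KeyError, AttributeError):
        pass
    return None
def triage(doc, ask_llm, min_conf=0.9):
    """Stage 2: nothing is deleted; a finding is marked for suppression only when the model
    says FP with high confidence. Unparsable replies and 'error'-level findings always stay."""
    decisions = []
    for f in parse_sarif(doc):
        v = parse_verdict(ask_llm(build_prompt(f)))
        suppress = bool(v and v["verdict"] == "FP" and v["confidence"] >= min_conf and f["level"] != "error")
        decisions.append({**f, "verdict": v, "suppress": suppress})
    # Manual review order: retained errors first, then other retained findings, suppressed last.
    return sorted(decisions, key=lambda d: (d["suppress"], d["level"] != "error"))
def canned_llm(prompt):
    """Offline stand-in for the model call (assumption); a real deployment would query an LLM here."""
    if "dummy-for-unit-tests" in prompt:
        return '{"verdict":"FP","confidence":0.95,"reason":"unit-test fixture, not a real credential"}'
    return '{"verdict":"TP","confidence":0.9,"reason":"untrusted input concatenated into SQL"}'
```

With `canned_llm`, the SQL finding stays at the top of the review queue and the test-fixture credential is marked for suppression; swapping in a responder that always answers "FP" still keeps every error-level finding.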

Practical example: Successful tests in real projects.

In a study with over 5,000 findings from projects such as Mastodon, Matrix Synapse, and KeePass, models such as GPT-4 and Codestral showed impressive results. The AI-supported evaluation agreed with manual audits in many cases, and false positives were reduced by up to 99.99%.

Advantages of AI-supported SAST analysis:

  • Reduction of false positives: More efficient use of SAST tools.
  • Prioritization of critical findings: Focused manual reviews.
  • Increased acceptance: Less frustration for developers.
  • Enhanced security: Improved detection and remediation of vulnerabilities.

Conclusion: Large Language Models have the potential to revolutionize static code analysis. By reducing false positives and specifically prioritizing findings, efficiency is increased and the security of software projects is enhanced. The combination of SAST and AI is a promising approach for the future of software development.

The article appeared in the February 2025 issue of IT Spektrum from SIGS.DE.

The Author

Mirko Richter

Mirko Richter is a Software Security Consultant, Source Code Analysis Specialist and Training Manager for courses ranging from basic training to advanced coding and Secure SDLC training. He has been involved in software development, architecture and security since the mid-90s. He is a speaker at conferences and the author of several technical articles.