Most of these vulnerabilities could have been discovered much earlier had the same security researchers pointed a SAST tool at the codebase.
I wrote an OSS PHP SAST tool 6 years ago, but it's suffered from industry neglect — most people only care about security after an incident, and PHP has enough magical behaviour that any tool needs to be tuned to how specific repositories behave.
I agree there's a big opportunity for LLMs to take this work forward, filling in for a lack of human expertise.
Where can I learn more about SAST, and do you have a link to your tool?
I stood up a DokuWiki instance recently and had Qwen look through the codebase, and it didn't find anything critical. It identified "fragile patterns", though.