SAST, or Static Application Security Testing, is a white-box testing method that analyzes source code, bytecode, or binary code for vulnerabilities without executing the application. By scanning JS source files (including ES modules, frameworks like React/Vue, and embedded scripts in HTML), OWASP PTK will identify injection flaws, insecure data handling and DOM-based XSS before code ever reaches QA or production.
How to scan an application:
1. Click the "Scan in runtime" button and confirm that it is starting.
2. Start browsing the application you are scanning, e.g. click on different links, submit forms, etc.
3. Once you have finished browsing, open the SAST scanner and stop the scan.
4. Check the results.
Result columns: Rule, Module, Severity
No completed scan available to upload yet. Run or download a scan first.
Are you sure you want to run SAST scan against ?
Reload this tab to enable runtime signals required for SAST.
Scan strategy:
Taint and pattern rules (recommended) - run the full built-in SAST execution mode, which applies both taint/dataflow rules and pattern rules.
Taint rules only - run only the taint/dataflow rules, which is narrower in coverage and usually faster.
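To make the difference between the two strategies concrete, here is an added example (not code from OWASP PTK or its rule set) that implements a deliberately tiny line-based analyzer in JavaScript. It runs in two modes over three constructed snippets: "pattern" mode reports every assignment to a DOM sink such as innerHTML, while "taint" mode reports a sink only when the assigned value can be traced back to an attacker-controlled source such as location.hash. The source, sink and sanitizer lists, the helper name escapeHtml, and the regex-based "parsing" are all assumptions chosen for illustration; a real SAST engine works on an AST and tracks taint per argument, not per line.

```javascript
// Constructed source/sink/sanitizer lists for a DOM-based XSS check (assumption, not PTK's rules).
const SOURCES = ['location.hash', 'location.search', 'document.referrer', 'window.name'];
const SINKS = [
  { name: 'innerHTML', re: /\.innerHTML\s*=\s*(.+?);?$/ },
  { name: 'document.write', re: /document\.write\((.+?)\);?$/ },
];
const SANITIZERS = ['escapeHtml', 'encodeURIComponent']; // escapeHtml is a hypothetical helper

// Simplification: an expression is clean if it calls a sanitizer anywhere,
// tainted if it references a source or an already-tainted variable.
function isTaintedExpr(expr, tainted) {
  if (SANITIZERS.some((s) => expr.includes(s + '('))) return false;
  if (SOURCES.some((s) => expr.includes(s))) return true;
  const ids = expr.match(/[A-Za-z_$][\w$]*/g) || [];
  return ids.some((id) => tainted.has(id));
}

// mode: 'taint' (dataflow-aware) or 'pattern' (flag every sink write).
function analyze(src, { mode = 'taint' } = {}) {
  const findings = [];
  const tainted = new Set();
  src.split('\n').forEach((raw, idx) => {
    const line = raw.trim();
    if (!line || line.startsWith('//')) return;

    // Track simple variable assignments: `const x = <expr>;` or `x = <expr>;`
    const asg = line.match(/^(?:const|let|var)?\s*([A-Za-z_$][\w$]*)\s*=\s*(.+?);?$/);
    if (asg) {
      if (isTaintedExpr(asg[2], tainted)) tainted.add(asg[1]);
      else tainted.delete(asg[1]); // reassignment with clean data clears taint
    }

    for (const sink of SINKS) {
      const m = line.match(sink.re);
      if (!m) continue;
      const expr = m[1];
      if (mode === 'pattern' || isTaintedExpr(expr, tainted)) {
        findings.push({ line: idx + 1, sink: sink.name, expr, rule: mode });
      }
    }
  });
  return findings;
}

// Constructed sample programs (not taken from any real application).
const SAMPLES = {
  // Attacker-controlled fragment flows unescaped into innerHTML: DOM-based XSS.
  vulnerable: [
    'const q = location.hash.slice(1);',
    'const greeting = "Hello " + q;',
    'document.getElementById("out").innerHTML = greeting;',
  ].join('\n'),
  // Same flow, but the value is passed through a sanitizer first.
  sanitized: [
    'const q = location.hash.slice(1);',
    'const greeting = "Hello " + escapeHtml(q);',
    'document.getElementById("out").innerHTML = greeting;',
  ].join('\n'),
  // Sink write with a constant: a pattern rule still flags it, a taint rule does not.
  constant: [
    'const banner = "<b>Welcome</b>";',
    'document.getElementById("out").innerHTML = banner;',
  ].join('\n'),
};

// Run both strategies over every sample and return a finding count per sample/mode.
function compareStrategies() {
  const out = {};
  for (const [name, src] of Object.entries(SAMPLES)) {
    out[name] = {
      pattern: analyze(src, { mode: 'pattern' }).length,
      taint: analyze(src, { mode: 'taint' }).length,
    };
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(compareStrategies(), null, 2));
  console.log(analyze(SAMPLES.vulnerable));
}
```

Pattern mode reports three findings (one per sample), taint mode reports only the genuinely vulnerable one; that gap is the extra noise you trade for the broader coverage of the recommended "taint and pattern rules" strategy.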
Scan policy:
Default (system) - use the built-in SAST modules/rules.
PTK Pro policies can appear here when available, offering advanced and customizable scanning options for Pro users.