{"id":"https://openalex.org/W7116869814","doi":"https://doi.org/10.1145/3727967.3756838","title":"A Systematic Literature Review on Static Application Security Testing (SAST) Tools: Evaluation, Benchmarks, Challenges, and Future Directions","display_name":"A Systematic Literature Review on Static Application Security Testing (SAST) Tools: Evaluation, Benchmarks, Challenges, and Future Directions","publication_year":2025,"publication_date":"2025-06-17","ids":{"openalex":"https://openalex.org/W7116869814","doi":"https://doi.org/10.1145/3727967.3756838"},"language":null,"primary_location":{"id":"doi:10.1145/3727967.3756838","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3727967.3756838","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 29th International Conference on Evaluation and Assessment in Software Engineering Companion","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.1145/3727967.3756838","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5120056882","display_name":"Doaa Dalaq","orcid":null},"institutions":[{"id":"https://openalex.org/I134085113","display_name":"King Fahd University of Petroleum and Minerals","ror":"https://ror.org/03yez3163","country_code":"SA","type":"education","lineage":["https://openalex.org/I134085113"]}],"countries":["SA"],"is_corresponding":true,"raw_author_name":"Doaa Dalaq","raw_affiliation_strings":["Information and Computer Science department, King Fahd University of Petroleum and Mineral, Dhahran, Saudi Arabia"],"raw_orcid":"https://orcid.org/0009-0007-5670-484X","affiliations":[{"raw_affiliation_string":"Information and Computer Science department, King Fahd University of Petroleum and Mineral, Dhahran, Saudi Arabia","institution_ids":["https://openalex.org/I134085113"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5121122973","display_name":"Kaniz Fatima Daya","orcid":null},"institutions":[{"id":"https://openalex.org/I134085113","display_name":"King Fahd University of Petroleum and Minerals","ror":"https://ror.org/03yez3163","country_code":"SA","type":"education","lineage":["https://openalex.org/I134085113"]}],"countries":["SA"],"is_corresponding":false,"raw_author_name":"Kaniz Fatima Daya","raw_affiliation_strings":["Information and Computer Science department, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia"],"raw_orcid":"https://orcid.org/0009-0001-8582-4433","affiliations":[{"raw_affiliation_string":"Information and Computer Science department, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia","institution_ids":["https://openalex.org/I134085113"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5119756121","display_name":"Alaa Dalaq","orcid":null},"institutions":[{"id":"https://openalex.org/I134085113","display_name":"King Fahd University of Petroleum and Minerals","ror":"https://ror.org/03yez3163","country_code":"SA","type":"education","lineage":["https://openalex.org/I134085113"]}],"countries":["SA"],"is_corresponding":false,"raw_author_name":"Alaa Dalaq","raw_affiliation_strings":["Information and Computer Science department, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia"],"raw_orcid":"https://orcid.org/0009-0003-6819-1069","affiliations":[{"raw_affiliation_string":"Information and Computer Science department, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia","institution_ids":["https://openalex.org/I134085113"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5121115219","display_name":"Muhammed Nazmul Arefin","orcid":null},"institutions":[{"id":"https://openalex.org/I134085113","display_name":"King Fahd University of Petroleum and Minerals","ror":"https://ror.org/03yez3163","country_code":"SA","type":"education","lineage":["https://openalex.org/I134085113"]}],"countries":["SA"],"is_corresponding":false,"raw_author_name":"Muhammed Nazmul Arefin","raw_affiliation_strings":["Information and Computer Science department, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia"],"raw_orcid":"https://orcid.org/0000-0001-9869-3981","affiliations":[{"raw_affiliation_string":"Information and Computer Science department, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia","institution_ids":["https://openalex.org/I134085113"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5121058855","display_name":"Mahmood Khan Niazi","orcid":null},"institutions":[{"id":"https://openalex.org/I134085113","display_name":"King Fahd University of Petroleum and Minerals","ror":"https://ror.org/03yez3163","country_code":"SA","type":"education","lineage":["https://openalex.org/I134085113"]}],"countries":["SA"],"is_corresponding":false,"raw_author_name":"Mahmood Khan Niazi","raw_affiliation_strings":["Information and Computer Science department, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia"],"raw_orcid":"https://orcid.org/0000-0001-7318-7644","affiliations":[{"raw_affiliation_string":"Information and Computer Science department, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia","institution_ids":["https://openalex.org/I134085113"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5120056882"],"corresponding_institution_ids":["https://openalex.org/I134085113"],"apc_list":null,"apc_paid":null,"fwci":2.8049,"has_fulltext":false,"cited_by_count":1,"citation_normalized_percentile":{"value":0.93980208,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":96,"max":98},"biblio":{"volume":null,"issue":null,"first_page":"162","last_page":"168"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.3479999899864197,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.3479999899864197,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.3377000093460083,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.046300001442432404,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/test-suite","display_name":"Test suite","score":0.5935999751091003},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.5698999762535095},{"id":"https://openalex.org/keywords/systematic-review","display_name":"Systematic review","score":0.4823000133037567},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.446399986743927},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.4422999918460846},{"id":"https://openalex.org/keywords/suite","display_name":"Suite","score":0.42289999127388},{"id":"https://openalex.org/keywords/software-deployment","display_name":"Software deployment","score":0.37549999356269836},{"id":"https://openalex.org/keywords/unit-testing","display_name":"Unit testing","score":0.36820000410079956},{"id":"https://openalex.org/keywords/software-testing","display_name":"Software testing","score":0.3571000099182129},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.35109999775886536}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7045000195503235},{"id":"https://openalex.org/C151552104","wikidata":"https://www.wikidata.org/wiki/Q7705809","display_name":"Test suite","level":4,"score":0.5935999751091003},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.5698999762535095},{"id":"https://openalex.org/C189708586","wikidata":"https://www.wikidata.org/wiki/Q1504425","display_name":"Systematic review","level":3,"score":0.4823000133037567},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.446399986743927},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.4422999918460846},{"id":"https://openalex.org/C79581498","wikidata":"https://www.wikidata.org/wiki/Q1367530","display_name":"Suite","level":2,"score":0.42289999127388},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.39910000562667847},{"id":"https://openalex.org/C105339364","wikidata":"https://www.wikidata.org/wiki/Q2297740","display_name":"Software deployment","level":2,"score":0.37549999356269836},{"id":"https://openalex.org/C148027188","wikidata":"https://www.wikidata.org/wiki/Q907375","display_name":"Unit testing","level":3,"score":0.36820000410079956},{"id":"https://openalex.org/C2984328558","wikidata":"https://www.wikidata.org/wiki/Q188522","display_name":"Software testing","level":3,"score":0.3571000099182129},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.35109999775886536},{"id":"https://openalex.org/C519991488","wikidata":"https://www.wikidata.org/wiki/Q28865","display_name":"Python (programming language)","level":2,"score":0.33719998598098755},{"id":"https://openalex.org/C87007009","wikidata":"https://www.wikidata.org/wiki/Q210832","display_name":"Statistical hypothesis testing","level":2,"score":0.3345000147819519},{"id":"https://openalex.org/C185798385","wikidata":"https://www.wikidata.org/wiki/Q1161707","display_name":"Benchmark (surveying)","level":2,"score":0.33410000801086426},{"id":"https://openalex.org/C135945739","wikidata":"https://www.wikidata.org/wiki/Q1211457","display_name":"Software release life cycle","level":5,"score":0.33160001039505005},{"id":"https://openalex.org/C117447612","wikidata":"https://www.wikidata.org/wiki/Q1412670","display_name":"Software quality","level":4,"score":0.3255000114440918},{"id":"https://openalex.org/C77109596","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Application security","level":5,"score":0.3199999928474426},{"id":"https://openalex.org/C195518309","wikidata":"https://www.wikidata.org/wiki/Q13424265","display_name":"Security testing","level":5,"score":0.3174999952316284},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.3158000111579895},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.31209999322891235},{"id":"https://openalex.org/C43521106","wikidata":"https://www.wikidata.org/wiki/Q2165493","display_name":"Pipeline (software)","level":2,"score":0.31189998984336853},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.3091999888420105},{"id":"https://openalex.org/C188598960","wikidata":"https://www.wikidata.org/wiki/Q7705805","display_name":"Test strategy","level":3,"score":0.30630001425743103},{"id":"https://openalex.org/C82214349","wikidata":"https://www.wikidata.org/wiki/Q657339","display_name":"Software metric","level":5,"score":0.3046000003814697},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.30250000953674316},{"id":"https://openalex.org/C95922358","wikidata":"https://www.wikidata.org/wiki/Q5432725","display_name":"False positive rate","level":2,"score":0.2896000146865845},{"id":"https://openalex.org/C131275738","wikidata":"https://www.wikidata.org/wiki/Q7445023","display_name":"Security bug","level":5,"score":0.28540000319480896},{"id":"https://openalex.org/C112789634","wikidata":"https://www.wikidata.org/wiki/Q18207010","display_name":"False positives and false negatives","level":3,"score":0.2791000008583069},{"id":"https://openalex.org/C120936955","wikidata":"https://www.wikidata.org/wiki/Q2155640","display_name":"Empirical research","level":2,"score":0.27889999747276306},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.2761000096797943},{"id":"https://openalex.org/C111065885","wikidata":"https://www.wikidata.org/wiki/Q1189053","display_name":"Fuzz testing","level":3,"score":0.2676999866962433},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.26330000162124634},{"id":"https://openalex.org/C10272871","wikidata":"https://www.wikidata.org/wiki/Q929972","display_name":"Software inspection","level":5,"score":0.2628999948501587},{"id":"https://openalex.org/C154446701","wikidata":"https://www.wikidata.org/wiki/Q4209964","display_name":"Fagan inspection","level":2,"score":0.2563999891281128}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3727967.3756838","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3727967.3756838","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 29th International Conference on Evaluation and Assessment in Software Engineering Companion","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3727967.3756838","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3727967.3756838","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 29th International Conference on Evaluation and Assessment in Software Engineering Companion","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":8,"referenced_works":["https://openalex.org/W2773017930","https://openalex.org/W2976928731","https://openalex.org/W3038935150","https://openalex.org/W3202871865","https://openalex.org/W4285490400","https://openalex.org/W4298219515","https://openalex.org/W4386893544","https://openalex.org/W4390933267"],"related_works":[],"abstract_inverted_index":{"Context":[0],"Static":[1],"Application":[2],"Security":[3],"Testing":[4],"(SAST)":[5],"tools":[6,32,62,279],"play":[7],"an":[8,46],"important":[9],"role":[10],"in":[11,72],"finding":[12],"software":[13,21,301],"vulnerabilities":[14,35],"during":[15],"the":[16,20,28,90,127,145,201,217,228,233,253,295],"first":[17],"phase":[18],"of":[19,30,59,89,101,213,247,255],"security":[22,182],"testing":[23],"pipeline":[24],"and":[25,36,57,66,94,124,138,155,173,208,222,283,289],"development.":[26],"Yet,":[27],"aptness":[29],"these":[31,278],"to":[33,143,195,260,276,280,285,299],"find":[34],"their":[37,70,291],"incorporation":[38],"into":[39],"Continuous":[40],"Integration/Continuous":[41],"Deployment":[42],"(CI/CD)":[43],"pipelines":[44],"is":[45,269],"open":[47],"research":[48,52,106],"area.":[49],"Objective:":[50],"This":[51],"provides":[53],"a":[54,110,164,176,243,257],"systematic":[55,80],"analysis":[56],"comparison":[58],"popular":[60,154],"SAST":[61,267],"(i.e.,":[63],"SonarQube,":[64],"Checkmarx,":[65],"Bandit)":[67],"based":[68],"on":[69,159],"capability":[71],"vulnerability":[73,261],"detection":[74,139],"within":[75,294],"CI/CD":[76],"pipelines.":[77],"Methodology:":[78],"A":[79],"literature":[81],"review":[82,98],"(SLR)":[83],"process":[84,99],"was":[85,153,175,187],"performed,":[86],"making":[87],"use":[88],"methodology":[91],"by":[92],"Kitchenham":[93],"Charters":[95],"[12].":[96],"The":[97,184,250],"consisted":[100],"six":[102],"stages:":[103],"1)":[104],"defining":[105],"questions,":[107],"2)":[108],"developing":[109],"search":[111],"strategy,":[112],"3)":[113],"selecting":[114],"relevant":[115],"studies,":[116],"4)":[117],"assessing":[118],"study":[119],"quality,":[120],"5)":[121],"extracting":[122],"data,":[123],"6)":[125],"synthesizing":[126],"findings.":[128],"Three":[129],"performance":[130,158],"metrics,":[131,216],"including":[132],"recall,":[133],"precision,":[134],"false":[135,171,287],"positive":[136],"rate,":[137],"accuracy,":[140],"were":[141,227],"used":[142,190],"evaluate":[144],"tool's":[146],"performance.":[147,248],"Results:":[148],"Results":[149],"revealed":[150],"that":[151,264],"SonarQube":[152],"showed":[156],"good":[157],"Java":[160],"applications,":[161],"Checkmarx":[162],"had":[163],"higher":[165],"precision":[166,282],"but":[167,191],"also":[168],"generated":[169],"more":[170,206,244],"positives,":[172],"Bandit":[174],"highly":[177],"effective":[178],"tool":[179],"for":[180],"Python":[181],"flaws.":[183],"OWASP":[185],"Benchmark":[186],"most":[188,229],"commonly":[189,230,240],"lacked":[192],"diversity":[193],"due":[194],"its":[196],"real-world,":[197],"imbalanced":[198],"nature,":[199],"whereas":[200,232],"Juliet":[202],"Test":[203],"Suite":[204],"offered":[205],"extensive":[207],"exhaustive":[209],"coverage.":[210],"In":[211],"terms":[212],"reporting":[214],"evaluation":[215],"True":[218],"Positive":[219,224],"Rate":[220,225],"(TPR)":[221],"False":[223],"(FPR)":[226],"used,":[231,241],"Youden":[234],"Index":[235],"(YI),":[236],"despite":[237],"being":[238],"less":[239],"provided":[242],"balanced":[245],"measure":[246],"Conclusion:":[249],"report":[251],"highlights":[252],"necessity":[254],"employing":[256],"holistic":[258],"approach":[259],"detection,":[262],"demonstrating":[263],"no":[265],"one":[266],"solution":[268],"best":[270],"at":[271],"everything.":[272],"Further":[273],"studies":[274],"are":[275],"target":[277],"improve":[281],"recall":[284],"reduce":[286],"positives":[288],"develop":[290],"combinatorial":[292],"treatment":[293],"current":[296],"DevSecOps":[297],"flow":[298],"enhance":[300],"security.":[302]},"counts_by_year":[{"year":2026,"cited_by_count":1}],"updated_date":"2026-05-05T08:41:31.759640","created_date":"2025-12-23T00:00:00"}