
All news with #sast tag

11 articles

AWS Security Agent introduces full repository code review

πŸ” AWS Security Agent now offers a preview of full repository code review, an AI-driven capability that performs deep, context-aware analysis across entire repositories. It models application architecture, trust boundaries, and data flows rather than relying on pattern matching, and returns developer-ready findings with structured evidence and concrete remediation. The feature is designed to complement existing SAST tools and is available in preview at no additional charge while AWS solicits customer feedback.

AWS Security Agent: Full Repository Code Review Launch

🔒 AWS today introduced full repository code review in AWS Security Agent, a capability that performs deep, context-aware security analysis across entire codebases. Unlike traditional static scanners, it reasons about architecture, trust boundaries, and data flows to surface systemic vulnerabilities. When issues are identified, the scanner generates file- and line-specific remediation guidance and exploit proofs-of-concept to accelerate fixes; preview access is available at no extra charge in all Regions.

GitHub adds AI bug detection to broaden security coverage

πŸ›‘οΈ GitHub is integrating AI-based scanning into Code Security to extend vulnerability detection beyond CodeQL, targeting ecosystems like Shell/Bash, Dockerfiles, Terraform, PHP and more. The hybrid model preserves CodeQL for deep semantic analysis while using AI to increase coverage in areas hard for traditional static analysis. Findings and suggested fixes appear directly in pull requests, and a public preview is expected in early Q2 2026.

Anthropic’s Claude Code Security Sparks Industry Debate

πŸ›‘οΈ Anthropic launched a limited research preview of Claude Code Security, triggering sharp market moves as stocks of major cybersecurity vendors dropped. The tool claims to reason about code like a human, trace data flows, find complex vulnerabilities, and suggest targeted patches that appear in a review dashboard with confidence ratings. Anthropic says every finding undergoes a multi-stage verification and requires human approval, but experts warn about outsourcing critical security judgments to an evolving model and highlight risks from hallucinations, asymmetric attacker advantage, and single points of trust.

Anthropic Launches Claude Code Security for Codebases

πŸ›‘οΈ Anthropic has introduced Claude Code Security, an AI feature now in a limited research preview for Enterprise and Team customers that scans software codebases for vulnerabilities and proposes targeted patches for human review. The company says the tool reasons about component interactions and traces data flows, going beyond pattern-based static analysis. Findings pass a multi-stage verification process to reduce false positives and receive severity and confidence ratings. Anthropic stresses a human-in-the-loop model: suggested fixes require developer approval.

5 Million Apps Revealed: Secrets Hidden in JavaScript

πŸ” Intruder scanned 5 million applications for secrets in built JavaScript bundles and found over 42,000 exposed tokens across 334 secret types. Many were active, high-risk credentials β€” including 688 repository tokens (GitHub/GitLab) and API keys for project management tools like Linear, some granting full access to private repos and CI/CD secrets. Traditional scanners, SAST, and DAST missed many of these because the secrets were introduced during build and lived only in bundled front-end code. The research highlights the urgent need for SPA spidering and explicit bundle scanning to prevent production leaks.

Top Dynamic and Static Application Security Testing Tools

🔒 Application security now demands both static code analysis and runtime testing to secure the software supply chain. This article reviews leading SAST and DAST tools that help developers find vulnerabilities early and in running applications, covering deployment models, CI/CD and IDE integrations, and features like secret scanning, IAST, managed services, and compliance checks. Vendors highlighted include Checkmarx, Fortify, Acunetix, Veracode, and others.

CERT/CC warns binary-parser flaw enables JS execution

πŸ›‘οΈ The CERT/CC has warned of a code-injection vulnerability in the binary-parser npm library (CVE-2026-1245) that can permit execution of arbitrary JavaScript when parser source is dynamically generated at runtime. The flaw arises from unsanitized, attacker-controlled values β€” such as parser field names and encoding parameters β€” being embedded into code compiled with the Function constructor. Applications that accept untrusted parser definitions are at risk; static, hard-coded parsers are not affected. Users should upgrade to binary-parser 2.3.0 and avoid passing user-controlled values into parser definitions.

OpenAI Aardvark: Autonomous GPT-5 Agent for Code Security

πŸ›‘οΈ OpenAI Aardvark is an autonomous GPT-5-based agent that scans, analyzes and patches code by emulating a human security researcher. Rather than only flagging suspicious patterns, it maps repositories, builds contextual threat models, validates findings in sandboxes and proposes fixes via Codex, then rechecks changes to prevent regressions. OpenAI reports it found 92% of benchmark vulnerabilities and has already identified real issues in open-source projects, offering free coordinated scanning for selected non-commercial repositories.

Security Risks of Vibe Coding and LLM Developer Assistants

πŸ›‘οΈAI developer assistants accelerate coding but introduce significant security risks across generated code, configurations, and development tools. Studies show models now compile code far more often yet still produce many OWASP- and MITRE-class vulnerabilities, and real incidents (for example Tea, Enrichlead, and the Nx compromise) highlight practical consequences. Effective defenses include automated SAST, security-aware system prompts, human code review, strict agent access controls, and developer training.

Gemini CLI Extensions: Security and Cloud Run Tools

🚀 Google is previewing two Gemini CLI extensions that bring security analysis and Cloud Run deployment directly into your terminal. The security extension introduces /security:analyze to scan local git diffs for issues such as hardcoded secrets, injection flaws, broken access control, and insecure data handling, and returns clear remediation guidance or optional fixes. The Cloud Run extension adds /deploy, a one-command flow to build, containerize, push, and configure services on Cloud Run, returning a public URL and supporting terminal, VS Code agent mode, and Cloud Shell.