# SAST (Application Code Scanning)

## StellaOps implementation

- No first-party SAST engine; the platform focuses on deterministic SBOM, vulnerability ingestion, and policy evaluation rather than static code analysis.

## Trivy implementation

- Trivy does not ship a SAST analyzer; scanning targets container images, filesystems, SBOMs, and misconfiguration/secret detection only.

## Grype implementation

- Grype is limited to SBOM-driven vulnerability matching; static code analysis is out of scope.

## Snyk implementation

- The CLI routes SAST requests through Snyk Code (`snyk code test`), leveraging the SAST plugin stack under `src/lib/plugins/sast` and emitting SARIF/JSON outputs.[s1]
- Code is uploaded to Snyk's SaaS backend for analysis, producing issue listings, severities, and remediation guidance; offline execution is unsupported.[s2]

## Key differences

- Only Snyk provides integrated SAST capabilities via Snyk Code; StellaOps, Trivy, and Grype would require external tooling for static analysis.

### References

- [s1] `/tmp/snyk-cli/src/lib/plugins/sast`
- [s2] `/tmp/snyk-cli/README.md`
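Since Snyk Code is the only tool above that emits SAST results, the practical question is how to consume its SARIF in a pipeline. The following is an added example (not code from the Snyk CLI or any project listed here) that flattens the SARIF results, counts them per level, and returns the findings at or above a severity threshold so a CI job can fail on them. The `--sarif` invocation, the rule ids, file paths and the error/warning/note-to-severity mapping are assumptions.

```python
"""Consume the SARIF from `snyk code test --sarif`, summarise it and gate CI on it.
Constructed example, not code from the Snyk CLI."""
import json
from collections import Counter

# SARIF "level" ranked for thresholding; mapping Snyk Code high/medium/low onto
# error/warning/note is an assumption, not something this page documents.
LEVEL_RANK = {"error": 3, "warning": 2, "note": 1, "none": 0}

def load_findings(sarif_text):
    """Flatten every result of every run into plain dicts with location info."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "level": res.get("level", "warning"),
                "rule": res.get("ruleId", "unknown"),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
                "message": res.get("message", {}).get("text", "")})
    return findings

def count_by_level(findings):
    """Counts per SARIF level, e.g. {'error': 1, 'warning': 1, 'note': 1}."""
    return dict(Counter(f["level"] for f in findings))

def gate(findings, threshold="error"):
    """Findings at or above threshold, worst first; CI should fail when non-empty."""
    hits = [f for f in findings if LEVEL_RANK.get(f["level"], 0) >= LEVEL_RANK[threshold]]
    return sorted(hits, key=lambda f: (-LEVEL_RANK.get(f["level"], 0), f["file"], f["line"]))

def _result(rule, level, text, uri, line):
    """Build one SARIF result for the constructed sample below."""
    return {"ruleId": rule, "level": level, "message": {"text": text}, "locations": [
        {"physicalLocation": {"artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}

# Constructed SARIF in the shape Snyk Code emits; rule ids, paths and lines are made up.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "SnykCode"}}, "results": [
    _result("javascript/Sqli", "error", "Unsanitized input flows into a SQL query", "src/db.js", 42),
    _result("javascript/HardcodedSecret", "warning", "Hardcoded credential", "src/config.js", 7),
    _result("javascript/NoRateLimiting", "note", "Endpoint has no rate limiting", "src/app.js", 18)]}]})

if __name__ == "__main__":
    # Real use: `snyk code test --sarif > snyk-code.sarif`, then read that file instead of SAMPLE_SARIF.
    found = load_findings(SAMPLE_SARIF)
    print(count_by_level(found))
    for f in gate(found):
        print(f"{f['level']:8} {f['rule']:28} {f['file']}:{f['line']}  {f['message']}")
    raise SystemExit(1 if gate(found) else 0)
```

Because analysis runs in Snyk's SaaS backend, this only post-processes the report; the gate itself adds no offline scanning capability.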