Introducing our open source AI-native SAST
Datadog has released an open source SAST tool that uses AI models to find security vulnerabilities. The interesting part is not that it uses AI; it is how it goes after the problem that makes traditional SAST tools frustrating in practice: a false positive rate high enough that teams learn to ignore the tool or disable it entirely.
Traditional SAST tools operate on rule-based pattern matching plus control-flow and data-flow analysis. They are deterministic, which sounds good until you realize that a rule fires on every construct that matches it, with no judgment about whether attacker-controlled input can actually reach that code. You end up with hundreds of warnings about SQL injection in string concatenation that only ever feeds a log line, or XSS in templates whose input was already encoded three layers up the call stack. Teams either spend hours triaging noise or turn the sensitivity down so far that they miss real issues.
The AI-native approach uses language models trained on vulnerability patterns to understand semantic context, not just syntax. When the tool sees a database query built from user input, it can trace back through the code to determine whether that input was actually parameterized or validated before it reached the query, even when that happens nowhere near the query itself. This matters because real codebases have abstraction layers: input validation often lives in middleware, framework code or utility functions that a traditional SAST engine cannot reason about unless you configure each one as a sanitizer by hand.
The practical difference shows up in two places. First, detection coverage improves for vulnerability classes that require understanding business logic. Path traversal bugs, for instance, usually depend on whether a file path gets normalized and then confined to a base directory or checked against an allowlist. Pattern-based tools either miss these or flag every filesystem operation that touches user input. A model that can follow the data flow through the normalization function makes a more informed determination.
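The path traversal case above, and the point from the previous paragraph that the validation often lives in a helper far from the dangerous call, as an added illustration in Python (not code from Datadog or from the tool discussed here; the names `resolve_under_base`, `serve_path_*`, `is_allowed` and the `/srv/app/public` document root are hypothetical, and the request paths at the bottom are constructed for the example):

```python
"""Path traversal: a naive filesystem operation beside a hardened one.

Added illustration, not code from Datadog or from the tool described
above. Names (resolve_under_base, serve_path_*, BASE_DIR) are hypothetical;
the sample request paths at the bottom are constructed for this example.
"""
import os
from pathlib import Path

# Hypothetical document root for a static-file endpoint.
BASE_DIR = Path("/srv/app/public")


def resolve_under_base(base: Path, user_path: str) -> Path:
    """Normalize user_path and require the result to stay inside base.

    This lives in its own helper, the way real codebases push validation
    into utility modules. A rule that looks only at the open() call site
    sees user input reaching the filesystem and fires; following the data
    flow into this function shows the check that makes it safe.
    """
    root = base.resolve()
    # Path.resolve() collapses '..' segments and follows any symlinks that
    # exist, so the containment check below runs on the real target.
    candidate = (root / user_path).resolve()
    try:
        # relative_to() compares whole path components, so a sibling such
        # as /srv/app/public_old is rejected even though its string
        # starts with the base path.
        candidate.relative_to(root)
    except ValueError:
        # Absolute input, '..' escape, or a symlink pointing outside root.
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    return candidate


def serve_path_vulnerable(base: Path, user_path: str) -> Path:
    """The classic bug: user input joined into a path with no check.

    '/etc/passwd' replaces base outright, and '../../../etc/passwd' walks
    out of it once the OS normalizes the path.
    """
    return base / user_path


def serve_path_hardened(base: Path, user_path: str) -> Path:
    """Same call site, but the path goes through the helper first."""
    return resolve_under_base(base, user_path)


def is_allowed(user_path: str, base: Path = BASE_DIR) -> bool:
    """True if the hardened version would serve the request."""
    try:
        serve_path_hardened(base, user_path)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed requests: the third contains '..' yet stays inside base,
    # which is exactly the case a '..'-keyed pattern rule gets wrong.
    for req in ("css/site.css", "../../../etc/passwd", "css/../index.html",
                "/etc/passwd", "../public_old/index.html"):
        naive = os.path.normpath(str(serve_path_vulnerable(BASE_DIR, req)))
        print(f"{req!r:28} naive -> {naive:32} hardened -> {is_allowed(req)}")
```

The `css/../index.html` request is the interesting one: a rule keyed on `..` in a path flags it, but after normalization it resolves to a file inside the document root and the hardened version serves it. The reverse case, `../public_old/index.html`, is why the check is component-based rather than a string prefix comparison.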
Second, and more importantly for day-to-day operations, the false positive rate drops enough that you can actually run this in CI without developers learning to ignore it. Datadog claims a significant reduction in false positives compared to traditional tools, though the exact numbers will vary by codebase. The key question is whether the signal-to-noise ratio crosses the threshold at which engineers actually investigate findings instead of clicking through them.
Being open source changes the calculus for adoption. You can run it locally or in your CI pipeline without sending code to external services, which matters for regulated environments or proprietary codebases; check, though, whether the model itself runs locally or whether the tool calls a hosted inference API, because an open source wrapper around a remote model still ships your source off-site. You can also inspect what it is actually doing and tune it for your own patterns. If your team has internal security libraries, you can potentially teach the tool about them rather than maintaining complex configuration files.
The obvious question is accuracy and consistency. AI models are probabilistic, which means they might miss something one day and catch it the next, or behave differently on similar code patterns. This is a legitimate concern for security tooling, where determinism has value. The mitigation is to measure rather than hope: keep a small set of known-vulnerable samples in the repository, pin the model version where the tool allows it, and check that each upgrade still finds every sample. The tradeoff then is whether you prefer consistent but noisy results or more accurate but potentially variable ones. For most teams drowning in false positives, variable but accurate is the better choice.
The tool is worth evaluating if you have given up on SAST because of noise, or if you only run it occasionally because the signal quality does not justify the CI time. Start with a subset of your codebase, run both tools over the same commit, and compare the findings against your existing tool to calibrate expectations before rolling it out broadly: whatever the new tool drops and whatever it adds each needs a human verdict, since a dropped finding is either removed noise or a missed bug.
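One way to do that side-by-side comparison, as an added example that is not code from Datadog or from the tool described here: it assumes both tools can export SARIF 2.1.0 (most SAST tools can, but check yours), matches findings by file and line rather than by rule ID, and works on two constructed SARIF documents built inline; the helper names (`make_sarif`, `load_findings`, `compare`, `calibrate`) and the sample file paths are hypothetical.

```python
"""Side-by-side calibration of two SAST tools over the same commit.

Added example, not code from Datadog or from the tool described above.
It assumes both tools can export SARIF 2.1.0 (check yours). The two
documents below are constructed for illustration; a real run would
json.load() the files each tool wrote.
"""
import json
from collections import defaultdict


def make_sarif(tool_name: str, hits: list[tuple[str, str, int]]) -> dict:
    """Build a minimal SARIF 2.1.0 document from (ruleId, file, line) tuples.

    Only used here to construct sample input; real tools write this shape
    (plus a great deal more) themselves.
    """
    return {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name}},
            "results": [{
                "ruleId": rule,
                "level": "warning",
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": uri},
                    "region": {"startLine": line},
                }}],
            } for rule, uri, line in hits],
        }],
    }


# Constructed sample output: the incumbent tool flags four sites, two of
# which are the kind of noise the article describes (a log line and a
# path that is validated elsewhere); the new tool flags three.
EXISTING_TOOL = make_sarif("legacy-sast", [
    ("sql-injection", "src/db.py", 42),
    ("sql-injection", "src/db.py", 58),      # string concat feeding a log line
    ("path-traversal", "src/files.py", 17),
    ("path-traversal", "src/files.py", 90),  # normalized three calls up
])
NEW_TOOL = make_sarif("ai-sast", [
    ("CWE-89", "./src/db.py", 43),           # same bug, anchored one line off
    ("CWE-22", "./src/files.py", 17),
    ("CWE-287", "./src/auth.py", 120),       # something the old tool missed
])


def load_findings(sarif: dict) -> set[tuple[str, int]]:
    """Flatten a SARIF document into (file, startLine) pairs.

    Rule IDs are dropped on purpose: tools name the same bug class
    differently, so location is the only usable join key.
    """
    found = set()
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri")
                line = phys.get("region", {}).get("startLine")
                if uri and line:
                    found.add((uri.removeprefix("./"), int(line)))
    return found


def compare(a: set, b: set, tolerance: int = 2) -> dict:
    """Pair findings in the same file whose lines differ by at most
    `tolerance`, since one tool may anchor on the source and another on
    the sink. Returns what both saw and what only one of them saw.
    """
    by_file_b = defaultdict(list)
    for f, ln in b:
        by_file_b[f].append(ln)
    matched_a, matched_b = set(), set()
    for f, ln in sorted(a):
        for ln_b in sorted(by_file_b[f]):
            if abs(ln - ln_b) <= tolerance and (f, ln_b) not in matched_b:
                matched_a.add((f, ln))
                matched_b.add((f, ln_b))
                break
    return {
        "both": sorted(matched_a),
        "only_existing": sorted(a - matched_a),
        "only_new": sorted(b - matched_b),
    }


def calibrate(existing: dict, new: dict, tolerance: int = 2) -> dict:
    """Full pipeline: two SARIF documents in, disagreement report out."""
    return compare(load_findings(existing), load_findings(new), tolerance)


if __name__ == "__main__":
    report = calibrate(EXISTING_TOOL, NEW_TOOL)
    # Everything in the two "only_" buckets needs a human verdict: a
    # dropped finding is either removed noise or a missed bug, and a new
    # one is either a real catch or a new false positive.
    print(json.dumps(report, indent=2))
```

The line tolerance is the one knob worth tuning: set it to 0 and the two `src/db.py` findings stop matching even though they are the same bug, because one tool reports the concatenation and the other the `execute()` call. The report deliberately says nothing about which tool is right; the `only_existing` and `only_new` buckets are the triage queue, and the ratio of true to false positives you find there is the number that decides whether the new tool earns a place in CI.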