Datadog has open sourced an AI-native Static Application Security Testing (SAST) tool that uses LLMs to detect code vulnerabilities with greater accuracy than traditional rule-based scanners. The tool works in four steps: heuristic-based identification of the files worth analyzing, retrieval of the context those files depend on, LLM-based analysis, and post-processing that filters false positives. To keep LLM cost under control, it performs a full scan once at onboarding and afterwards rescans a file only when its content or its context changes. Evaluated on the OWASP Benchmark, the AI-native approach clearly outperforms traditional SAST on context-dependent vulnerability classes such as SQL injection (86% vs 63% true positive rate) and command injection (90% vs 59%). The code is available on GitHub, though incremental analysis requires a Datadog subscription. Future plans include exploring agentic scanning techniques for deeper contextual reasoning.
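The incremental rescan policy described above (full scan at onboarding, then rescan only on content or context change) is the piece a practitioner is most likely to reimplement. The following is an added example and not Datadog's code: it fingerprints each candidate file by hashing its own content together with the content of the files it imports, so an edit to a dependency also invalidates the files that depend on it. The `candidate_files` heuristic (Python sources outside test and vendored directories), the one-hop import-based context model, and the sample repository are assumptions made for the illustration.

```python
# Added example (not Datadog's code): a minimal incremental-rescan scheduler.
# A file's fingerprint covers its own content plus the content of the files it
# imports (one hop), so it is rescanned when either its content or its context changes.
import hashlib
import re
from typing import Dict, Set, Tuple

# Heuristic file identification (assumption for this example): only Python
# sources outside test and vendored directories are candidates for analysis.
SKIP_DIRS = ("tests/", "vendor/", "node_modules/")


def candidate_files(repo: Dict[str, str]) -> Set[str]:
    """Select the files worth sending to the expensive analysis stage."""
    return {p for p in repo if p.endswith(".py") and not p.startswith(SKIP_DIRS)}


# Matches 'from a.b import x' (group 1) and 'import a.b' (group 2) at line start.
IMPORT_RE = re.compile(r"^\s*(?:from\s+([\w.]+)\s+import|import\s+([\w.]+))", re.MULTILINE)


def context_of(path: str, repo: Dict[str, str]) -> Set[str]:
    """One-hop context: repo files that `path` imports (dotted module -> file path)."""
    deps: Set[str] = set()
    for m in IMPORT_RE.finditer(repo[path]):
        module = m.group(1) or m.group(2)
        candidate = module.replace(".", "/") + ".py"
        if candidate in repo and candidate != path:
            deps.add(candidate)
    return deps


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def fingerprint(path: str, repo: Dict[str, str]) -> str:
    """Hash of the file's content plus the path and content of every context file."""
    h = hashlib.sha256()
    h.update(_sha256(repo[path]).encode())
    for dep in sorted(context_of(path, repo)):  # sorted for a stable fingerprint
        h.update(dep.encode())
        h.update(_sha256(repo[dep]).encode())
    return h.hexdigest()


def plan_scan(repo: Dict[str, str], previous: Dict[str, str]) -> Tuple[Set[str], Dict[str, str]]:
    """Return (files to rescan, fingerprint store to persist for the next run).

    An empty `previous` store means onboarding: every candidate file is scanned.
    """
    current = {p: fingerprint(p, repo) for p in candidate_files(repo)}
    to_scan = {p for p, fp in current.items() if previous.get(p) != fp}
    return to_scan, current


# Constructed sample repository (not a real project), keyed by path.
REPO_V1 = {
    "app/handlers.py": "from app.db import query\n\ndef show(user):\n    return query(user)\n",
    "app/db.py": "def query(user):\n    return \"SELECT * FROM users WHERE name = ?\", (user,)\n",
    "app/util.py": "def slug(s):\n    return s.lower()\n",
    "tests/test_db.py": "from app.db import query\n",
    "vendor/lib.py": "x = 1\n",
}


def demo() -> Tuple[Set[str], Set[str]]:
    """Onboarding scan, then an edit to app/db.py that also invalidates app/handlers.py."""
    full, store = plan_scan(REPO_V1, {})
    repo_v2 = dict(REPO_V1)
    # The edit turns the parameterized query into string concatenation; handlers.py
    # is unchanged, but its context changed, so it must be re-analyzed as well.
    repo_v2["app/db.py"] = (
        "def query(user):\n    return \"SELECT * FROM users WHERE name = '\" + user + \"'\"\n"
    )
    incremental, _ = plan_scan(repo_v2, store)
    return full, incremental


if __name__ == "__main__":
    full, incremental = demo()
    print("onboarding scan:", sorted(full))
    print("after editing app/db.py:", sorted(incremental))
```

In the sample run the onboarding pass scans the three application files, while the follow-up pass scans only `app/db.py` and `app/handlers.py`; `app/util.py` is skipped because neither its content nor its context changed. A production version would persist the fingerprint store alongside the scan results and use a deeper context model than one-hop imports.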

From datadoghq.com (6 min read)
Table of contents of the original post:
- What is AI-native SAST?
- How does Datadog’s AI-native SAST feature work?
- Fine-tuned performance
- Evaluating accuracy against the OWASP Benchmark
- Why open source it?
- The future of AI-enhanced SAST at Datadog
