WAFs don't work well with APIs either
Web Application Firewalls (WAFs) are another common tool used by AppSec teams to protect web applications from external attack. They suffer from the same problem as SAST tools: they were not designed for use with APIs. WAFs typically inspect HTTP requests and responses looking for patterns of attacks such as SQL injection or cross-site scripting (XSS). Unfortunately, this approach doesn't work very well with APIs, since most modern frameworks do a good job of protecting against these types of attacks at the framework level.
https://t.co/zes6JbuT0U
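The overlap described above, as an added example that is not part of the original page: a simplified pattern inspector in the style of WAF signatures runs next to a handler that uses bound SQL parameters and output escaping, the protections frameworks apply by default. The signatures, sample inputs and function names are constructed for illustration and are not a real WAF rule set.

```python
import html
import re
import sqlite3

# Constructed, simplified signatures in the style of WAF pattern rules.
SIGNATURES = {
    "sqli": re.compile(r"['\"]\s*(?:or|and)\s+.+=|union\s+select|;\s*drop\s+table", re.I),
    "xss": re.compile(r"<\s*script\b|\bon\w+\s*=|javascript:", re.I),
}

def waf_inspect(value):
    """Return the names of the signatures that match a request value."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(value))

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

def lookup_user(db, name):
    """Data access as a framework or ORM issues it: the value is a bound
    parameter, so it is compared as data and never parsed as SQL."""
    return db.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()

def render_greeting(name):
    """Stand-in for template auto-escaping: markup characters are encoded."""
    return "<p>Hello, " + html.escape(name) + "</p>"

def handle(db, name):
    """Process one request value; report what the pattern inspector saw
    and what the framework-level code actually did with the value."""
    return {"waf_hits": waf_inspect(name),
            "rows": lookup_user(db, name),
            "html": render_greeting(name)}

# Constructed sample request values: one benign, two matching classic signatures.
SAMPLE_INPUTS = ["alice", "' OR '1'='1", "<script>alert(1)</script>"]

if __name__ == "__main__":
    db = make_db()
    for value in SAMPLE_INPUTS:
        print(repr(value), handle(db, value))
```

For both flagged inputs the query returns no rows and the rendered HTML contains no live markup, so the signature match reports a request the framework-level code had already neutralized.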