SAST is not a silver bullet

The second problem with SAST is that it only detects the presence of vulnerabilities in an application — it does nothing to determine if these vulnerabilities can be exploited by an attacker. This means that even though your application may have no vulnerable code, you could still be susceptible to attack via other methods (such as SQL injection or XML external entity attacks). 

tl;dr: SAST doesn’t tell you how exploitable a vulnerability is, just whether there are any present
https://t.co/zes6JbMtSs