SAST is not a silver bullet
The second problem with SAST is that it only detects the presence of vulnerabilities in an application it does nothing to determine if these vulnerabilities can be exploited by an attacker. This means that even though your application may have no vulnerable code, you could still be susceptible to attack via other methods (such as SQL injection or XML external entity attacks).
tl;dr: SAST doesnt tell you how exploitable a vulnerability is, just whether there are any present
https://t.co/zes6JbMtSs