SAST / DAST / SBOM
Static code analysis (15+ languages), dynamic application testing with ZAP, and software bill of materials generation with CVE matching.
Prerequisites
- Source code repository path or ZIP upload
- Language(s) identified: Python, JS, Java, Go, C/C++, Rust, Ruby, .NET, Swift, Kotlin, COBOL, Solidity, etc.
- For DAST: running target URL accessible from the PhantomYerra machine
- For SBOM: lock files or package manifests (requirements.txt, package.json, pom.xml, etc.)
Step 1: Select SAST / DAST / SBOM from Home Screen
Click 🔍 SAST / DAST / SBOM. Select which analyses to run: SAST only, DAST only, SBOM only, or all three.
Step 2: Provide Source Code
Upload a ZIP of your source code or enter a local path. PhantomYerra auto-detects languages and selects the appropriate SAST tools.
Auto-detected language → SAST tool mapping:
- Python → Bandit + Semgrep python ruleset
- JavaScript → ESLint security + Semgrep JS/TS
- Java → SpotBugs + Find Security Bugs + Semgrep
- C / C++ → cppcheck + Semgrep C/C++ + Flawfinder
- Go → gosec + Semgrep Go
- Rust → cargo-audit + Semgrep Rust
- .NET / C# → Semgrep C# + Security Code Scan
- Ruby → Brakeman + Semgrep Ruby
- Solidity → Slither + Mythril (smart contracts)
- COBOL → Semgrep COBOL patterns
- IaC → Checkov (Terraform/CloudFormation/K8s)
Step 3: Claude Runs SAST + SBOM + DAST Pipeline
SAST Phase:
- Run all relevant static analyzers
- Deduplicate and correlate findings across tools
- AI triage: remove false positives, add business context
- Generate SARIF report
SBOM Phase:
- Syft: generate CycloneDX / SPDX SBOM from all package manifests
- Grype: match components against CVE databases
- License audit: identify GPL, LGPL, AGPL conflicts
- Export: CycloneDX JSON, SPDX 2.3, CSV
DAST Phase (if URL provided):
- ZAP full active scan
- Custom form fuzzer for XSS, SQLi, SSRF
- OpenAPI spec testing if available
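The SAST phase's "deduplicate and correlate findings across tools" step, as an added example that is not PhantomYerra's own code: two constructed SARIF 2.1.0 runs (one Bandit-style, one Semgrep-style) are merged by file and line, every tool and rule that hit the same location is kept, and corroborated high-severity findings are ranked first for triage. The paths, rule ids and messages in the sample are constructed.

```python
import json
from collections import defaultdict
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

def sarif_result(rule, level, text, uri, line):
    """Build a minimal SARIF 2.1.0 result object."""
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                                "region": {"startLine": line}}}]}

# Constructed sample: two SARIF runs from different tools over the same repo.
SARIF_RUNS = [
    {"tool": {"driver": {"name": "Bandit"}}, "results": [
        sarif_result("B608", "error", "Possible SQL injection via string formatting",
                     "app/db.py", 42),
        sarif_result("B101", "note", "Use of assert detected", "app/util.py", 7)]},
    {"tool": {"driver": {"name": "Semgrep"}}, "results": [
        sarif_result("python.lang.security.audit.formatted-sql-query", "warning",
                     "Detected formatted SQL query", "./app/db.py", 42)]},
]

def normalize_uri(uri):
    """Tools differ in path style; drop a leading './' so paths compare equal."""
    return uri[2:] if uri.startswith("./") else uri

def correlate(runs):
    """Merge results that hit the same file and line; keep every tool and rule."""
    groups = defaultdict(lambda: {"tools": set(), "rules": set(),
                                  "messages": [], "level": "none"})
    for run in runs:
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            key = (normalize_uri(loc["artifactLocation"]["uri"]), loc["region"]["startLine"])
            g = groups[key]
            g["tools"].add(tool)
            g["rules"].add(tool + ":" + res["ruleId"])
            g["messages"].append(res["message"]["text"])
            level = res.get("level", "none")
            if LEVEL_RANK[level] > LEVEL_RANK[g["level"]]:  # keep the most severe level
                g["level"] = level
    findings = [{"file": p, "line": n, "level": g["level"], "tools": sorted(g["tools"]),
                 "rules": sorted(g["rules"]), "corroborated": len(g["tools"]) > 1,
                 "messages": g["messages"]} for (p, n), g in groups.items()]
    # Findings several tools agree on, then the most severe, go to the top of the triage queue.
    findings.sort(key=lambda f: (f["corroborated"], LEVEL_RANK[f["level"]]), reverse=True)
    return findings

if __name__ == "__main__":
    print(json.dumps(correlate(SARIF_RUNS), indent=2))
```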
Step 4: Review and Export Results
The SAST page shows findings by severity and file. The SBOM page shows the component list with matched CVEs. Download the SBOM in CycloneDX, SPDX, or CSV format. Generate the combined security report from Reports → SAST/DAST/SBOM Report.
Common Issues
Verify the correct ruleset is applied for your language. Use semgrep --config=auto for automatic language detection. Check that the source directory path is correct and contains actual source files (not just compiled output). Run with --verbose to see which rules are being applied.
Syft needs package manifest files to be present: requirements.txt, package.json, go.sum, pom.xml, Cargo.lock, etc. If only scanning a binary, use syft [binary] for binary SBOM analysis. Ensure lock files are included in the uploaded directory.
Use severity and confidence filters: bandit -r ./src -lll -iii (high severity + high confidence only; each repeated -l or -i raises the minimum severity or confidence reported). Configure a .bandit config file to skip known false-positive patterns. PhantomYerra's AI triage layer reduces false positives automatically in Automated and Semi-Automated modes by analyzing the context around each finding.