SAST and SCA don’t compete — they complement each other. Each one covers exactly what the other can’t see: your code on one side; the third-party dependencies surrounding it on the other. Running only one is like installing an alarm on the front door and leaving the windows open.
What Is SAST
Static Application Security Testing analyzes your application’s source code without executing it. It looks for patterns that indicate vulnerabilities:
- SQL injections (
query = "SELECT * FROM users WHERE id = " + userId) - XSS in frontend templates
- Insecure deserialization
- Hardcoded credentials
- Dangerous data flows (taint analysis)
Gerion’s scanner uses Opengrep, the community-maintained fork of Semgrep. Opengrep has rules for Python, JavaScript, TypeScript, Go, Java, Ruby, and over 20 additional languages. Because it’s fully open source, you can audit the rules it runs and add custom ones for your internal coding standards.
The advantage of SAST is that it finds problems in your code — bugs that you or your team introduced, often tied to specific business logic that no generic CVE database could anticipate.
What Is SCA
Software Composition Analysis analyzes the third-party dependencies your project uses — everything in your package.json, requirements.txt, go.mod, or pom.xml.
It looks for:
- Dependencies with known CVEs
- Licenses incompatible with your business model
- Dependencies with no active maintenance
- Outdated versions with known vulnerabilities
Gerion uses OSV-Scanner, Google’s scanner that queries the OSV (Open Source Vulnerabilities) database — the most comprehensive and up-to-date in the ecosystem, covering packages from npm, PyPI, Go, Maven, Cargo, and many more.
The advantage of SCA is that 80% of a modern application’s code is third-party code. If you’re not analyzing it, you have a massive blind spot — and that blind spot is actively maintained by attackers who track CVE databases in real time.
The Coverage They Give Each Other
Neither SAST nor SCA covers the other’s territory:
| SAST | SCA | |
|---|---|---|
| Your code | ✓ | ✗ |
| Dependencies | ✗ | ✓ |
| Known CVEs | Partial | ✓ |
| Insecure logic | ✓ | ✗ |
| Licenses | ✗ | ✓ |
A concrete example: you have an authentication function with a SQL injection bug (SAST catches it) and you’re also using a version of jsonwebtoken with a signature verification CVE (SCA catches it). Each tool finds what the other can’t. Running both without unifying the results, however, creates a different problem.
The Finding Fatigue Problem
The biggest risk when combining SAST and SCA isn’t technical — it’s organizational. More findings, more noise, more things to ignore.
Gerion solves this in two ways:
Branch-based prioritization: findings on main, master, or release branches carry a 10× financial multiplier. A medium CVE in a production dependency has more real impact than a critical CVE on a feature branch that will never be deployed. Prioritizing by cost rather than CVSS score changes which findings get fixed first.
Normalization: SAST and SCA produce findings in completely different formats. Gerion normalizes them into a unified model with common fields (severity, location, suggested remediation, estimated financial impact), making it possible to prioritize them together in the same dashboard and export them in a consistent format.
How to Implement It in Your Pipeline
# GitHub Actions — example with Gerion CLI- name: Gerion Security Scan run: | docker run --rm -v "$PWD:/code" \ -e GERION_API_URL=${{ secrets.GERION_API_URL }} \ -e GERION_API_KEY=${{ secrets.GERION_API_KEY }} \ ghcr.io/gerion-appsec/gerion-cli:latest scan-all /codeWith a single command you get SAST (Opengrep) and SCA (OSV-Scanner) — plus Secrets (Gitleaks) and IaC (KICS) — running sequentially, normalized, with financial impact calculated. The CLI runs inside your CI runner. Your source code never leaves your infrastructure.
Reading the Results in Gerion
Once the CLI sends findings to the platform, the Security dashboard shows all findings unified and filterable: by scanner type, severity, branch, repository, and mitigation status. The Executive dashboard translates the same data into a Technical Debt figure, a Savings Realized chart, and a Security Health Grade.
The practical result: a SAST finding of a SQL injection in main/src/api/users.py (line 47) and an SCA finding of CVE-2024-45490 in libexpat 2.5.0 appear in the same list, both with an estimated remediation cost, both ranked by financial impact. Your next security sprint practically writes itself.