fossabot for SAST Security Review
fossabot reviews the code changed in a pull request for security issues, posting a summary comment and inline findings, and can block merges with a pre-merge check.
Overview
fossabot is an AI agent for code maintenance, including Static Application Security Testing (SAST). It reviews the code changed in a pull or merge request and reports the security issues it finds.
Before relying on SAST review, check Supported Ecosystems & Tools to confirm your programming languages are covered.
SAST review in pull requests
fossabot runs its SAST review against the files changed in a pull or merge request. Findings and recommendations appear in two places:
- A summary comment on the request.
- An inline comment on the relevant line, when fossabot can attribute the finding to a specific location.
Most teams run SAST review on every code change before it merges.


Block issues with a pre-merge check
You can enforce SAST review as a pre-merge check. This cuts down on noise: when there are no findings, the pull request simply gets a green check mark. When there are findings, the check reports them.
It is optional whether the check blocks the merge. Make it blocking when you want SAST findings to gate merges, or leave it non-blocking when you want the signal without the gate.
