Part 1 covered secret scanning with Gitleaks — catching credentials before they reach the repo. That's one layer. But credentials aren't the only problem in app.py. There's a SQL injection vulnerability, an eval() call that lets an attacker run arbitrary Python code, and debug mode left on. None of those are secrets, so Gitleaks won't flag them. That's what SAST is for.

Code repo: https://github.com/pkkht/devsecops-demo/

What SAST is

SAST stands for Static Application Security Testing. It analyses your source code without running it, looking for patterns that indicate security vulnerabilities. No server needed, no database, no HTTP requests — just the code itself.

The key difference from a linter: SAST is specifically looking for security issues, not style or correctness. It knows what SQL injection looks like. It knows which Python functions are dangerous. It knows that debug=True in a Flask app exposes the Werkzeug interactive debugger (a Python console served in the browser) to anyone who can reach it.…
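To make "analyses the code without running it" concrete, here is a toy SAST pass written for this post. It is an added illustration, not code from the devsecops-demo repo and not how a real scanner is implemented. It parses Python into an AST and flags the three patterns named above: eval()/exec() calls, a database execute() whose query is built by string formatting, and a Flask app.run(debug=True). The sample source it scans is constructed to resemble the vulnerable app.py described above; the rule names are invented for this example.

```python
"""Toy SAST pass: parse Python source and flag three vulnerability patterns.

Added illustration for this post. Nothing in the scanned file is executed;
ast.parse only builds a syntax tree, so Flask does not even need to be
installed for the scan to run.
"""
import ast

# Constructed sample resembling the vulnerable app.py discussed in the post.
# It is NOT the repo's actual app.py.
SAMPLE_SOURCE = '''
import sqlite3
from flask import Flask, request

app = Flask(__name__)

@app.route("/user")
def user():
    conn = sqlite3.connect("app.db")
    name = request.args.get("name")
    # SQL built by string formatting: injectable
    rows = conn.execute("SELECT * FROM users WHERE name = '%s'" % name).fetchall()
    return str(rows)

@app.route("/calc")
def calc():
    # eval on user input: arbitrary code execution
    return str(eval(request.args.get("expr")))

@app.route("/safe")
def safe():
    conn = sqlite3.connect("app.db")
    rows = conn.execute("SELECT * FROM users WHERE id = ?", (request.args.get("id"),)).fetchall()
    return str(rows)

if __name__ == "__main__":
    app.run(debug=True)
'''


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime: %, +, f-string, .format()."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format":
        return True
    return False


class Finder(ast.NodeVisitor):
    """Collects (line, rule_id, message) for every call node that matches a rule."""

    def __init__(self) -> None:
        self.findings: list[tuple[int, str, str]] = []

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        # Rule "eval-call": eval()/exec() anywhere in the file.
        if isinstance(func, ast.Name) and func.id in {"eval", "exec"}:
            self.findings.append((node.lineno, "eval-call", f"use of {func.id}()"))
        # Rule "sql-string-format": execute()/executemany() whose first argument
        # is assembled at runtime instead of being a literal with placeholders.
        if isinstance(func, ast.Attribute) and func.attr in {"execute", "executemany"} and node.args:
            if _is_dynamic_string(node.args[0]):
                self.findings.append((node.lineno, "sql-string-format", "SQL query built by string formatting"))
        # Rule "flask-debug-true": .run(debug=True) exposes the Werkzeug debugger.
        if isinstance(func, ast.Attribute) and func.attr == "run":
            for kw in node.keywords:
                if kw.arg == "debug" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append((node.lineno, "flask-debug-true", "Flask app run with debug=True"))
        self.generic_visit(node)  # keep walking into nested calls, e.g. str(eval(...))


def scan(source: str) -> list[tuple[int, str, str]]:
    """Parse `source` and return findings sorted by line number."""
    finder = Finder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


if __name__ == "__main__":
    for line, rule, msg in scan(SAMPLE_SOURCE):
        print(f"line {line}: {rule}: {msg}")
```

Note what the toy deliberately gets wrong: if the query were assigned to a variable first (q = "..." % name, then conn.execute(q)) this check would miss it, because it only inspects the literal argument. Real SAST tools track data flow from sources like request.args to sinks like execute(), which is the main thing separating them from a grep with a rule list.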