SOOS SAST is a static application security testing tool that integrates into CI/CD pipelines and consolidates findings from multiple SAST engines into a single platform. The tool runs SAST scans via a Docker agent using engines such as Semgrep, Opengrep, and Gitleaks, as well as rule-based scanners. It also supports ingestion of SARIF-format results from external tools, and can pull findings directly from SonarQube with a single command. Results from SOOS SAST are presented alongside findings from SOOS's other modules — SCA, DAST, SBOM Management, Malware Detection, and Container scanning — in a unified dashboard. Users can search, filter, triage, assign, and report across repositories and pipelines. Key operational features include: - Full scan history with timestamped records of every scan, finding, and change for audit and compliance purposes - SLA tracking by severity and application, with due date monitoring and exception logging - Attestation support, allowing users to provide justifications for issues and export them in multiple formats - Issue management with ticket creation and closure in Jira, GitHub, Azure DevOps, and Shortcut - Policy-based PR/build gating to block code that violates severity or rule thresholds - CI/CD-native operation via Docker agent across GitHub Actions, GitLab, Jenkins, CircleCI, Azure DevOps, and other platforms SOOS SAST is designed for teams that want to centralize SAST results — whether generated by SOOS or imported from third-party tools — without replacing existing tooling.