This report examines the synergy between Large Language Models (LLMs) and Static Application Security Testing (SAST) to improve vulnerability discovery. Traditional SAST tools, while effective for proactive security, are limited by high false-positive rates and a lack of contextual understanding. Conversely, LLMs excel at code analysis and pattern recognition but can be prone to inconsistencies and hallucinations. By integrating these two technologies, a more intelligent and efficient system is created. This combination moves beyond mere vulnerability detection optimization, transforming security into a deeply integrated, contextual process that provides tangible benefits like improved triage, dynamic bug descriptions, bug validation via exploit generation and enhanced analysis of complex codebases. The result is a more effective security approach that leverages the strengths of both technologies while mitigating their weaknesses. SAST-Genius reduced false positives by about 91 % (225 to 20) compared to Semgrep alone.

翻译：本报告探讨了大型语言模型（LLMs）与静态应用安全测试（SAST）之间的协同作用，以改进漏洞发现。传统SAST工具虽然在主动安全方面有效，但受限于高误报率和缺乏上下文理解。相反，LLMs擅长代码分析和模式识别，但可能存在不一致性和幻觉问题。通过整合这两种技术，创建了一个更智能、更高效的系统。这种结合超越了单纯的漏洞检测优化，将安全转化为一个深度集成、上下文感知的过程，提供了切实的益处，如改进的漏洞分类、动态漏洞描述、通过漏洞利用生成进行漏洞验证，以及增强对复杂代码库的分析。其结果是一种更有效的安全方法，充分利用了两种技术的优势，同时减轻了它们的弱点。与单独使用Semgrep相比，SAST-Genius将误报率降低了约91%（从225降至20）。