The great SAST dissonance: how to please every audience, at scale
Claudio Merloni, Romain Gaucher
BSidesSF 2026 · Day 2 · AMC Theatre 10
Claudio Merloni, a Staff Security Researcher at Semgrep, delivered a compelling talk at BSides SF, dissecting the pervasive challenge of achieving comprehensive Static Application Security Testing (SAST) coverage in modern, diverse software environments. Titled "The great SAST dissonance: how to please every audience, at scale," Merloni's presentation illuminated the inherent conflict between the vast, ever-evolving landscape of software libraries and frameworks and the practical limits of manually developing and maintaining SAST rules. He argued that traditional approaches to SAST rule creation are fundamentally unscalable, leaving significant gaps in vulnerability detection, particularly within the "long tail" of less popular but equally critical libraries and proprietary code.
AI review
Semgrep researchers present a real engineering problem — SAST coverage gaps across the long tail of library dependencies — and back it with actual customer data (80k repos, 7k unique deps) before walking through their AI-assisted pipeline to address it. The problem framing is honest and the solution is concrete, but this is ultimately a product research talk from a vendor about their own tooling, and it doesn't transcend that constraint.