
I Built a SAST Scanner from Scratch and Ran It Against 4 Famous Vulnerable Apps — Here's What It Found
Static Application Security Testing (SAST) tools are a staple of any mature AppSec programme. Tools like Semgrep, Bandit, and SonarQube are used daily by security engineers to catch vulnerabilities before code ships to production. But how do they actually work under the hood? As part of my transition from 13 years of software engineering into application security, I built my own SAST scanner from scratch in Python and ran it against four of the most well-known intentionally vulnerable applications in the OWASP ecosystem. This post covers what I built, how I tested it, and what the results tell us about real-world vulnerability patterns.

What I Built

The tool is a language-agnostic, regex-based static analysis scanner with a YAML-driven rule engine. The core design decisions were:

YAML rules over hardcoded logic. Every detection is a YAML file — no code changes required to add new vulnerability patterns. This mirrors how production tools like Semgrep work, and means a security team coul
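To make the "YAML rule, regex engine" design concrete, here is an added example of a minimal scanner in that style. It is not the author's code: the rule keys (id, severity, message, pattern), the `# nosast` suppression marker, the tiny flat-YAML loader that stands in for PyYAML, and the sample source are all constructed for this illustration.

```python
import re

# Two rules in the flat "key: value" YAML subset the loader below understands.
# Rule format, rules and sample source are constructed for this example.
RULES_YAML = [
    r"""
id: py-subprocess-shell
severity: high
message: subprocess called with shell=True; untrusted input becomes a shell command
pattern: subprocess\.(call|run|Popen)\(.*shell\s*=\s*True
""",
    r"""
id: py-eval
severity: medium
message: eval() on a runtime value executes arbitrary code
pattern: \beval\(
""",
]

def load_rule(text):
    """Minimal loader for flat 'key: value' YAML (stands in for a real YAML library)."""
    rule = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")      # split on the first colon only
        rule[key.strip()] = value.strip().strip("'\"")
    rule["regex"] = re.compile(rule["pattern"])  # compile once, reuse per line
    return rule

def scan(source, rules):
    """Run every rule's regex over each source line; return a list of findings."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if "# nosast" in line:                   # inline suppression, like Bandit's # nosec
            continue
        for rule in rules:
            if rule["regex"].search(line):
                findings.append({"rule": rule["id"], "severity": rule["severity"],
                                 "line": lineno, "code": line.strip()})
    return findings

SAMPLE_SOURCE = '''
import subprocess
def ping(host):
    return subprocess.run("ping -c1 " + host, shell=True)   # flagged: shell=True
def ping_safe(host):
    return subprocess.run(["ping", "-c1", host])            # argv list, no shell: clean
def calc(expr):
    return eval(expr)                                        # flagged: eval()
x = eval("1+1")  # nosast
'''

RULES = [load_rule(text) for text in RULES_YAML]

def demo():
    """Scan the constructed sample; expect the shell=True call and the eval() call."""
    return scan(SAMPLE_SOURCE, RULES)
```

Line-based regex matching is exactly why such scanners are fast but noisy: a `shell=True` split across two lines is missed, and a regex cannot tell whether `host` is user-controlled, which is the gap that taint-tracking tools close.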




