//Question

What is the difference between SAST and DAST in GitLab?

Posted on 21st August, 2024

Archer

//Answer

In GitLab, Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) serve different purposes in securing applications.

SAST scans the application's source code, binary files, and configuration before it runs. It identifies vulnerabilities such as insecure coding practices or potential security issues at the code level during development. GitLab's SAST is integrated into the CI/CD pipeline, helping developers catch vulnerabilities early in the coding process before the application is deployed.

DAST, in contrast, tests the application while it is running. It simulates the external, black-box attacks a real attacker would attempt against the deployed application in order to find vulnerabilities such as cross-site scripting (XSS) or SQL injection. GitLab's DAST also integrates into the CI/CD pipeline, but it needs a running instance of the application to target (for example a review app or a staging deployment), and it probes that instance from the outside at runtime rather than inspecting the code.

In essence, SAST secures the code during development, while DAST tests the running application. The two are complementary: each finds classes of issues the other cannot see.
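To make the pipeline-integration point concrete, here is an added example of a minimal `.gitlab-ci.yml` that runs both GitLab templates in one pipeline. It is not code from the original answer or from GitLab's documentation. It assumes a hypothetical `deploy_review` job (and a placeholder `./scripts/deploy-review.sh`) that stands up the application at the placeholder URL in `DAST_WEBSITE`; the template names and the `SAST_EXCLUDED_PATHS`, `DAST_WEBSITE` variables are GitLab's own.

```yaml
# Added example, not from the original page: SAST and DAST in one GitLab pipeline.
# Assumptions: `deploy_review` and `./scripts/deploy-review.sh` are hypothetical,
# and https://review.example.internal is a placeholder for the running target.

stages:
  - build
  - test      # the SAST template's jobs run here, against the source tree only
  - deploy    # something must be running before DAST has anything to attack
  - dast      # the DAST template's job runs in this stage, so the stage must exist

include:
  - template: Security/SAST.gitlab-ci.yml   # static: analyzers chosen from detected languages
  - template: Security/DAST.gitlab-ci.yml   # dynamic: scans a live URL from the outside

variables:
  # SAST: skip test and vendored code so findings point at code the team owns
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"
  # DAST: the running application to probe (placeholder URL, assumption)
  DAST_WEBSITE: "https://review.example.internal"

# Hypothetical deploy job: brings up the instance the DAST job will target.
deploy_review:
  stage: deploy
  script:
    - ./scripts/deploy-review.sh   # placeholder; replace with the project's own deploy step
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    url: https://review.example.internal
```

The ordering is the practical difference between the two scanners: SAST runs in `test` with nothing deployed, because it only reads the repository, whereas the `dast` job cannot run until the `deploy` stage has produced a reachable target. If `DAST_WEBSITE` points at nothing (or at a host the runner cannot reach), the DAST job has nothing to test and produces no useful findings. Both scanners write their results as JSON report artifacts (`gl-sast-report.json` and `gl-dast-report.json`) that GitLab surfaces in the merge request; DAST, unlike the basic SAST analyzers, requires an Ultimate licence to run.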
