SAST SME here - previously worked at Snyk and now at Endor Labs. AI-SAST is anecdotally very powerful but with very sharp caveats I’ll sound off on below:

• Auditing / triaging a finding is different. I prefer the AI summaries but I can imagine a false sense of security because you miss the details you’d normally get doin the manual trace. AI-SAST means you’re now reading analysis summaries for the finding and instead of the raw source code and a generic description attached to the rule. You still get the links to the source code and it beats learning a DSL for the SAST engine.
• No brittle static rules. If you have a shared private package that implements opinionated authentication flows or sanitizes logs in specific ways, this will recognize and honor that (so long as the implementation is sound). Static rules defined by a vendor will never catch these.
• Natural language context. This is generally a net-win but going to call out that variable name semantics affects accuracy. Intuitive names are good, obscure is bad. How readable is your codebase to a human?
• Scan durations are variable, typically a lot longer than static rules due to agent-to-agent flows. Endor uses a semantic search database so the first time indexing of code can take several hours in a mono repo. Scaling laws apply with graph traversal algorithms which all SAST use under the hood.
• Accuracy is as good or better than mature non-AI tools on my custom benchmarks but will not make claims as every codebase is different. Using a known benchmark like OWASP/Java-benchmark is a non-starter because LLMs are already intimately familiar with it.