### Static Application Security Testing (SAST) basic features

If you’re using GitLab CI/CD, you can use Static Application Security Testing (SAST) to check your source code for known vulnerabilities.

Different features are available in different GitLab tiers, as shown in the following table:

Capability | In Free | In Ultimate
--- | --- | ---
Configure SAST Scanners | ✓ | ✓
Customize SAST Settings | ✓ | ✓
View JSON Report | ✓ | ✓
Presentation of JSON Report in Merge Request | X | ✓
Address vulnerabilities | X | ✓
Access to Security Dashboard | X | ✓
Configure SAST in the UI | X | ✓
Customize SAST Rulesets | X | ✓
False Positive Detection | X | ✓

https://docs.gitlab.com/ee/user/application_security/sast/#summary-of-features-per-tier  

#### Reports JSON format  

SAST outputs a report file in JSON format. The report file contains details of all vulnerabilities found. You can download the report file from the merge request page.

![Download JSON format](./json-format.png)  
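
In the Free tier the JSON report is available but is not presented in the merge request, so a short script is a practical way to read it. The following is an added example, not part of the original page or GitLab's own tooling: it summarizes a report by severity and lists the findings a pipeline job could fail on. It assumes the report has a top-level `vulnerabilities` array whose entries carry `severity`, `location` and `identifiers`; the sample report and the function names are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample shaped like a GitLab SAST report (artifact gl-sast-report.json).
SAMPLE_REPORT = json.dumps({"version": "15.0.4", "vulnerabilities": [
    {"name": "SQL injection through string formatting", "severity": "High",
     "scanner": {"id": "semgrep"}, "location": {"file": "app/db.py", "start_line": 42},
     "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"}]},
    {"name": "Use of weak hash MD5", "severity": "Medium",
     "scanner": {"id": "semgrep"}, "location": {"file": "app/auth.py", "start_line": 7},
     "identifiers": [{"type": "cwe", "name": "CWE-327", "value": "327"}]},
    {"name": "Hard-coded credential", "severity": "Critical",
     "scanner": {"id": "semgrep"}, "location": {"file": "config/settings.py", "start_line": 3},
     "identifiers": [{"type": "cwe", "name": "CWE-798", "value": "798"}]},
    # Entry with no severity or location, to exercise the fallbacks below.
    {"message": "Finding without severity"},
]})

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info", "Unknown"]

def load_findings(report_text):
    """Flatten the report's vulnerabilities into dicts, most severe first."""
    findings = []
    for vuln in json.loads(report_text).get("vulnerabilities", []):
        severity = vuln.get("severity", "Unknown")
        location = vuln.get("location", {})
        findings.append({
            "name": vuln.get("name") or vuln.get("message", "(unnamed)"),
            "severity": severity if severity in SEVERITY_ORDER else "Unknown",
            "file": location.get("file", "?"),
            "line": location.get("start_line"),
            "scanner": vuln.get("scanner", {}).get("id", "?"),
            "ids": [i.get("name") for i in vuln.get("identifiers", [])],
        })
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f["severity"]))

def severity_counts(findings):
    return Counter(f["severity"] for f in findings)

def blocking(findings, fail_on=("Critical", "High")):
    """Findings severe enough that a pipeline job should fail on them."""
    return [f for f in findings if f["severity"] in fail_on]

if __name__ == "__main__":
    found = load_findings(SAMPLE_REPORT)
    for f in found:
        print(f"{f['severity']:<9}{f['file']}:{f['line']}  {f['name']} {f['ids']}")
    print(dict(severity_counts(found)))
    raise SystemExit(1 if blocking(found) else 0)
```

To use it on a real report, pass the contents of the downloaded JSON file to `load_findings` in place of `SAMPLE_REPORT`.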

Example project using Static Application Security Testing (SAST): [Demo SAST](https://jihulab.com/ultimate-plan/demo/sast-demo/-/tree/3-test-new-policy-name)
