// Docs
What is CAST?
CAST = Continuous-on-Authoring Security Testing.
CAST vs SAST
| Model | When it runs | Main job | Typical result |
|---|---|---|---|
| CAST | while the model is still writing code | stop unsafe output before it reaches the developer | allow, redact, block |
| SAST | after code already exists | scan code for vulnerabilities | findings after generation |
| DAST | against a running app | test runtime behavior | runtime issues after deployment or staging |
| IAST | inside an instrumented app | watch real execution paths | internal runtime findings |
The point is not that CAST replaces SAST.
The point is that CAST protects a different moment: while code is being generated.
Example outcomes
| Example | What Cencurity Engine does |
|---|---|
| model outputs normal code | allow |
| model outputs a secret or token | redact |
| model outputs dangerous code like eval(...) | block |
Finding fields
| Field | Meaning | Example |
|---|---|---|
| language | code language family | python |
| framework | matched framework or artifact class | fastapi |
| rule_id | stable detection ID | cast.fastapi.auth.jwt-verify-disabled |
| severity | impact level | high |
| confidence | confidence score | high |
| action | enforcement result | block |
| evidence | matched evidence snippet | eval(user_input) |
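To show how the allow / redact / block outcomes and the finding fields above fit together, here is an added Python illustration of a CAST-style check run over a chunk of model output. It is not Cencurity Engine's code: the rule set is constructed, and only `cast.fastapi.auth.jwt-verify-disabled` is a rule ID from this page; the other two IDs are hypothetical.

```python
import re
from dataclasses import dataclass, asdict

# Constructed rule set: (rule_id, framework, pattern, severity, confidence, action).
# Only the JWT rule ID appears in the docs; the other IDs are hypothetical.
RULES = [
    ("cast.generic.secrets.token-literal", "generic",
     re.compile(r"(?i)(?:api[_-]?key|token|secret)\s*=\s*(['\"][A-Za-z0-9_\-]{16,}['\"])"),
     "high", "medium", "redact"),
    ("cast.python.exec.dynamic-eval", "generic",
     re.compile(r"\beval\s*\([^)]*\)"), "high", "high", "block"),
    ("cast.fastapi.auth.jwt-verify-disabled", "fastapi",
     re.compile(r"verify_signature['\"]?\s*:\s*False"), "high", "high", "block"),
]

@dataclass
class Finding:
    """One finding, using the field names from the Finding fields table."""
    language: str
    framework: str
    rule_id: str
    severity: str
    confidence: str
    action: str
    evidence: str

def evaluate(chunk: str, language: str = "python"):
    """Inspect a chunk of model output while it is being authored.

    Returns (action, text_to_deliver, findings). Block outranks redact,
    which outranks allow; a blocked chunk delivers no text at all.
    """
    findings = []
    text = chunk
    for rule_id, framework, pattern, severity, confidence, rule_action in RULES:
        for m in pattern.finditer(chunk):
            findings.append(Finding(language, framework, rule_id, severity,
                                    confidence, rule_action, m.group(0)))
            if rule_action == "redact":
                # Keep the assignment, drop only the secret literal itself.
                text = text.replace(m.group(1), '"<redacted>"')
    if any(f.action == "block" for f in findings):
        return "block", "", findings
    if findings:
        return "redact", text, findings
    return "allow", text, findings

def findings_as_dicts(findings):
    """JSON-friendly view of the findings, one dict per finding."""
    return [asdict(f) for f in findings]
```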
