Business Logic Application Security Testing (Private Beta)
Comprehensive vulnerability coverage in Corgea
Overview
BLAST (Business Logic Application Security Testing) is Corgea’s next-generation code scanning solution, designed to detect and fix security vulnerabilities in application code, with a particular emphasis on business logic, authentication and code flaws. Unlike traditional Static Application Security Testing (SAST) tools, BLAST uses advanced AI-driven techniques to enhance detection accuracy, reduce false positives, and provide actionable insights for developers and security teams.
By leveraging the power of Large Language Models (LLMs) combined with static analysis, BLAST delivers a deeper contextual understanding of code, allowing it to detect vulnerabilities that standard SAST tools might miss. This document provides a technical overview of how BLAST works, what it can detect, and how it integrates into development workflows.
Key Features
Vulnerability Classes Detected
BLAST excels at detecting business logic vulnerabilities, which are often missed by traditional SAST tools. Below are some of the specific vulnerabilities detected by BLAST:
In addition to business logic vulnerabilities, BLAST also detects the common security flaws covered by regular SAST scanning.
Secret Scanning Capabilities
BLAST’s secret scanner uses pattern matching, entropy analysis, and AI-powered contextual understanding to minimize false positives while ensuring comprehensive coverage.
Detected Secret Types
- API keys and tokens (AWS, Google Cloud, Azure, etc.)
- Authentication credentials
- Database connection strings
- Private keys and certificates
- OAuth tokens
- Personal access tokens
- Encryption keys
- Environment variables
- Internal endpoints
- Payment credentials
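To illustrate how the pattern-matching and entropy-analysis layers described above fit together, here is a small Python scanner written as an added example for this page (it is not Corgea's BLAST implementation). It reports a known key format on shape alone, scores generic credential assignments by Shannon entropy, and uses a simple placeholder filter as a stand-in for the contextual understanding the page attributes to the AI layer; the sample source, all values in it, the regexes, the threshold and the function names are constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample source; every value below is fake and exists only for this demo.
SAMPLE_SOURCE = """\
# settings.py
AWS_ACCESS_KEY_ID = "AKIAQ7X2M9PLW4RT8V3K"
api_key = "kQ9zXm2Lp7Ra4Tn8Vb3Wc5Yd"
password = "aaaaaaaaaaaaaaaaaaaa"
SECRET_KEY = "<YOUR_SECRET_KEY_HERE>"
token = os.environ["API_TOKEN"]
""".splitlines()

# Pattern matching: well-known token formats reported on shape alone
# (the AKIA prefix is AWS's documented access key ID format).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Generic case: a credential-looking name assigned a quoted literal of 16+ chars.
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:secret|token|password|api_?key)\w*)\s*[:=]\s*[\"']([^\"']{16,})[\"']"
)
# Stand-in for contextual filtering: templated or placeholder values are not leaks.
PLACEHOLDER = re.compile(r"(?i)example|change_?me|xxx+|<[^>]+>|\$\{")

def shannon_entropy(value):
    """Bits per character; random tokens score high, words and padding score low."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())

def scan_lines(lines, entropy_threshold=3.5):
    findings = []
    for lineno, line in enumerate(lines, 1):
        kind = next((k for k, rx in KNOWN_PATTERNS.items() if rx.search(line)), None)
        if kind:
            findings.append({"line": lineno, "kind": kind, "entropy": None})
            continue
        m = ASSIGNMENT.search(line)
        if not m or PLACEHOLDER.search(m.group(2)):
            continue  # no candidate, or an obvious placeholder value
        ent = shannon_entropy(m.group(2))
        if ent >= entropy_threshold:  # low-entropy literals are rarely real secrets
            findings.append({"line": lineno, "kind": "high_entropy_literal", "entropy": round(ent, 2)})
    return findings

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_SOURCE):
        print(finding)
```

Run against the sample, only the AWS-format key (line 2) and the high-entropy api_key literal (line 3) are reported; the repeated-character password, the templated placeholder and the environment lookup are filtered out.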
Technology Behind BLAST
BLAST is powered by Corgea’s proprietary CodeIQ technology, combining AI with Abstract Syntax Trees (ASTs) for comprehensive analysis:
Project-Level Analysis
BLAST parses the entire project to build a complete picture of code component interactions, ensuring no vulnerabilities are missed.
Contextual Intelligence
The AI engine understands code context, including middleware, configurations, and templates.
False Positive Reduction
Context and logic understanding reduces false positives common in traditional tools.
Comparison to Traditional Methods
Traditional static analysis techniques have significant limitations:
- Source-sink analysis misses validation steps
- Call-graphs miss runtime behaviors
- Vector search and RAG suffer from overgeneralization
Integration and Workflow
Integration Points
- CI/CD Pipelines: Automatic scanning on commits and pull requests
- Pull Request Reviews: Pre-merge vulnerability analysis
- IDE Integration: Real-time feedback during development
Supported Languages and Frameworks
- C#
- Python
- Ruby
- Go
- JavaScript
- TypeScript
- Java